I want to create a dashboard where I can change the 'SessionId' in the following query, ideally I want to be able to select one from a dropdown list and the chart would refresh.
host="jedi-sit2" SessionId=7e88e1f8-f06c-4950-bedc-97b2ad51d0e6 | timechart mode(ui_process_memory)
Is this possible?
You can achieve this through simple xml forms. Here's an example of what it might look like, where there is a dropdown of available session ids that is populated by a Splunk search.
For more information/examples on forms, here's a link to the docs:
http://docs.splunk.com/Documentation/Splunk/latest/Viz/Exampleform
<form>
<label>session_id_search</label>
<fieldset>
<input type="dropdown" token="session_id">
<label>Session ID:</label>
<populatingSearch fieldForValue="SessionID" fieldForLabel="SessionID" earliest="-7d@d" latest="now">host="jedi-sit2"
| dedup SessionID</populatingSearch>
</input>
</fieldset>
<row>
<chart>
<searchString>host="jedi-sit2" SessionId="$session_id$" | timechart mode(ui_process_memory)</searchString>
<title>Memory Usage</title>
<option name="charting.chart">line</option>
<earliestTime>-7d@d</earliestTime>
<latestTime>now</latestTime>
</chart>
</row>
</form>
Note that the latest Sideview Utils is 2.5 and while it's also available under a free license, you have to get it from the Sideview site at http://sideviewapps.com/apps/sideview-utils/ The LGPL version linked to is a much older version (1.3.5). There have been an enormous number of improvements, new features and bugfixes since 1.3.5 so make sure you're on the latest.
You can achieve this through simple xml forms. Here's an example of what it might look like, where there is a dropdown of available session ids that is populated by a Splunk search.
For more information/examples on forms, here's a link to the docs:
http://docs.splunk.com/Documentation/Splunk/latest/Viz/Exampleform
<form>
<label>session_id_search</label>
<fieldset>
<input type="dropdown" token="session_id">
<label>Session ID:</label>
<populatingSearch fieldForValue="SessionID" fieldForLabel="SessionID" earliest="-7d@d" latest="now">host="jedi-sit2"
| dedup SessionID</populatingSearch>
</input>
</fieldset>
<row>
<chart>
<searchString>host="jedi-sit2" SessionId="$session_id$" | timechart mode(ui_process_memory)</searchString>
<title>Memory Usage</title>
<option name="charting.chart">line</option>
<earliestTime>-7d@d</earliestTime>
<latestTime>now</latestTime>
</chart>
</row>
</form>
http://splunk-base.splunk.com/apps/36405/sideview-utils-lgpl.
Please see the usage terms and conditions. But for reference it's the best
Where can I find out more about 'Sideview Utils'?
We have a licensed version of splunk
As @linu1988 said, Sideview Utils is a really powerful tool that you can use to make sophisticated dashboards and I highly recommend it.
If you are looking for something quicker, you may want to look into the Splunk views called "forms" that come included in the base splunk. They allow you to define dashboards with user inputs.
Sideview Utils has tools that allow you to do the same thing, and in the long term is a better/more robust solution, but if you are just looking for a quick answer, the keyword you are looking for is "form". "Splunk form".
Please refer to Splunk UI examples APP / Sideview Utils APP.
You can create dashboards with pulldown /dropdown modules to fill your session ids. Then pass the variable to the search in the dashboard panel. Thanks.
http://docs.splunk.com/Documentation/Splunk/latest/Viz/Exampledashboard