Simple search dashboard element

maradibs
New Member

Hi

We have just started using Splunk with real data in my organisation, and to start with we're only using it to show and compare events from different types of logs.

I'm looking for a way to have some form boxes in a dashboard, so my users can just input a value, and then this value is added to an already defined search string in the normal search window.

Like, I have a predefined search like sourcetype="platform_jboss_log" index="index1" "string"
So when inputting a value it would switch to a search window with the value defined and the search is started.

I have browsed around here and in the 6.x dashboard examples, not finding anything really useful. Is this so far outside the Splunk use case?

I just want to give my users an easy way to search for the stuff they need without them needing to prefix their searches manually with sourcetype etc.

Thanks
Mads

0 Karma

aholzer
Motivator

You can find basic form examples here.

The key words you are looking for are:

  • token: the name for the variable that the user can input
  • searchTemplate: the search with the user input
  • fieldset: the list of inputs available to the user

You need to define a text input (let's call the token "str"). You then need to incorporate the token "str" into your search string. Your searchTemplate will look something like this:

sourcetype="platform_jboss_log" index="index1" "$str$"

Note that I have put $ around the token; this is what allows Splunk to understand that it's a variable rather than a string.

Hope this helps

0 Karma

aweitzman
Motivator

It seems like your issue is you want the raw output, rather than the table- or chart-style output from @aholzer's great suggestions. If so, use <event> instead of <table>. Assuming you have a dropdown that produces a srcType value and a text input for your str value, you should be able to do something like this:

<row>
  <event>
    <searchString>sourcetype="$srcType$" index="index1" "$str$"</searchString>
  </event>
</row>

Check out http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#event for your other options for this tag.

0 Karma
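For readers following the thread, here is a complete form that combines the two answers above (the fieldset with a text token "str" and a dropdown token "srcType", feeding an event panel). It is an added example, not code posted by any participant, written in the 6.x-era Simple XML the thread uses. Assumptions: the second sourcetype is constructed, and the deployed Splunk version supports the `|s` token filter.

```xml
<!-- Added example, not from the thread. Uses the same <searchString>
     syntax as the answer above. -->
<form>
  <label>Log search</label>
  <fieldset submitButton="true">
    <!-- Token "srcType": a fixed list, so users pick a log type
         instead of typing a sourcetype by hand -->
    <input type="dropdown" token="srcType">
      <label>Log type</label>
      <choice value="platform_jboss_log">JBoss platform log</choice>
      <!-- constructed second sourcetype, for illustration only -->
      <choice value="example_access_log">Example access log</choice>
      <default>platform_jboss_log</default>
    </input>
    <!-- Token "str": free text typed by the user -->
    <input type="text" token="str">
      <label>Search string</label>
    </input>
  </fieldset>
  <row>
    <event>
      <title>Matching events</title>
      <!-- $str|s$ applies the "s" token filter: the value is wrapped in
           double quotes and embedded quotes are escaped, so the typed
           text stays one quoted search term and cannot change the rest
           of the search (assumes a version with token filters). -->
      <searchString>sourcetype="$srcType$" index="index1" $str|s$</searchString>
      <option name="count">20</option>
    </event>
  </row>
</form>
```

Because `|s` adds the quotes itself, the token is not wrapped in literal quotes here, unlike the `"$str$"` form shown in the answers.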

aholzer
Motivator

If you look at the link I provided in my answer you'll notice that the second example has a dropdown of sourcetypes. I feel like that's exactly what you are looking for.

Give them the dropdown of sourcetypes as the second example in the link (I suggest you do it dynamically) and a text input as the first example in the link shows.

Hope this helps

maradibs
New Member

I have a long list of sourcetypes which different logfiles in our systems have defined.

(40-50 servers in a cluster with the same kind of logfiles; Splunk is used as a centralized way to search in them)

Right now my users have to define sourcetype="blabla" in their search query every time they want to search in a specific logfile.

I just want to give my users an easy entrypoint for searching in the different types of logs we have.

0 Karma

aholzer
Motivator

Not sure I'm understanding then. You could always set up a Splunk role, and as part of the role define a filter as [sourcetype="platform_jboss_log" index="index1"]. By doing this, it will apply that filter to every search the users with that role have. You'd simply have to set all users to have that new role.

Hope this helps

0 Karma

maradibs
New Member

Hi

Thanks for the answer

It's a bit like what I'm seeking, or not.

I want it to make the search in the normal search app when pressing submit, so you can use the facilities that it has. From what I see of the form examples, it looks a bit... restricted.

0 Karma