
Sideview Utils: How to set up a pulldown timerange and textfield form boxes for users to populate search queries?

the_wolverine
Champion

I'm trying to use a pulldown timerange to set multiple values based on the timerange, like this answer: http://answers.splunk.com/answers/91244/pulldown-module-statically-setting-two-values-per-pulldown-o...

But I'm having trouble also integrating the form boxes I want to populate the rest of my query. My query is something like this:

index=main $host1$ OR $host2$ OR $host3$ | timechart span=$span$ max(cpu) by host

I want the user to be able to enter the host values in the form then select a timerange which also determines the span using value setter. It works fine in simple XML other than I could not use pulldown magic to set the span based on a chosen timerange -- so switching to Sideview for more capabilities.

0 Karma
1 Solution

the_wolverine
Champion

I got it working, Mr Sideview! I wish there was a specific example like this in the app -- but now this will do. I want to post it as a reference. In this example we want to automatically set the span based on the timerange: because Splunk charting has a limitation of 1000 points that can be plotted (by default), we want to give the smallest span possible based on the timerange selected.

<!-- Host 1 emits host=..., each later field emits OR host=... -->
<module name="TextField" layoutPanel="panel_row2_col1">
  <param name="name">host1</param>
  <param name="float">left</param>
  <param name="template">host=$value$</param>
  <param name="label">Host 1:</param>

  <module name="TextField">
    <param name="name">host2</param>
    <param name="float">left</param>
    <param name="template">OR host=$value$</param>
    <param name="label">Host 2:</param>

    <module name="TextField">
      <param name="name">host3</param>
      <param name="float">left</param>
      <param name="template">OR host=$value$</param>
      <param name="label">Host 3:</param>

      <module name="TextField">
        <param name="name">host4</param>
        <param name="float">left</param>
        <param name="template">OR host=$value$</param>
        <param name="label">Host 4:</param>

        <module name="TextField">
          <param name="name">host5</param>
          <param name="float">left</param>
          <param name="template">OR host=$value$</param>
          <param name="label">Host 5:</param>

          <module name="TextField">
            <param name="name">host6</param>
            <param name="float">left</param>
            <param name="template">OR host=$value$</param>
            <param name="label">Host 6:</param>

            <!-- Each option value packs earliest,latest,span -->
            <module name="Pulldown" layoutPanel="panel_row2_col1">
              <param name="name">customTime</param>
              <param name="label">Select Timerange</param>
              <param name="staticOptions">
                <list>
                  <param name="value">-60min,now,30s</param>
                  <param name="label">Last 60 minutes</param>
                </list>
                <list>
                  <param name="value">-4h,now,1min</param>
                  <param name="label">Last 4 hours</param>
                </list>
                <list>
                  <param name="value">-24h,now,2m</param>
                  <param name="label">Last 24 hours</param>
                </list>
                <list>
                  <param name="value">-7d,now,10min</param>
                  <param name="label">Last 7 days</param>
                </list>
                <list>
                  <param name="value">-30d,now,30m</param>
                  <param name="label">Last 30 days</param>
                </list>
              </param>

              <!-- Split the packed value on the comma into customTimeSplit[0..2] -->
              <module name="ValueSetter">
                <param name="name">customTimeSplit</param>
                <param name="delim">,</param>
                <param name="value">$customTime$</param>

                <module name="Search" layoutPanel="panel_row3_col1">
                  <param name="search">
index=main $host1$ $host2$ $host3$ $host4$ $host5$ $host6$ | timechart span=$customTimeSplit[2]$ count by host
                  </param>
                  <param name="earliest">$customTimeSplit[0]$</param>
                  <param name="latest">$customTimeSplit[1]$</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
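
The substitution this form performs, modelled in Python as an added example (not the poster's or Sideview's code). It assumes an empty TextField emits nothing, which is what the template-based fix in this thread relies on, and uses constructed host names; it counts the time buckets each pulldown option produces against the 1000-point limit the post cites and flags a blank Host 1.

```python
import re

# Pulldown values copied from the post: "earliest,latest,span" -> label.
OPTIONS = {
    "-60min,now,30s": "Last 60 minutes",
    "-4h,now,1min": "Last 4 hours",
    "-24h,now,2m": "Last 24 hours",
    "-7d,now,10min": "Last 7 days",
    "-30d,now,30m": "Last 30 days",
}
UNIT_SECONDS = {"s": 1, "m": 60, "min": 60, "h": 3600, "d": 86400}
POINT_LIMIT = 1000  # charting limit cited in the post

def seconds(term):
    """Convert a term such as '-7d' or '10min' to a number of seconds."""
    m = re.fullmatch(r"-?(\d+)([a-z]+)", term)
    if not m or m.group(2) not in UNIT_SECONDS:
        raise ValueError(f"unsupported time term: {term!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def split_option(value, delim=","):
    """Model of the ValueSetter split; exactly three fields are expected."""
    parts = value.split(delim)
    if len(parts) != 3:
        raise ValueError(f"expected earliest,latest,span: {value!r}")
    return parts

def over_limit():
    """Options whose range/span yields more buckets per series than the limit."""
    found = {}
    for value, label in OPTIONS.items():
        earliest, _latest, span = split_option(value)  # latest is always "now" here
        buckets = -(-seconds(earliest) // seconds(span))  # ceiling division
        if buckets > POINT_LIMIT:
            found[label] = buckets
    return found

def render_search(hosts, option):
    """Model of the TextField templates (whitespace-normalised): blank fields emit nothing."""
    earliest, latest, span = split_option(option)
    clauses = [("host=" if i == 0 else "OR host=") + h.strip()
               for i, h in enumerate(hosts) if h.strip()]
    search = " ".join(["index=main", *clauses, f"| timechart span={span} count by host"])
    return search, earliest, latest

def dangling_or(hosts):
    """True when Host 1 is blank but a later field is filled ('index=main OR host=...')."""
    return not hosts[0].strip() and any(h.strip() for h in hosts[1:])
```

When Host 1 is left blank and a later field is filled, the rendered search starts with `index=main OR host=...`, which Splunk evaluates as an OR against `index=main` rather than as a host filter, so a form like this should either require Host 1 or wrap the host clauses in parentheses.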

sideview
SplunkTrust

Awesome. Yep that looks good. I have had an item in the roadmap for too long, to give the Pulldown module a native way of encoding more than one "value", so you don't have to pack it up with commas and then split it out with ValueSetters like this.

minor minor comment - autoRun="False" is meaningless and has no effect and you should remove it in case someone someday thinks it means something (which it doesn't). Cheers!

the_wolverine
Champion

Thank you, I'm cleaning that up now.

0 Karma

sideview
SplunkTrust

Can you post the XML here or put it in pastebin? I'm interested in the $hostN$ values - what happens when one of the three is empty? It looks like there would be a syntax error? Normally for $foo$ OR $bar$ OR $baz$ I would advise using a Sideview Checkboxes or CheckboxPulldown module, because those are designed to deal with the whole OR-expression work for you. But if you post the XML there may be idiosyncrasies or simple fixes around the multiple-value thing with your timeranges and spans.

0 Karma

the_wolverine
Champion

I've modified it to integrate a template so now this is working properly...

<module name="TextField" layoutPanel="panel_row2_col1" autoRun="False">
 <param name="name">host1</param>
 <param name="float">left</param>
 <param name="template">host=$value$</param>
 <param name="label">Host 1:</param>

 <module name="TextField">
  <param name="name">host2</param>
  <param name="float">left</param>
  <param name="template">OR host=$value$</param>
  <param name="label">Host 2:</param> 

ETC.

index=main host=host1 OR host=host2 | timechart span=span max(cpu) by host

Now I just need to integrate the pulldown so that user can select timerange and set the span value based on the timerange selected.

0 Karma

the_wolverine
Champion

Got it working!

0 Karma