Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to add a search text field input and index drop-down list to the top of a dashboard in simple XML?

Lowell
Super Champion
‎11-25-2014 09:30 AM

How can I easily add a "search bar" to the top of my own dashboards? Trying to add a quick and convenient way for less advanced splunk users to quickly execute a search without having to know SPL. I'm expecting 2 inputs. (1) simple search term(s), like a java class name or portion of an error message, and (2) a drop down to pick between a few indexes.

I want the search results to open a new browser window and not show up on the current dashboard. I'm thinking the user clicks on a "Search" button beside text input field and that opens the search view.

I know how to do this with Advanced XML, but now I'm trying to unlearn all of that. ;-( I was surprised not to find something like this in the simple_xml_examples app.

0 Karma
Reply

somesoni2
Revered Legend
‎11-25-2014 10:17 AM

Give this a try (workaround, instead of button , there will be table row that can be clicked)

<form>
  <label>Custom Search</label>
  <description/>
  <fieldset submitButton="false">
    <input type="text" token="filters" searchWhenChanged="true">
      <label>Search Filter</label>
    </input>
    <input type="dropdown" token="index" searchWhenChanged="true">
      <label>Index to Search On</label>
      <choice value="*">All</choice>
      <populatingSearch fieldForLabel="index" fieldForValue="index">| eventcount summarize=false index=* | table index</populatingSearch>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table depends="$filters$">
        <searchString>| gentimes start=-1 | eval Filters=coalesce("$filters$","") | eval SearchString="index=$index$ ".Filters | table SearchString | eval Action="Search"</searchString>
        <earliestTime>0</earliestTime>
        <latestTime/>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="count">10</option>
        <drilldown target="My New Window">
       <link>
          /app/YourApp/search?q=$row.SearchString$
        </link>
      </drilldown>
      </table>
    </panel>
  </row>
</form>
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-25-2014 10:02 AM

If you ditch the open-in-new-window part that's super easy in SimpleXML using the graphical dashboard/form editor available since 6.1... if you have to keep that part then build it to open in the dashboard itself, then click the magnifying glass "Open in Search".

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...