I am developing a set of Splunk dashboards that will be used by N different teams.
Each team has its own index (say indexA, indexB), and each of those indexes has 2 sources (sourceA1, sourceA2, sourceB1, sourceB2, etc.).
All the indexes have the exact same schema (with different data for different teams), and so I want to have reusable dashboards.
Which means that in my dashboard, I plan to have a drop-down (single-select), with a list of team names, which under-the-hood map to an index name and two source names. (1 to 3 mapping)
In my panels then I can create searches using those tokens and so the same dashboard will show team A's data or team B's data depending on which team is selected in drop-down.
Since our indexes are access-controlled, if a user from team A chooses team B in dropdown, he will see empty panels which is what is intended.
How do I do this!?
The drop-down will define a key in a token.
example: token group
groupA => "index=indexA"
groupB => "index=indexB"
etc...
Then, in the search populating the panels, use the variable:
$group$ sourcetype=mysourcetype | timechart count by whatever
See the documentation for details:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/tokens
There are many examples in the UI examples app.
See https://apps.splunk.com/app/1603/
You can be more fancy by using macros.
And the role permissions will enforce access to the indexes.
This is a comment for yannK's response.
I am unable to add comments 😞 Says I don't have enough permission.
yannK, I am not sure I understand your suggestion.
Here is a sample search driving one of the panels on the dashboard:
index=indexA source=sourceA1 [search index=indexA source=sourceA2 | fields somefield] | chart count by whatever
So, to make this search generic/token_based, I would need three tokens:
index=$index_name$ source=$source1name$ [search index=$index_name$ source=$source2name$ | fields somefield] | chart count by whatever
Please note that there is no pattern to the names of the source and indexes, I have just named them indexA or sourceA1 as examples. The names could be anything.
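One way to get the 1-to-3 mapping asked about above, as an added Simple XML example that is not part of the original thread: the drop-down holds an opaque team key, and a `<change>` handler sets the three tokens used in the panel search. It assumes a Splunk version whose Simple XML supports `<change>`/`<condition>`/`<set>` on inputs and the `<search>` element; the team keys and labels are constructed, and the index and source names are the placeholders from the posts.

```xml
<form>
  <label>Team dashboard (constructed example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="team" searchWhenChanged="true">
      <label>Team</label>
      <!-- Choice values are opaque keys, not search fragments. -->
      <choice value="teamA">Team A</choice>
      <choice value="teamB">Team B</choice>
      <change>
        <!-- Each key sets the three tokens the panel searches use. -->
        <condition value="teamA">
          <set token="index_name">indexA</set>
          <set token="source1name">sourceA1</set>
          <set token="source2name">sourceA2</set>
        </condition>
        <condition value="teamB">
          <set token="index_name">indexB</set>
          <set token="source1name">sourceB1</set>
          <set token="source2name">sourceB2</set>
        </condition>
        <!-- Any value not listed above clears the tokens, so the
             panels wait for input instead of running a search. -->
        <condition>
          <unset token="index_name"></unset>
          <unset token="source1name"></unset>
          <unset token="source2name"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <!-- The search runs as the viewing user, so the role's index
             permissions still decide whether any events come back. -->
        <search>
          <query>index=$index_name$ source=$source1name$ [search index=$index_name$ source=$source2name$ | fields somefield] | chart count by whatever</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

The dashboard only chooses which index and sources the search names; as the answer says, access to the indexes is enforced by role permissions, not by the drop-down.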