Splunk Search

Using a form value to create a chart in a saved search

Skippy
Explorer

Hi, my first question here so sorry if I use some stange terminology, I'll try and be as concise as I can!

To start from the beginnning:

I have a log which logs the Date, Time, Address, Name and Site of devices as they move around our sites.

Using Splunk, I can enter an address and it will search for that device in the logs. I've taught Splunk about my log file format so it correctly identifies the fields for username, address and Location. Cool!

Now I click on the Site field and I can select "Report on: top values by time" which gives me a neat chart with a timeline showing the Address and which sites it's been seen in over time. That's cool too, so I save the search and call it "Tracker" so I can use it later.

Now what would be really cool would be if I could create a (view? or app? I don't know what the correct term is) where my Helpdesk people can go to Splunk, enter an Address and see the chart generated for the Address of their choosing.

I've created the XML, I think it's installed as a view but it doesn't seem to work. The xxxx below is an address on our network.

    <form>
     <label>Tracker</label>
      <fieldset>
          <input type="text" token="address">
              <label>Address</label>
              <seed>xxxx</seed>
          </input>
          <input type="time" />
      </fieldset>
      <row>
          <chart>
              <title>Tracker Graph</title>
              <searchTemplate>sourcetype="Summary" $address$ | timechart count by Site</searchTemplate>
              <option name="charting.chart">column</option>
              <option name="charting.primaryAxisTitle.text"></option>
              <option name="charting.secondaryAxisTitle.text">Days Active</option>
              <option name="charting.legend.placement">top</option>
              <option name="height">300</option>
          </chart>
      </row>
    </form>

In the views dropdown menu, I now get a "Tracker" option. When I click this link, I get a nice form with a text imput where I enter the address. It searches and a box appears saying "Tracker Graph refreshed: today at 14:56:52" and a link "View Results". There's no chart in it though - I can't figure out why. 😞

If I click the link to View Results then I get taken back to the Splunk>Search page showing that it did a search for

sourcetype="Summary" xxxx | timechart count by Site

and there is a table showing the results. If I click the "Show Report" link from here, I see the chart that I want!

I really can't work out why my chart doesn't appear in the view I created.

Does all that make sense? What am I doing wrong here?

1 Solution

sideview
SplunkTrust
SplunkTrust

I just took a look adopting your example to work on my own data, and indeed it looks like there is a quite bad bug here that appears to have been introduced only recently.

What's happening is that the chart is appearing with an initial size of 0 pixels.

The root cause is that you converted this view from the simplified <form> syntax to the advanced XML syntax, and the conversion code unfortunately results in a height value of '300' instead of '300px'.

Manually edit the XML to change '300' to '300px' and you'll be fine.

View solution in original post

Doc_Yes
Splunk Employee
Splunk Employee

The values for heights can be in pixels (px), relative (em) or percentage (%).

To resolve the issue, 300 should be 300px.

<option name="height">300px</option>

I'll look into adding looser value support where integers without a trailing string are automatically converted to pixels.

sideview
SplunkTrust
SplunkTrust

I just took a look adopting your example to work on my own data, and indeed it looks like there is a quite bad bug here that appears to have been introduced only recently.

What's happening is that the chart is appearing with an initial size of 0 pixels.

The root cause is that you converted this view from the simplified <form> syntax to the advanced XML syntax, and the conversion code unfortunately results in a height value of '300' instead of '300px'.

Manually edit the XML to change '300' to '300px' and you'll be fine.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...