It should work like a search app with sankey chart visualization. The running search should cause the sankey chart and stats table to update. Don't forget the time picker.
EDIT1
wide text box + submit button + separate time picker should work, too.
Hi hylam,
Take this run-everywhere dashboard to see how it can be done:
<form script="autodiscover.js">
  <label>my_foo_selector Clone</label>
  <!-- Inputs: the search only re-runs when the submit button is pressed -->
  <fieldset submitButton="true">
    <input type="time" token="time">
      <label>Select time range:</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="text">
      <label>Enter text to search:</label>
      <default>*</default>
    </input>
  </fieldset>
  <!-- Search manager that feeds the sankey view; uses the $text$ and $time.*$ tokens -->
  <search id="viz_search">
    <query>
      <![CDATA[
index=_internal $text$ earliest="$time.earliest$" latest="$time.latest$" sourcetype=splunk_web_access NOT uri_path=*/static/* uri_path=*/app/* OR uri_path=*/manager/*
| rex field=referer "https?://.+?/.+?(?<referer_path>/[^\\?]+)"
| rex field=uri_path "/.+?(?<path>/.+)"
| rename referer_path as from path as to
| stats count by from to | sort -count | head 50
      ]]>
    </query>
  </search>
  <row>
    <panel>
      <html>
        <h2>Sankey</h2>
        <!-- data-options is JSON, so the attribute is single-quoted to keep the XML well-formed -->
        <div id="sankey" class="splunk-view" data-require="app/simple_xml_examples/components/sankey/sankey" data-options='{ "managerid": "viz_search", "height": 400 }'>
        </div>
      </html>
    </panel>
  </row>
</form>
You must have the Simple XML dashboard example App installed: https://splunkbase.splunk.com/app/1603/
Hope this helps to get you started and change / modify / add any additional charts as needed 😉
cheers, MuS
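The question also asks for a stats table that updates with the chart. The fragment below is an added example, not part of MuS's answer: a second row, placed inside the `<form>` after the sankey row, that post-processes the existing `viz_search` results so both views refresh from the same submitted search. The panel title and the row count of 10 are assumptions.

```xml
<row>
  <panel>
    <table>
      <title>Page transitions (from / to / count)</title>
      <!-- Post-process search: base="viz_search" reuses the results of the
           search defined above, so no second search is dispatched and the
           table always matches what the sankey chart shows. -->
      <search base="viz_search">
        <query>| fields from to count</query>
      </search>
      <!-- Assumed display settings: 10 rows per page, no drilldown -->
      <option name="count">10</option>
      <option name="drilldown">none</option>
    </table>
  </panel>
</row>
```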