Hi, I wonder whether someone may be able to help me please.
I've put together the following form.
<form>
<label>Simple select drop down</label>
<!-- define master search template, with replacement tokens delimited with $ -->
<searchTemplate>|rest /services/search/jobs
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$
|addtotals fieldname=duration *duration_secs
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\."
|eval stringSecs=myRest. "s " .ms. "ms"
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24))
|eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime)
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime)
|eval daterange= "From: ".earliestTime.", To: ".latestTime
|makemv delim=", " daterange
|sort +author
|table author eai:acl.app title daterange NoOfDays stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
<fieldset>
<!-- Define a simple dropdown form driven by a search -->
<input type="time" token="timerange">
<label>Select the Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="author">
<label>Select series</label>
<search>
<query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|stats count by author</query>
</search>
<choice value="*">Any</choice>
<fieldForLabel>author</fieldForLabel>
<fieldForValue>author</fieldForValue>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Splunk Searches Performed - Results for $author$</title>
<search base="global">
</search>
<option name="count">50</option>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
<search>
<searchTemplate>|rest /services/search/jobs
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$
|addtotals fieldname=duration *duration_secs
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\."
|eval stringSecs=myRest. "s " .ms. "ms"
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24))
|where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime)
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime)
|eval daterange= "From: ".earliestTime.", To: ".latestTime
|makemv delim=", " daterange
|sort +author
|table author eai:acl.app title daterange NoOfDays stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"
</searchTemplate>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="drilldown">cell</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form>
Although the drop-down menus work and the searches return the desired results, the problem I have relates to the second panel in the dashboard.
When I select the values from the drop-down menus on the dashboard, the search from the first panel runs in the second, rather than the search I've coded into the XML.
I suspect it's because each search is within the same named "SearchTemplate", but I cannot be sure.
I just wondered whether someone may be able to look at this please and offer some guidance on how I can overcome this issue.
Many thanks and kind regards
Chris
Hi, thank you for looking at my post.
I actually found the solution here, so I moved the "Search Templates" between the tags.
So my final code was:
<form>
<label>Splunk User Activity Monitoring</label>
<!-- define master search template, with replacement tokens delimited with $ -->
<fieldset>
<!-- Define a simple dropdown form driven by a search -->
<input type="time" token="timerange">
<label>Select the Time Range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="author">
<label>Select a User</label>
<search>
<query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$ |search NOT (author="splunk-system-user" OR author="monitoring") |search title!="" |stats count by author</query>
</search>
<choice value="*">Any</choice>
<fieldForLabel>author</fieldForLabel>
<fieldForValue>author</fieldForValue>
</input>
</fieldset>
<row>
<panel>
<table>
<searchTemplate>|rest /services/search/jobs
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$
|addtotals fieldname=duration *duration_secs
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\."
|eval stringSecs=myRest. "s " .ms. "ms"
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24))
|eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime)
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime)
|eval daterange= "From: ".earliestTime.", To: ".latestTime
|makemv delim=", " daterange
|sort +author
|table author eai:acl.app title daterange NoOfDays stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
<title>Splunk Searches Performed - Results for $author$</title>
<option name="count">50</option>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
<searchTemplate>|rest /services/search/jobs
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$
|addtotals fieldname=duration *duration_secs
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\."
|eval stringSecs=myRest. "s " .ms. "ms"
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24))
|where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime)
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime)
|eval daterange= "From: ".earliestTime.", To: ".latestTime
|makemv delim=", " daterange
|sort +author
|table author eai:acl.app title daterange NoOfDays stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="drilldown">cell</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Searches Taking Longer Than 5 Minutes To Complete</title>
<searchTemplate>|rest /services/search/jobs
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$
|addtotals fieldname=duration *duration_secs
|where duration>=300
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
|rex field=stringSecs "\.(?<ms>\d{2})"
| rex field=stringSecs "(?<myRest>.+)s\."
|eval stringSecs=myRest. "s " .ms. "ms"
|sort +author
|table author eai:acl.app title stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", stringSecs as "Query Runtime"</searchTemplate>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="drilldown">cell</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form>
Kind Regards
Chris
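As an added example (not from this thread, and not Splunk's own tooling), here is a small Python lint for Simple XML dashboards that flags the wiring from the question: a panel whose <search base="global"> points at no <search id="global">, a <searchTemplate> nested inside <search>, and a form-level <searchTemplate> instead of one search per panel. It assumes only the element names used on this page; the two sample documents are constructed, trimmed-down versions of the broken form and of the fixed form above.

```python
import xml.etree.ElementTree as ET

# Panel visualizations that must each carry exactly one search definition.
VISUALIZATIONS = ("table", "chart", "single", "event", "map")

# Constructed samples (not the thread's XML): the question's wiring, trimmed, and the per-panel layout of the fix.
BROKEN = """<form>
<searchTemplate>|rest /services/search/jobs |search author=$author$ |table author title</searchTemplate>
<row><panel><table>
<title>Splunk Searches Performed - Results for $author$</title>
<search base="global"></search>
</table></panel></row>
<row><panel><table>
<title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
<search><searchTemplate>|rest /services/search/jobs |where NoOfDays>=90</searchTemplate></search>
</table></panel></row>
</form>"""

FIXED = """<form>
<row><panel><table>
<searchTemplate>|rest /services/search/jobs |search author=$author$ |table author title</searchTemplate>
<title>Splunk Searches Performed - Results for $author$</title>
</table></panel></row>
<row><panel><table>
<title>Searches With The Query Time Range Greater Than or Equal To 90 Days</title>
<searchTemplate>|rest /services/search/jobs |where NoOfDays>=90</searchTemplate>
</table></panel></row>
</form>"""


def lint_dashboard(xml_text):
    """Return a list of findings; an empty list means every panel is wired to its own search."""
    root = ET.fromstring(xml_text)
    findings = []
    defined_ids = {s.get("id") for s in root.iter("search") if s.get("id")}  # legal base= targets
    if root.find("searchTemplate") is not None:  # direct child of <form>
        findings.append("form-level <searchTemplate> found; give each panel its own search instead")
    for tag in VISUALIZATIONS:
        for viz in root.iter(tag):
            title = (viz.findtext("title") or "<untitled>").strip()
            defs = viz.findall("search") + viz.findall("searchTemplate") + viz.findall("searchString")
            if len(defs) != 1:
                findings.append(f"{tag} '{title}': expected 1 search definition, found {len(defs)}")
            for s in viz.findall("search"):
                base = s.get("base")
                if base is not None and base not in defined_ids:
                    findings.append(f"{tag} '{title}': base=\"{base}\" references no <search id=\"{base}\">")
                if s.find("searchTemplate") is not None:
                    findings.append(f"{tag} '{title}': <searchTemplate> nested inside <search>; move it to the panel")
    return findings
```

Running lint_dashboard(BROKEN) reports three findings (form-level template, the dangling base="global", and the nested template), while lint_dashboard(FIXED) returns an empty list.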
Hi IRHM73,
Try to remove
<search> </search>
and write only:
<searchTemplate>|rest /services/search/jobs
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
|search author =$author$
|addtotals fieldname=duration *duration_secs
|convert rmunit(duration) as numSecs
|eval stringSecs=tostring(duration,"duration")
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\."
|eval stringSecs=myRest. "s " .ms. "ms"
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24))
|where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime)
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime)
|eval daterange= "From: ".earliestTime.", To: ".latestTime
|makemv delim=", " daterange
|sort +author
|table author eai:acl.app title daterange NoOfDays stringSecs
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"
</searchTemplate>
Hi, thank you for coming back to me with this. You must have been quick off the mark because I had deleted the question having found a solution which I'll post in the answer section.
Kind Regards
Chris