Dashboards & Visualizations

Need help with a dropdown...

balleste
Engager

I have the following Splunk query:

sourcetype=api "analyzed email count" mailserver-01 | stats sum(mail_value) AS "Total"

mailserver-01 is a field in Splunk that defines the mail server. I have 10 mailservers and wanted to make a dropdown list where users can select the mailserver and the dash will auto refresh.


lakromani
Builder

Here is a dynamic way to do it. This will count up mail servers and add them to the drop down box. If you have 2 servers it will show those two; if you have 100, it shows 100 servers.

<input type="time" token="global_time" searchWhenChanged="true">
  <label>Time frame</label>
  <default>Last 24 hours</default>
</input>
<input type="dropdown" token="Mailserver" searchWhenChanged="true">
  <label>Mailserver</label>
  <!-- Here you need to make a rex to extract the name of your mail server;
       "xxx" is a placeholder for the text that precedes the server name in your events.
       Note that < and > inside <query> must be escaped as &lt; and &gt; in Simple XML. -->
  <search>
    <query>sourcetype=api "analyzed email count"
      | rex "xxx (?&lt;server&gt;\S+)"
      | top limit=0 server</query>
    <earliest>$global_time.earliest$</earliest>
    <latest>$global_time.latest$</latest>
  </search>
  <choice value="*">Any</choice>
  <fieldForLabel>server</fieldForLabel>
  <fieldForValue>server</fieldForValue>
  <default>*</default>
</input>

Then in your panel you add the following search:

sourcetype=api "analyzed email count" $Mailserver$ | stats sum(mail_value) AS "Total"

If you post some lines that show what the mail server looks like, I can make the regex to extract it for you.


niketn
Legend

Edit Dashboard > Click Add Input > Choose Dropdown

Edit Dropdown by clicking on Edit input icon against field1.
1) Rename Label as Select Mail Server.
2) Check Search on Change option.
3) Select Token = selMailServer
4) Scroll to Static Options and add the following Name - Values :
Name= 01 -- Value=mailserver-01
02 -- mailserver-02
...
10 -- mailserver-10
5) Scroll back to the Default field and choose 01 as the default field value.

PS: You can define lookup tables for more dynamic list and values and use Dynamic Options to populate Name/Value through Splunk Search String.

Following is the Simple XML Source Code for the same (notice the root node changes from dashboard to form the moment we add any form inputs).

<fieldset>
  <input type="dropdown" token="selMailServer" searchWhenChanged="true">
    <label>Select Mail Server</label>
    <choice value="mailserver-01">01</choice>
    <choice value="mailserver-02">02</choice>
    <choice value="mailserver-03">03</choice>
    <choice value="mailserver-04">04</choice>
    <choice value="mailserver-05">05</choice>
    <choice value="mailserver-06">06</choice>
    <choice value="mailserver-07">07</choice>
    <choice value="mailserver-08">08</choice>
    <choice value="mailserver-09">09</choice>
    <choice value="mailserver-10">10</choice>
    <default>mailserver-01</default>
  </input>
</fieldset>

6) Finally, in your search you can replace mailserver-01 with $selMailServer$

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

balleste
Engager

Thank you...I've done this...however, is there a better way to not have to statically do this for every mail server? Say Splunk starts indexing logs for mailserver-11...is there a way to dynamically add it?


somesoni2
SplunkTrust

How frequently does the data come into Splunk for a mail server? Do all mail server logs come in all the time?


niketn
Legend

Yes, there are two ways. If you have a Splunk search which can pull server names, you can populate the dropdown through Dynamic Options.

Alternatively, you can load a spreadsheet into Splunk as a lookup table with the mail server names and then use an inputlookup search to populate the dropdown via Dynamic Options. The spreadsheet can be updated manually each time a mail server is added, and also via a Splunk search.

One other way would be Key Value (KV) Store as well. I have not worked with that though.

Let me know if it addresses your problem, or if you need more details.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
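As an added example (not code posted by anyone in this thread), here is a complete form that combines the lookup-driven dynamic dropdown described above with the original panel search, so a newly added mailserver-11 appears as soon as it is in the lookup. It assumes a lookup file named mailservers.csv with a column called server, and that the server name appears as a bare term in the events, as in the original query.

```xml
<form>
  <label>Mail volume by server</label>
  <fieldset submitButton="false">
    <input type="time" token="global_time" searchWhenChanged="true">
      <label>Time frame</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="selMailServer" searchWhenChanged="true">
      <label>Select Mail Server</label>
      <!-- Dynamic options: one entry per distinct server in the lookup.
           mailservers.csv and its "server" column are assumed names. -->
      <search>
        <query>| inputlookup mailservers.csv | dedup server | sort server | table server</query>
      </search>
      <fieldForLabel>server</fieldForLabel>
      <fieldForValue>server</fieldForValue>
      <!-- A static wildcard choice is merged with the dynamic list -->
      <choice value="*">All servers</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Total analyzed emails for $selMailServer$</title>
      <single>
        <search>
          <!-- The token replaces the hard-coded mailserver-01 from the original query -->
          <query>sourcetype=api "analyzed email count" $selMailServer$ | stats sum(mail_value) AS "Total"</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
      </single>
    </panel>
  </row>
</form>
```

Because the token value comes only from the lookup rows or the fixed "*" choice, the search the panel runs is constrained to the server names you maintain in the lookup rather than free text.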