Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dropdown creation and configuration for a dashbaord

shabdadev
Engager
‎02-23-2017 01:15 AM

Hi,

I wrote one simple query

index=nmon host=* type=DISKXFER | timechart avg(value) by host

and created a dashbaord with time filter option also.

Now i want to add a dropdown ,but no where i am finding explanation for the fields represented in dropdown edit section and also i am not sure how to connect the drop down with the dashboard panel so that once time range and drop down value is selected ,.....data should populate in the dashboard .

I want to implement this logic with multiple panels ..so that once i select a set of server suppose "search server" from drop down..it should populate the values for those servers.

Tags (1)
0 Karma
Reply

niketn
Legend
‎03-06-2017 12:32 PM

Here is an example based off Splunk's internal index.
It created Dropdown for Sourcetypes to be used across dashboard. It also has a Time control to allow specifying earliest and latest time for dropdown and the panels. I have added Time Control the example just to show that timerange for a Dynamic Query in dropdown can be specified only in the inline search using command like thisearliest=$tok_time.earliest$ latest=$tok_time.latest$

<form>
  <label>Splunk Answers 505259</label>
  <fieldset submitButton="false">
    <input type="time" token="tok_time" searchWhenChanged="true">
      <label>Global Time Selector</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tok_sourcertype" searchWhenChanged="true">
      <label>Select Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <initialValue>*</initialValue>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal sourcetype=*
earliest=$tok_time.earliest$ latest=$tok_time.latest$
| dedup sourcetype
| sort sourcetype
| table sourcetype</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panel 1</title>
      <chart>
        <search>
          <query>index=_internal $tok_sourcertype$
| stats count by log_level</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <search>
          <query>index=_internal $tok_sourcertype$
| stats count by log_level</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Besides basic form input elements you should also consider reading
Input Event Handlers: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference
and also Token Usage in Dashboards which also covers Search Event Handlers: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

Ideally, the scenario for example used here is suitable for post processing as same stats query is used in two places. So the underlying query to pull stats will run only once. However, post processing should be applied as per use case as it has its limitations and guidelines as well. (http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_searches)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎03-10-2017 11:43 PM

@shabdadev were you able to try out the example? Is your issue resolved?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

adonio
Ultra Champion
‎03-06-2017 06:39 AM

Hi shabdadev,
This doc can get you started: http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/Buildandeditforms
It has good code examples. Also, teh dashboard examples app is very useful, you can download it here:
https://splunkbase.splunk.com/app/1603/
Hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...