Splunk Search

How to create a single dashboard that will change the search for each panel based on a dropdown input option?

jxt950
Engager

I have created 3 dashboards which display performance metrics and client usage of the API. All 3 dashboards have the same set of panels and all the searches used in the panels are the same except that the API name is different.
So I am trying to find out if there is a way to have a single dashboard and change only the api name in the search for each panel using a dropdown input.

For example:
api1
api2
api3

index=* SERVICE=  ..

So the dashboard will refresh and get results of each api every time I submit or select the different api.

Please help by redirecting me to any example or steps to create the above dashboard.

Thank you

0 Karma
1 Solution

jxt950
Engager

Thank you for the response @adonio & @JDukeSplunk. I was able to get the desired results by doing some trial and error.

First I searched for app names of the APIs using the query index=(index_name) (service*) | dedup Service | table Service.
After I got the app name for all 3 APIs

Second, in my dashboard test input dropdown option I did the following.

I set the token name as api_name. In all dashboard panels' queries I made it index=(index_name) $api_name$ ....

In the static options of the dropdown I set
Name : values of 3 APIs
ex: {api-name}: {api-name-app}

And in Dynamic options
I put the query mentioned above in the search string. Set the time for 60 minutes.
Kept Field name and value as Service.

It works as I expected. The panels refresh and publish the selected API's metrics when selected from the dropdown.

0 Karma
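
The dropdown setup described in the accepted answer, written out as Simple XML (an added example, not the poster's dashboard). The index name `your_index`, the `Service=*` base search, the `client` field, the panel searches and the static choice `api1` / `api1-app` are placeholders; `$api_name|s$` applies the `|s` token filter so the selected value is quoted as a single field value rather than spliced into the search as raw text.

```xml
<form>
  <label>API metrics</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="api_name" searchWhenChanged="true">
      <label>API</label>
      <!-- Static option; label and value are placeholders -->
      <choice value="api1-app">api1</choice>
      <!-- Dynamic options: distinct Service values from the last 60 minutes -->
      <search>
        <query>index=your_index Service=* | dedup Service | table Service</query>
        <earliest>-60m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>Service</fieldForLabel>
      <fieldForValue>Service</fieldForValue>
      <default>api1-app</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Request volume for $api_name$</title>
      <chart>
        <search>
          <!-- |s quotes the token value so it is treated as one field value -->
          <query>index=your_index Service=$api_name|s$ | timechart count</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    <panel>
      <title>Top clients for $api_name$</title>
      <table>
        <search>
          <!-- "client" is a hypothetical field name -->
          <query>index=your_index Service=$api_name|s$ | top limit=10 client</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Every panel that references `$api_name$` re-runs when the dropdown selection changes, because `searchWhenChanged` is set to `true` on the input.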

aaraneta_splunk
Splunk Employee

@jxt950 - Did your answer provide a working solution to your question? If yes and you would like to close out your post, don't forget to click "Accept". Thanks!

0 Karma

JDukeSplunk
Builder

I'll post some sample code from a dashboard that does this.

Here are the "filters" at the top. You can either add static entries to these, or use searches to populate them.

Now some code for what they look like.

This is the code for the "Host Groups" token. It auto-populates based on a search. This then fills the $hostgroup$ token in any of the search panels in the dashboard.

    <input type="multiselect" searchWhenChanged="false" token="hostgroup">
      <label>Host Groups</label>
      <search>
        <query>index=application  sourcetype="apollo:prod:pegarules" |eval  host=upper(host) |top host limit=100 showcount=false showperc=false |sort + host</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <choice value="ttapp* OR host=amusttnup80*">All</choice>
      <choice value="TTAPPPEGAAG*">Agent Servers</choice>
      <choice value="TTAPPPEGAWEB*">Web Servers</choice>
      <choice value="TTAPPPEGACC*">Call Center Servers</choice>
      <choice value="amusttnup80003 OR host=amusttnup80004">NextGen Call Center</choice>
      <choice value="TTAPPPEGAAPP* OR host=TTAPPPEGAWEB*">Portal (Web and App)</choice>
      <choice value="amusttnup80005 OR host=amusttnup80006 OR host=amusttnup8007 OR host=amusttnup80007 OR host=amusttnup80008">NextGen Portal</choice>
      <choice value="TTAPPPEGAAPP*">APP Servers</choice>
      <choice value="TTAPPPEGAADM*">Admin Servers</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <delimiter> OR </delimiter>
      <valuePrefix>host=</valuePrefix>
      <default>TTAPPPEGACC*</default>
      <initialValue>TTAPPPEGACC*</initialValue>
    </input>

Sample search.

    <panel>
      <title>Pega Exceptions</title>
      <chart>
        <search>
          <query>index=application $hostgroup$ $keyword$ (sourcetype=apollo:prod:pegarules) (pegarules_loglevel=ERROR OR pegarules_loglevel=SEVERE OR pegarules_loglevel=FATAL)|fields  _raw,pegarules_loglevel  |rex max_match=1 field=_raw "\.(?&lt;type&gt;[^\.\:]\w+(Exception|Error))(\:|\s|\;)" |search $pegaexcp$ |eval hours=strftime(_time, "%H") |where $exclude$  |timechart $timechart$ limit=30 usenull=f useother=f count by type</query>
          <earliest>$timespan.earliest$</earliest>
          <latest>$timespan.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="height">600</option>
      </chart>
    </panel>

adonio
Ultra Champion

Hi jxt950,
You can create a form input and a token for your API, then pick the API you want and the dashboard will populate.
Some nice examples here: https://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/Buildandeditforms

0 Karma