Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add a list input to a splunk Dashboard

pbsuju
Explorer
‎08-03-2017 09:18 PM

I have a dashboard for system uptime, where I can input single host as a input, but I want to display the dashboard for multiple host values. How to achieve it My dashboard is simple xml dashboard.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-03-2017 10:02 PM

@pbsuju, you need multiselect input, refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Define_tokens_for_multiselect_inputs

Following is a run anywhere dashboard snippet with Multiselect (based on Splunk's _internal index)

 <fieldset submitButton="false">
    <input type="multiselect" token="tokComponent">
      <label>Select Components</label>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd log_level!="INFO"
| table component
| dedup component
| sort component</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter> OR </delimiter>
      <valuePrefix>component="</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO" $tokComponent$
| stats count by log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

pbsuju
Explorer
‎08-21-2017 03:31 AM

Thanks for the response. I was able to create the dashboard with multi select inputs. But I have to always key in each host name as inputs. Is it possible to copy & paste a list of hosts in multi select box and then the dashboard take it as input?. Please advise

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-21-2017 04:41 AM

Ideally this should have been posted as a separate question. However, following is the answer for documenting:

How to copy paste values for multiselect input

Since this functionality is not built in to Multiselect input, you can either create your own Textarea with JavaScript. Or other alternative (as explained here) would be to use Text box to set the token for multiselect. (PS: Extra validation to ensure only comma-separated values are provided via Text Box can be coded using Javascript Regular Expression)
alt text

PS: I have used following as input for screenshot:

ExecProcessor,AdminManager,ApplicationUpdater,DispatchThread

Try the following run-anywhere search for the same:

  <fieldset submitButton="false">
    <input type="multiselect" token="selMult" searchWhenChanged="true">
      <label>Select Multiple Inputs</label>
      <valuePrefix>component="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by component
| sort component
| table component</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="selText" searchWhenChanged="true">
      <label>Override Multiselect Values (Copy Paste Comma Separated Text in Text Box)</label>
      <change>
        <condition match="len($value$)&gt;0">
          <eval token="selMult">split($value$,",")</eval>
          <eval token="form.selMult">split($value$,",")</eval>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO" $selMult$ | timechart count by component</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-21-2017 04:52 AM

@pbsuju, please try out an confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

niketn
Legend
‎08-29-2017 02:51 AM

@pbsuju, were you able to try this example of passing multiple values from Text Box to Multiselect input?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

pbsuju
Explorer
‎08-29-2017 04:13 AM

Great Help.. It worked. Thanks.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-29-2017 04:40 AM

Glad to know. Since you have already accepted the answer, please up vote the comments that have helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-03-2017 10:02 PM

@pbsuju, you need multiselect input, refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Define_tokens_for_multiselect_inputs

Following is a run anywhere dashboard snippet with Multiselect (based on Splunk's _internal index)

 <fieldset submitButton="false">
    <input type="multiselect" token="tokComponent">
      <label>Select Components</label>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd log_level!="INFO"
| table component
| dedup component
| sort component</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter> OR </delimiter>
      <valuePrefix>component="</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO" $tokComponent$
| stats count by log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...