Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Checkbox to select specific apps and to show their indexes if selected in dashboard

Mohsin123
Path Finder
‎09-07-2017 09:14 PM

Hi,

I have already made a dashboard where a panel shows index usage in GB per index. I have to edit it in this way. Say, one application websphere has 3 indexes. I want to see all three of them at the same time if I select websphere, a checkbox according to applications. Say if I select websphere application, it shows me 3 indexes and their use.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎09-07-2017 10:25 PM

You can use SPLUNK REST command to pull App names and corresponding indexes (provided you have access to execute REST calls).

| rest /services/data/indexes
| dedup eai:acl.app
| table eai:acl.app, title

alt text

Following is an example which uses REST API call to populate App names in Dropdown and based on selection of App populated all App's Indexes as check boxes. Based on check boxes which are selected it gets the stats from selected index/es using tstats generating command.

PS: By default selected app is system and selected indexes are _audit and _internal. Search Panel is hidden based on depends attribute ontokIndex and time picker is added to stats panel as well.

<form>
  <label>REST app based indexes</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokApp" searchWhenChanged="true">
      <label>Select App</label>
      <fieldForLabel>eai:acl.app</fieldForLabel>
      <fieldForValue>eai:acl.app</fieldForValue>
      <search>
        <query>| rest /services/data/indexes
| dedup eai:acl.app
| table eai:acl.app</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>system</default>
    </input>
    <input type="checkbox" token="tokIndex" searchWhenChanged="true">
      <label>Select Index/es</label>
      <fieldForLabel>title</fieldForLabel>
      <fieldForValue>title</fieldForValue>
      <search>
        <query>| rest /services/data/indexes
| search eai:acl.app="$tokApp$"
| table title</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter> OR  </delimiter>
      <valuePrefix>index="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <default>_audit,_internal</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <input type="time" token="tokTime" searchWhenChanged="true">
        <label>Select Time</label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table depends="$tokIndex$">
        <search>
          <query>| tstats prestats=t count where $tokIndex$ by sourcetype</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

PS: Refer to Splunk 6.x Dashboard Examples App from Splunkbase for more such examples on handling Splunk input values using Dynamic search options.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎09-07-2017 10:25 PM

You can use SPLUNK REST command to pull App names and corresponding indexes (provided you have access to execute REST calls).

| rest /services/data/indexes
| dedup eai:acl.app
| table eai:acl.app, title

alt text

Following is an example which uses REST API call to populate App names in Dropdown and based on selection of App populated all App's Indexes as check boxes. Based on check boxes which are selected it gets the stats from selected index/es using tstats generating command.

PS: By default selected app is system and selected indexes are _audit and _internal. Search Panel is hidden based on depends attribute ontokIndex and time picker is added to stats panel as well.

<form>
  <label>REST app based indexes</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokApp" searchWhenChanged="true">
      <label>Select App</label>
      <fieldForLabel>eai:acl.app</fieldForLabel>
      <fieldForValue>eai:acl.app</fieldForValue>
      <search>
        <query>| rest /services/data/indexes
| dedup eai:acl.app
| table eai:acl.app</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>system</default>
    </input>
    <input type="checkbox" token="tokIndex" searchWhenChanged="true">
      <label>Select Index/es</label>
      <fieldForLabel>title</fieldForLabel>
      <fieldForValue>title</fieldForValue>
      <search>
        <query>| rest /services/data/indexes
| search eai:acl.app="$tokApp$"
| table title</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter> OR  </delimiter>
      <valuePrefix>index="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <default>_audit,_internal</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <input type="time" token="tokTime" searchWhenChanged="true">
        <label>Select Time</label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table depends="$tokIndex$">
        <search>
          <query>| tstats prestats=t count where $tokIndex$ by sourcetype</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

PS: Refer to Splunk 6.x Dashboard Examples App from Splunkbase for more such examples on handling Splunk input values using Dynamic search options.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

Mohsin123
Path Finder
‎09-08-2017 05:15 AM

I am adding this search to the search string.. Why I am not getting any result?
|eventcount summarize=false report_size=true index=* index=_*|search index=$tokIndex$|stats sum(size_bytes) As size_bytes by index|Eval size_bytes_GB=size_bytes/1024/1024/1024|table index size_bytes_GB|sort - size_bytes_GB

0 Karma
Reply
Solved! Jump to solution

Mohsin123
Path Finder
‎09-08-2017 05:16 AM

Error here is error in search command unable to parse the search comparator = has an invalid term on the lhs

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎09-08-2017 07:55 AM

you might have to paste your code using Code button (101010) so that special characters do not escape.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Mohsin123
Path Finder
‎09-08-2017 04:50 AM

Thankyou so much Niket. But I get an issue. Data populates for system app. But if I select any other app, it says an error :error in tsidxStats:where clause is not an exact query. Also select index checkbox is disabled

0 Karma
Reply
Solved! Jump to solution

Mohsin123
Path Finder
‎09-08-2017 05:05 AM

Oh wow.. I just copy pasted ur code and it worked.. Thanks buddy

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎09-08-2017 05:39 AM

Anytime 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...