Splunk Search

Splunk search interface for non-technical users?

yoyu777
Explorer

Hi,

This question may be a bit unusual. While I know SPL is already kind of "simple" enough to get the hang of for most technical users, we are challenged to find a software/service that allows even the least technical users to comfortably create some filters and fire some searches; ideally it should also be able to integrate with Splunk.

"Pivot" does not fit the purpose as it is mainly a visualisation tool rather than search tool.

Has anyone come across things like this before?


gcusello
SplunkTrust

Hi yoyu777,
We gave users who don't know Splunk a simple interface, for developers who need to see debugging logs during development.
We created a search perimeter (host, source, and other fields) in a lookup, and we created some filters in the dashboard using the lookup fields so the user can filter logs.

In other words, users choose search parameters and, using the perimeter lookup, we build a search containing the main information: index, sourcetype, source, host.
In addition the user has a free text input to add words to search for.

As a result, we display the timestamp and part of the raw event (first 200 chars) for a list of events; if the interesting event is larger than 200 chars, clicking on the event displays the full event in another panel of the dashboard.

Bye.
Giuseppe

yoyu777
Explorer

Thanks Giuseppe.

So just to validate my understanding, you created your own app and did some customisation so non-technical users can create filters by clicking the mouse? Did you just use the out-of-the-box interface, or did you use HTML and JavaScript scripts, or SplunkJS?


gcusello
SplunkTrust

No, we have a lookup containing all the information about the search perimeter:

  • perimeter
  • name
  • environment (Production or Qualification)
  • hostname
  • IP
  • Log Type (Application or System)
  • source

Users in a dashboard can choose all the above parameters; in this way we can identify:

  • index
  • sourcetype
  • source
  • host

and show the user all the events that match the filters.
The only additional choice is a full text search input.

We did all with standard Splunk interface, without additional components.

The main job is to design the perimeter, but we usually already have it because the targets are development logs, so we can easily delimit our perimeter.

Bye.
Giuseppe

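The following Simple XML dashboard is an added illustration of the design Giuseppe describes (a perimeter lookup driving the filters, a free text input, a list of truncated events and a second panel showing the clicked event in full); it is not the original poster's dashboard, and the lookup name `dev_perimeter.csv`, its field names (`perimeter`, `environment`, `hostname`, `source`, `index`, `sourcetype`) and the token names are assumptions chosen for this example. Two points matter for anyone handing such a dashboard to non-technical users: the free text token is passed through the `|s` filter, so whatever the user types is quoted as a search term rather than spliced into the SPL as-is (a value such as `* | outputlookup x.csv` would otherwise become part of the pipeline, running with that user's own role permissions), and the raw event is rendered with the `|h` filter so log content cannot inject HTML into the dashboard.

```xml
<form>
  <label>Development log viewer (perimeter-driven)</label>
  <!-- Assumed lookup dev_perimeter.csv (constructed for this example), one row per allowed scope:
       perimeter,environment,hostname,source,index,sourcetype
       webshop,Qualification,qa-web-01,/var/log/app/webshop.log,dev_app,webshop:app
       webshop,Production,prd-web-01,/var/log/app/webshop.log,prd_app,webshop:app -->
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default><earliest>-60m</earliest><latest>now</latest></default>
    </input>
    <!-- Every dropdown is populated from the lookup, so users can only pick values inside the perimeter -->
    <input type="dropdown" token="perimeter" searchWhenChanged="true">
      <label>Perimeter</label>
      <fieldForLabel>perimeter</fieldForLabel>
      <fieldForValue>perimeter</fieldForValue>
      <search><query>| inputlookup dev_perimeter.csv | stats count by perimeter</query></search>
    </input>
    <input type="dropdown" token="environment" searchWhenChanged="true">
      <label>Environment</label>
      <fieldForLabel>environment</fieldForLabel>
      <fieldForValue>environment</fieldForValue>
      <search><query>| inputlookup dev_perimeter.csv | search perimeter=$perimeter|s$ | stats count by environment</query></search>
    </input>
    <input type="multiselect" token="hostname">
      <label>Host</label>
      <choice value="*">All hosts</choice>
      <default>*</default>
      <fieldForLabel>hostname</fieldForLabel>
      <fieldForValue>hostname</fieldForValue>
      <valuePrefix>hostname="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <search><query>| inputlookup dev_perimeter.csv | search perimeter=$perimeter|s$ environment=$environment|s$ | stats count by hostname</query></search>
    </input>
    <!-- Free text: the only unconstrained input. |s quotes it so it is a term, never SPL -->
    <input type="text" token="freetext">
      <label>Free text</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Events (click a row to see the full event)</title>
        <search>
          <!-- The subsearch turns the matching lookup rows into
               (index="..." sourcetype="..." source="..." host="...") OR (...)
               so the search can never leave the perimeter chosen above -->
          <query>search [ | inputlookup dev_perimeter.csv
                           | search perimeter=$perimeter|s$ environment=$environment|s$ ($hostname$)
                           | fields index sourcetype source hostname
                           | rename hostname AS host ] $freetext|s$
| eval event=_raw, snippet=substr(_raw, 1, 200)
| table _time snippet event</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <!-- Show only the timestamp and the first 200 chars; the full event stays in the row data -->
        <fields>["_time","snippet"]</fields>
        <option name="count">50</option>
        <drilldown>
          <set token="full_event">$row.event$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$full_event$">
    <panel>
      <title>Full event</title>
      <!-- |h HTML-escapes the event text before it is rendered -->
      <html><pre>$full_event|h$</pre></html>
    </panel>
  </row>
</form>
```

The lookup rows are the security boundary here, not the dashboard: a user who can run ad hoc searches in the Search app is not limited by it, so the role assigned to these users should restrict `srchIndexesAllowed` to the development indexes and grant access to this app only. The 200-character truncation and the click-to-expand panel reproduce the behaviour described in the answer.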

worshamn
Contributor

What about trying the tables option from the Datasets Add-on (https://splunkbase.splunk.com/app/3245/)? This lets users work with an Excel-like interface and there is an option on the side to see the SPL it creates. Once you install the app and go to the "Datasets" tab, click on "Create New Table Dataset" to be walked through creating a table to work with.
