- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- make indexer easy accessable
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
make indexer easy accessable
Hi,
people often don't like it to use "index=...". I've tried to make logs easy accessable for them by using macros instead.
For example firewall-logs.
But now people wan't to have a more easier way, without ``. Is there a way to just use a single word for choosing an index in the background? For example just the word "firewall" ?
With tags and eventtypes it is the same. You have to use "tag=...".
Thank you in advance
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create you own flashtimeline and include the indexes as a dropdown...
This would allow to have a free text box for the search string, and then have a dropdown that includes a list of indexes that users can search on.
Perhaps a bit "radical" but hey-ho...
Good starting points:
http://docs.splunk.com/Documentation/Splunk/5.0/AdvancedDev/AdvancedSearch
http://docs.splunk.com/Documentation/Splunk/5.0/AdvancedDev/AdvancedSearch
Just an idea, but hope it helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope, there is no easier way. I would argue that the `` are pretty easy anyway. Any word entered without these characters would just be interpreted as a search term or command.
Oh, there is the other option of adding it to the indexes their role search by default? It depends on the use case and their roles really. But it is another option if they really are concerned about typing in an additional 2 characters 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
err, possibly. This would be moving from the realms of Splunk and more into JavaScript and populating text fields with values based on click events. I still think its a matter of user education. The most common searches and investigations should be in savedsearches or dashboards. You could build custom forms for specific indexes where the index is hidden in the background and users just enter their search terms. You could even add a drop down to the left to select an index first if you really just wanted the one screen.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
create a button which adds for a existing search a kind of suffix.
normal search : index= abc
click to button : index = abc OR index = cde
all stuff after index = abc comes from the button.
possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a button to search against an index?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you! is it possible to create a new button next to the "save" and "create" button which solves this problem? should be not a problem, or?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
