Solved: Multi text input for search with a date, source, a...

reneedeleon · ‎03-09-2020

I am currently working on a dashboard that will simplify the search for some of our office personnel who are not Splunk savvy. I am creating a dashboard that has three drop down and six text inputs in order to ensure they are getting the specific results they are looking for, however I am not sure if the code is working and why the submit button are not working. I am very new to XML and any help would be appreciated.

my code:

Splunk made simple

<input type="time" token="token_time">
  <label>Date and Time</label>
  <default>
    <earliest>@d</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="dropdown" token="source_token">
  <label>Select Source</label>
  <choice value="calories-3514">choclates</choice>
  <choice value="calories-1445">veggies</choice>
  <choice value="calories-4461">cakes</choice>
  <choice value="calories-5447">pies</choice>
</input>
<input type="dropdown" token="food_token">
  <label>Food</label>
  <choice value="*">All</choice>
  <fieldForLabel>Food</fieldForLabel>
  <fieldForValue>food_name</fieldForValue>
  <search>
    <query>index=goodies source=$source_token$
            | stats count by food_name</query>
    <earliest>@d</earliest>
    <latest>now</latest>
  </search>
</input>
<input type="text" token="user_tok">
  <label>Who</label>
  <default>$user_tok$</default>
</input>
<input type="text" token="uid_tok">
  <label>Trainer</label>
  <default>$uid_tok$</default>
</input>
<input type="text" token="src_tok">
  <label>First meal</label>
  <default>$src_tok$</default>
</input>
<input type="text" token="dst_tok">
  <label>Second Meal</label>
  <default>$dst_tok$</default>
</input>
<input type="text" token="junkfood_tok">
  <label>third meal</label>
  <default>$junkfood_tok$</default>
</input>
<input type="text" token="snack_tok">
  <label>Snack</label>
  <default>$snack_tok$</default>
</input>


<panel>
  <title>Panel 1</title>
  <table>
    <search>
      <query>index=goodies   source=$token_time$

| fillnull value=NULL food_name, user, uid, src, dst, junkfood, snack
| table food_name, user, uid, src, dst, junkfood, snack
|
$time_token.earliest$
$time_token.latest$

10
none
none
true

gcusello · ‎03-09-2020

Hi @reneedeleon,
probably in all your events there aren't all the fields you configured in dropdows and text inputs, in addition, you have to manage all the default inputs that your users don't use.
My hint is to create inputs for the fields that are present in 100% of events and give a text input without field to use for the full text search teaching the users to use the search operators (AND, OR, NOT parenthesis, etc...) as they usually do on Google search.

Ciao.
Giuseppe

View solution in original post

gcusello · ‎03-09-2020

Hi @reneedeleon,
probably in all your events there aren't all the fields you configured in dropdows and text inputs, in addition, you have to manage all the default inputs that your users don't use.
My hint is to create inputs for the fields that are present in 100% of events and give a text input without field to use for the full text search teaching the users to use the search operators (AND, OR, NOT parenthesis, etc...) as they usually do on Google search.

Ciao.
Giuseppe

reneedeleon · ‎03-10-2020

Thank you @gcusello,

The dropdowns are there 100% of the time, it's the text fields that are the issue. I Have tried to get the analysts to learn how to use Splunk but this is going to be the only way they can do it. Let me tweak the xml a little more.

Multi text input for search with a date, source, and location dropdowns

drilldown

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms