Form vs. View for Multiple Result Sets

Eldad

Hi,

My event data consists of HTTP requests. My goal is to build a view that includes:
1) A drop-down to choose a Host header value
2) A line chart for the selected Host header related events that displays the number of unique requests for each source IP each day
3) Another chart that displays another flavor of the data

When trying to do this with a search form I hit a wall when trying to take the form search results and get something else out of them. The basic search results are the requests associated with a certain Host header value and I was trying to create a chart for the number of unique page hits by IP. I did this by adding a chart where charting.data.search="timechart span=1d count(url) by source_ip". This did not work and the chart was not displayed correctly, making me think that this is not the way I was supposed to use charting.data.search.

So the question is what is the best way to build such a screen (form or view) and how do I achieve that (did not find the documentation taking me through this).

Thanks!


sideview

1) There is significant documentation at splunk.com - eg: http://www.splunk.com/base/Documentation/latest/Developer/FormIntro

Quite possibly you've just been looking in the wrong place? eg: setting the property charting.data.search is a very advanced thing to do additional filtering and is not at all how you set the main search.

2) Or if you'd rather tinker with living breathing examples you can pull down the UI Examples app and learn in a more hands-on fashion. It sounds like this might be the way to go for you (since you somehow went straight to the advanced charting documentation).

To do this:
go to the "Launcher" app,
within Launcher, go to "Browse more apps",
then scroll down until you get to "UI Examples for 4.1".
Install that app and once it's installed go to it and start reading through the examples. You'll find a number of examples talking about building different kinds of views in both the simplified XML (ie <form> and <dashboard>) as well as the advanced XML (ie <view>).
