Imagine that we are sending data that has the following fields in every event: time, userid, thread ...
Would like to create a form where the on-call engineer can
To finally arrive at a small subset of logs that he/she should inspect. Is this doable? Could you point me to a sample?
That's doable.
In short, this could be an approach:
Depending on your data, it's probably smart to have commonly used fields filled from prepared lookups to speed things up.
I had something a little different in mind - one Advanced XML view with a tree of pulldowns. A bit like the SideviewUtils doc on "Pulldown - reusing searches with 'postProcess'", available under Key Techniques if you have Sideview Utils v2 (get it from http://sideviewapps.com/apps/sideview-utils/ - you really should!).
Thanks.
In the second form, as soon as the user has picked a userid (prepopulated by query), how does one transition to the next form WITHOUT showing the results to the user and having him click on them, as documented here: http://docs.splunk.com/Documentation/Splunk/5.0.3/Viz/Dynamicdrilldownindashboardsandforms#Dynamic_d...
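An added example, not from this thread and not Sideview's own documentation, of what the "tree of pulldowns" sketch above could look like as one Advanced XML view. It assumes Sideview Utils v2 is installed (its Pulldown module and its postProcess parameter); the index name app_events, the 24h time window, the 100-row cap and the field names userid/thread are assumptions. One Search module runs once; each Pulldown narrows that single result set with a postProcess, so picking a userid fills the thread list directly and the engineer never has to click through an intermediate results page. Only the final nested Search runs a second job, and only once both values are chosen:

```xml
<view template="dashboard.html" isSticky="False" onunloadCancelJobs="True">
  <label>On-call log triage</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>

  <!-- Base search: aggregated on purpose so the stored result set stays small.
       postProcess runs over the job's saved results, so a raw-event search here
       would be both slow and subject to result-count limits. -->
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=app_events | stats count by userid thread</param>
    <param name="earliest">-24h</param>
    <param name="latest">now</param>

    <!-- Level 1: userid list, derived from the base job, no extra search -->
    <module name="Pulldown">
      <param name="name">userid</param>
      <param name="label">User</param>
      <param name="searchFieldsToDisplay">
        <list>
          <param name="value">userid</param>
          <param name="label">userid</param>
        </list>
      </param>
      <param name="postProcess">stats sum(count) as count by userid</param>

      <!-- Level 2: thread list, filtered by the userid chosen above ($userid$),
           still served from the same base job -->
      <module name="Pulldown">
        <param name="name">thread</param>
        <param name="label">Thread</param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="value">thread</param>
            <param name="label">thread</param>
          </list>
        </param>
        <param name="postProcess">search userid="$userid$" | stats sum(count) as count by thread</param>

        <!-- Leaf: the small subset of raw events the engineer should inspect.
             This is the only second search job, and it runs only once both
             pulldowns have a value. -->
        <module name="Search">
          <param name="search">index=app_events userid="$userid$" thread="$thread$" | head 100</param>
          <module name="Pager">
            <module name="SimpleResultsTable">
              <param name="displayRowNumbers">False</param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</view>
```

Two things to check before relying on this: keep the base search aggregated (stats by the pulldown fields), because post-process searches read from the job's stored results and are capped in row count, so a `| fields` or raw-event base search will silently truncate the pulldown options; and note that the final table is the only place raw events are shown, so the engineer sees nothing until the tree has been walked to a leaf, which is the "without showing results in between" behaviour asked about above.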