Hi, my first question here so sorry if I use some strange terminology, I'll try and be as concise as I can!
To start from the beginning:
I have a log which logs the Date, Time, Address, Name and Site of devices as they move around our sites.
Using Splunk, I can enter an address and it will search for that device in the logs. I've taught Splunk about my log file format so it correctly identifies the fields for username, address and Location. Cool!
Now I click on the Site field and I can select "Report on: top values by time" which gives me a neat chart with a timeline showing the Address and which sites it's been seen in over time. That's cool too, so I save the search and call it "Tracker" so I can use it later.
Now what would be really cool would be if I could create a (view? or app? I don't know what the correct term is) where my Helpdesk people can go to Splunk, enter an Address and see the chart generated for the Address of their choosing.
I've created the XML, I think it's installed as a view but it doesn't seem to work. The xxxx below is an address on our network.
<form>
  <label>Tracker</label>
  <fieldset>
    <input type="text" token="address">
      <label>Address</label>
      <seed>xxxx</seed>
    </input>
    <input type="time" />
  </fieldset>
  <row>
    <chart>
      <title>Tracker Graph</title>
      <searchTemplate>sourcetype="Summary" $address$ | timechart count by Site</searchTemplate>
      <option name="charting.chart">column</option>
      <option name="charting.primaryAxisTitle.text"></option>
      <option name="charting.secondaryAxisTitle.text">Days Active</option>
      <option name="charting.legend.placement">top</option>
      <option name="height">300</option>
    </chart>
  </row>
</form>
In the views dropdown menu, I now get a "Tracker" option. When I click this link, I get a nice form with a text input where I enter the address. It searches and a box appears saying "Tracker Graph refreshed: today at 14:56:52" and a link "View Results". There's no chart in it though - I can't figure out why. 😞
If I click the link to View Results then I get taken back to the Splunk>Search page showing that it did a search for
sourcetype="Summary" xxxx | timechart count by Site
and there is a table showing the results. If I click the "Show Report" link from here, I see the chart that I want!
I really can't work out why my chart doesn't appear in the view I created.
Does all that make sense? What am I doing wrong here?