refadental.blogg.se

Splunk inputs.conf xml







This article is meant to describe two struggles you might experience with multiselects and how you can handle them:

- You have set up a multiselect and added an option to select ‘all’ (usually represented by the wildcard character ‘*’). This option is not discarded automatically when you select another, more specific option, so ‘all’ is still applied until manually discarded. Vice versa, when you add ‘all’ to previously selected options, these previous options are not automatically discarded (see chapter 1 for a more precise problem description).
- When you pass the multiselect’s token value on drilldown to another multiselect input of another dashboard, the token is not passed properly (see chapter 1 for a more precise problem description).

For both struggles a solution in JavaScript and simple XML is provided. For JavaScript we reuse work already submitted on and modify it a little to fit our needs as well as we introduce an alternative by using simple XML.

Multiselects on Splunk dashboards allow users to select multiple options to filter data. It is common to provide an ‘all’ item, so it is not necessary to select all available items whenever a user is interested in all given options. Unfortunately, this ‘all’ option is not discarded automatically when the user selects another, more specific option, so ‘all’ is still applied until manually discarded. This can become confusing for users because the data is not filtered as expected and, even worse, could result in a misinterpretation of the data.

Let’s first have a look at the following simple run-everywhere dashboard to further describe the problem. We then implement two different solutions to fix that problem: one in JavaScript, and one within the dashboard’s simple XML. You can find the code in my GitHub repository here: For a better understanding, please feel free to copy and paste it to your Splunk instance.

Name the dashboard and assign the ID as follows:

The table below in the dashboard shows information based on the chosen sourcetypes given by the user’s multiselect input. By default, when the dashboard is opened, the table should show information about all sourcetypes (this is represented within the search as ‘sourcetype=”*”’).

Search query for the table when ‘all’ is selected:

In our scenario, the user has opened the dashboard and is only interested in information about the sourcetypes ‘scheduler’ and ‘splunk_web_access’. So, the user selects these two items within the multiselect but does not remove the ‘all’ option. Hmm… the table still lists information about all sourcetypes. What is the reason for this output? Well, besides the chosen individual sourcetypes, the option ‘all’ is still selected in the multiselect. Let’s have a look at the resulting search query for the table:

As you can see, ‘sourcetype=”*”’ is still part of the search query and therefore all sourcetypes are still returned as a result set. To achieve the desired result, the user has to manually discard the ‘all’ selection. Let’s have a look at the results after discarding ‘all’:

Discarding the ‘all’ option manually is not only annoying, it can be confusing for users since they could expect an automatic discarding in such cases and therefore could even misinterpret the data.

Let me first preface this by saying that I am a total Splunk newbie and this is very similar to a lot of XML parsing questions, however I have read through ~20 topics and am still unable to get my XML log to parse properly.

First: What I did was create a new file called nf in my splunk directory under etc/system/local because there wasn't a nf file there.

Here is the entire contents of my nf file:

Is this the proper method and if so, am I doing something wrong in my props.






