Creating my first dashboard and adding interactivity: The magic of text boxes in Splunk 6.1* in Simple XML
Recently, I had the opportunity to work on the Web Analytics portion of an internal app development project. As a newb, I was eager to jump in, get started, enjoy the adventures and misadventures of Splunking, and put to use my newly developed Splunk skills obtained from weeks of training. I mean how could I fail? I had the right people, processes, and technologies supporting me to jump in and start the Splunk magic.
Moving forward, I jumped into action by reading tons of documentation, asking the typical newb questions and making the typical newb mistakes until somehow the first round of dashboards were born. They were beautiful, colorful, and functional…. the greatest things in life are beautiful, colorful, and functional. I saw beautiful maps, pie charts, tables, and graphs. Adding to the Splunk centered euphoria was the fact that that data being reported via the dashboards was amazing. I’m no web analytics guru, but in what world does a website have 6% as a bounce rate, 100% returners, and 100% success http status for all webpages? I was euphoric in the land of Splunktopia until... a big wave came and washed me back to reality. This happened when I decided to test my beautiful masterpiece on a different set of access logs, from a different organization, located in a different environment that was providing different products/services.
This set of access logs was different as they contained web activity from an actual company with actual traffic, images, visitors, custom apache configurations, and other assets and components as opposed to the access logs from the imaginary organization that I used in my initial dashboard development. Anyway, I went in and made some changes and reran the searches. I had two problems right away. First, an automatic field created in my initial access log wasn’t created in my second access log rending two of the panels non-functional. In addition, two of the panels returned an extremely extensive list of pages making it annoying to find the exit rate for a particular page. After allowing the frustration to settle in and biting off all of my fingers nails, I sought out help. I knew tokens were the answer and I remember learning about them relative to Splunk’s web framework, but could they work for me in simple xml? Then it came to me, from some magical wise Splunktonian through a post in Splunk’s knowledge base (as seen on the top of this article). I can use forms (more specifically text boxes) to save my ailing panels.
Yes, in modern English, in 6.1 and beyond you are able to insert text boxes into simple xml dashboards, directly from Splunk’s web interface making the dashboards more interactive and more powerful. This feature helped me tremendously as I can now allow users to insert a main URL via textbox instead of creating a search that relies on a field that isn’t always created when access logs are indexed. In addition, via textbox, users can filter the results of a particular webpage without the hassle of searching through pages and pages of tabular search results.
To take advantage of the textbox for Simple XML: From your dashboard, select edit panels--> add input -->text. After you’ve selected text, the following stanza is applied to your XML code: <input type="text" token="field4"/>. You can view the code by selecting Edit Source.
You have the option of adding additional lines such as:
searchWhenChanges= “True” <!--Automatically updates the search upon text entry-->
<label></label> <!-- Title that goes above the textbox -->
<prefix></prefix> <!--Allows you to define a default prefix for user text entry-->
<suffix></suffix> <!--Allows you to define a default suffix for user text entry-->
<default></default> <!--Allows you to define a default text value-->
Here’s an example from my dashboard:
<input type="text" token="first_referer_domain" searchWhenChanged="true">
<!--This allows users to enter main domain -->
<label>Select main domain:</label>
Activating your Textbox:
Once you’ve defined your textbox parameters, you need to apply tokens around the appropriate fields in your search string: <searchString>user=$user$</searchString>
Here’s an example from my dashboard:
As you see below, $first_referer_domain$ will receive the users input:
<searchString>sourcetype=access_* | transaction clientip maxpause=15m keepevicted=t mvlist=t | table referer_domain, uri_path | eval first_uri_path = mvindex(uri_path, 0) |eval first_referer_domain = mvindex(referer_domain, 0) | eval Third_Party_Ref=case(first_referer_domain!=$first_referer_domain$,"Third Party Referrals")|eval First_Party_Ref=case(first_referer_domain=$first_referer_domain$, "Self-Referrals")| stats count(first_uri_path) AS "Total Page Entries", count(First_Party_Ref) AS "Self-Referrals", count(Third_Party_Ref) AS "Third Party Referrals" by first_uri_path</searchString>
Snapshot of the interactive magic of Splunk 6.1* via text box:
Finally, select save and voila experience the magic.
Happy Splunking my fellow Splunktonians!