How to clone the Search app's dashboard in Splunk
After a few weeks spent persuading my boss to buy Splunk, I started putting it into production. My first goal was to clone the Search application's dashboard on top of a dedicated index. I have a few Splunk forwarders reading Tomcat logs and sending them to my Splunk instance, and all of these logs land in a dedicated index named rtlnet. Our web developers want to use Splunk to look at the production logs. Creating the rtlnet index was easy, and I wanted to clone the Search dashboard to give them an overview of the logs by application or by host. Adding index=rtlnet to the metadata search was equally easy, but I could not find how to add the index to the search that is run when you click on a result (a sourcetype, for example).
Here is the original code that produces one of the three panels:
<module name="SearchLinkLister">
  <param name="settingToCreate">list1</param>
  <param name="search">| metadata type=sources</param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">source</param>
      <param name="value">source</param>
    </list>
    <list>
      <param name="label">totalCount</param>
      <param name="labelFormat">number</param>
    </list>
  </param>
  <module name="ConvertToIntention">
    <param name="settingToConvert">list1</param>
    <param name="intention">
      <param name="name">addterm</param>
      <param name="arg">
        <param name="source">$target$</param>
      </param>
    </param>
    <module name="ViewRedirector">
      <param name="viewTarget">flashtimeline</param>
      <param name="uriParam.auto_pause">true</param>
    </module>
  </module>
</module>
As I said, adding index=rtlnet to the metadata search is trivial. However, when a user clicked on a result (in this case a source), the computed search was only source=$target$, so it returned nothing: without an index term the search only looks in the default index, which does not contain these events. After spending a few hours trying to work out how to add the index to the existing intention, I finally understood that I had to nest it inside a new HiddenIntention module. Here is the new module definition:
<module name="SearchLinkLister">
  <param name="settingToCreate">list1</param>
  <param name="search">| metadata type=sources index=rtlnet</param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">source</param>
      <param name="value">source</param>
    </list>
    <list>
      <param name="label">totalCount</param>
      <param name="labelFormat">number</param>
    </list>
  </param>
  <module name="HiddenIntention">
    <param name="intention">
      <param name="name">addterm</param>
      <param name="arg">
        <param name="index">rtlnet</param>
      </param>
    </param>
    <module name="ConvertToIntention">
      <param name="settingToConvert">list1</param>
      <param name="intention">
        <param name="name">addterm</param>
        <param name="arg">
          <param name="source">$target$</param>
        </param>
      </param>
      <module name="ViewRedirector">
        <param name="viewTarget">flashtimeline</param>
        <param name="uriParam.auto_pause">true</param>
      </module>
    </module>
  </module>
</module>
As you can see, I wrapped the existing ConvertToIntention module in a new HiddenIntention: the HiddenIntention contributes index=rtlnet to the search context, the ConvertToIntention adds source=$target$ to it, and the ViewRedirector runs the combined search in flashtimeline. Keep in mind that this only scopes the searches the dashboard links to. Once redirected, a user can edit the search freely, so if the web developers are only supposed to see the rtlnet index, that has to be enforced by the indexes allowed on their Splunk role, not by the dashboard. Cheers!
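The post applies the fix to one panel by hand; the same transformation applies to every SearchLinkLister panel of the cloned view (sources, sourcetypes, hosts). The script below is an added example, not code from the post or from Splunk: it loads the view XML, appends index=rtlnet to each panel's metadata search, wraps each ConvertToIntention in a HiddenIntention carrying addterm index=rtlnet, and then walks from every ViewRedirector back up the module tree to list the addterm terms that will make up the redirect search. The sample view, the rtlnet index name and all helper names are my own; the "terms accumulate along the path to the redirector" check is a simplified model of how Splunk composes intentions, sufficient to confirm that the index term is present.

```python
"""Added example (not from the original post): scope every SearchLinkLister
panel of a cloned Splunk advanced-XML view to a dedicated index.

Assumptions (mine, not the post's): the view XML is available as a string,
the dedicated index is called rtlnet, and the panels differ only in their
'| metadata type=...' search. redirect_terms() is a simplified model of how
addterm intentions accumulate down the module tree.
"""
import xml.etree.ElementTree as ET

INDEX = "rtlnet"  # assumption: the dedicated index from the post

# Constructed sample: two panels of the Search view, trimmed to the essentials.
SAMPLE_VIEW = """<view>
  <module name="SearchLinkLister">
    <param name="settingToCreate">list1</param>
    <param name="search">| metadata type=sources</param>
    <module name="ConvertToIntention">
      <param name="settingToConvert">list1</param>
      <param name="intention">
        <param name="name">addterm</param>
        <param name="arg"><param name="source">$target$</param></param>
      </param>
      <module name="ViewRedirector">
        <param name="viewTarget">flashtimeline</param>
      </module>
    </module>
  </module>
  <module name="SearchLinkLister">
    <param name="settingToCreate">list2</param>
    <param name="search">| metadata type=hosts</param>
    <module name="ConvertToIntention">
      <param name="settingToConvert">list2</param>
      <param name="intention">
        <param name="name">addterm</param>
        <param name="arg"><param name="host">$target$</param></param>
      </param>
      <module name="ViewRedirector">
        <param name="viewTarget">flashtimeline</param>
      </module>
    </module>
  </module>
</view>"""


def param(parent, name):
    """First direct <param name=...> child of parent, or None."""
    for p in parent.findall("param"):
        if p.get("name") == name:
            return p
    return None


def scope_metadata_search(search, index):
    """Append index=<index> to a '| metadata ...' search, idempotently."""
    term = f"index={index}"
    if term in search.split():
        return search
    return f"{search.strip()} {term}"


def hidden_intention(index):
    """Build <module name="HiddenIntention"> carrying addterm index=<index>."""
    mod = ET.Element("module", name="HiddenIntention")
    intention = ET.SubElement(mod, "param", name="intention")
    ET.SubElement(intention, "param", name="name").text = "addterm"
    arg = ET.SubElement(intention, "param", name="arg")
    ET.SubElement(arg, "param", name="index").text = index
    return mod


def addterm_args(module):
    """Key/value pairs of this module's addterm intention, {} if none."""
    intention = param(module, "intention")
    name = param(intention, "name") if intention is not None else None
    if name is None or name.text != "addterm":
        return {}
    arg = param(intention, "arg")
    if arg is None:
        return {}
    return {p.get("name"): (p.text or "") for p in arg.findall("param")}


def scope_view_to_index(view_xml, index):
    """Patch each SearchLinkLister: add the index to its metadata search and
    wrap every direct ConvertToIntention child in a HiddenIntention.
    Returns (patched_xml, number_of_panels_wrapped)."""
    root = ET.fromstring(view_xml)
    listers = [m for m in root.iter("module") if m.get("name") == "SearchLinkLister"]
    wrapped = 0
    for lister in listers:  # collected first: we mutate the tree below
        search = param(lister, "search")
        if search is not None:
            search.text = scope_metadata_search(search.text or "", index)
        for child in list(lister):
            if child.tag != "module" or child.get("name") != "ConvertToIntention":
                continue
            pos = list(lister).index(child)
            lister.remove(child)
            wrapper = hidden_intention(index)
            wrapper.append(child)  # HiddenIntention > ConvertToIntention > ViewRedirector
            lister.insert(pos, wrapper)
            wrapped += 1
    return ET.tostring(root, encoding="unicode"), wrapped


def redirect_terms(view_xml):
    """For each ViewRedirector, the terms contributed by addterm intentions of
    its enclosing modules, outermost applied first (simplified model)."""
    root = ET.fromstring(view_xml)
    parent = {child: p for p in root.iter() for child in p}
    out = []
    for node in root.iter("module"):
        if node.get("name") != "ViewRedirector":
            continue
        chain, cur = [], parent.get(node)
        while cur is not None:
            if cur.tag == "module":
                chain.append(cur)
            cur = parent.get(cur)
        terms = {}
        for module in reversed(chain):
            terms.update(addterm_args(module))
        out.append(terms)
    return out


if __name__ == "__main__":
    before = redirect_terms(SAMPLE_VIEW)
    patched, n = scope_view_to_index(SAMPLE_VIEW, INDEX)
    after = redirect_terms(patched)
    print(f"wrapped {n} panel(s)")
    for b, a in zip(before, after):
        print(b, "->", a)
```

Because only direct ConvertToIntention children of a SearchLinkLister are wrapped, running the script over a view that was already fixed by hand (where the ConvertToIntention sits under a HiddenIntention) leaves that panel alone, and scope_metadata_search() will not append a second index term.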