版权归作者所有,转载请注明出处
Splunk基于交互式过滤的dashboard制作
关键步骤
新建Dashboard或使用已有Dashboard,为了省事,假设已有Dashboard和若干Panel
在Dashboard XML中新建全局过滤条件,以base-search为例,并写入全局过滤SPL语句
在Dashboard中新建时间组件,并在XML中把时间代码放至base_search中
删除除时间组件外的其它其它组件时间代码,因为时间设置已由base_search接管
删除panel中的时间代码,因为时间设置已由base_search接管
在每个panel中把<search>替换成<search base="base_search">
全局SPLbase_search中添加搜索变量
完成
实战
准备定义好的全局SPL语句,如base-search
index="callcenter" "*page*detail" OR "*phone edit*"
| rename message{} as message
| eval temp=split(mvindex(split(message,"->"),2),",")
| eval action=trim(mvindex(temp,0))
| eval action_target=mvindex(split(mvindex(temp,1),":"),1)
| eval user=mvindex(split(mvindex(temp,2),":"),1)
2. Dashboard页面,点击编辑-->点击数据来源进入xml编辑模式,添加base-search,该名字可任意修改,对应即可
<search id="base_search">
<query>index="callcenter" "*page*detail" OR "*phone edit*" | rename message{} as message|eval temp=split(mvindex(split(message,"->"),2),",")| eval action=mvindex(temp,0)| eval action_target=mvindex(split(mvindex(temp,1),":"),1)| eval user=mvindex(split(mvindex(temp,2),":"),1)</query></search>
从上面可知,只是在SPL语句上增加了search和query两个标签
添加XML的位置参考为:
<form>
<label>敏感信息监控-搜索版</label>
<search id="base_search">
<query>index="callcenter" "*page*detail" OR "*phone edit*" | rename message{} as message|evaltemp=split(mvindex(split(message,"->"),2),",")| eval action=mvindex(temp,0)| evalaction_target=mvindex(split(mvindex(temp,1),":"),1)| eval user=mvindex(split(mvindex(temp,2),":"),1)</query></search>
<fieldset submitButton="false">
<input type="dropdown" token="field1">
<label>field1</label>
</input>
</fieldset>
3. 新建时间组件,XML中的代码为:
<input type="time" token="time">
<label>筛选时间</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
抽取时间代码放到base_search中
<earliest>-60m@m</earliest>
<latest>now</latest>
<search id="base_search">
<query>index="callcenter" "*page*detail" OR "*phone edit*" | rename message{} as message | eval temp=split(mvindex(split(message,"->"),2),",")| eval action=mvindex(temp,0)| eval action_target = mvindex(split(mvindex(temp,1),":"),1)| eval user=mvindex(split(mvindex(temp,2),":"),1)</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
到此,时间筛选已由base_search接管
4. 根据需要新建下拉框,可新建一个变更后复制粘贴成多个,也可以在Dashoboard上陆续创建多个
下拉框的时间参数删除前代码如下:
<input type="dropdown" token="user">
<label>筛选用户</label>
<fieldForLabel>user</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>| stats count by user</query>
<earliest>-4h@m</earliest>
<latest>now</latest>
</search>
</input>
需要删除以上代码中的时间代码,如下:
<earliest>-4h@m</earliest>
<latest>now</latest>
5. 同样的方法删除所有panel中的时间代码
6. 配置panel的search标签
变更前为<search>
变更后为<search base="base_base">
定义了全局SPL后,panel语句无须全语句,只需要填写最后的语句即可
一般的panel SPL
index="callcenter" "*page*detail" OR "*phone edit*"
| replace *"transporter detail"* with "transporter detail",*"supplier detail"* with "supplier detail",*"order detail"* with "order detail",*"transporter phone edit"* with "transporter phone edit",*"supplier phone edit"* with "supplier phone edit"
| rename message{} as detail_edit
| timechart count by detail_edit
全局式的SPL
| timechart count by detail_edit
大为精简
7. 配置搜索变量
把准备好的变量添加到全局SPL base_search代码中,如下:
变量
| search user=$user$ action=$action$ action_target=$action_target$
全局SPL
<search id="base_search">
<query>index="callcenter" "*page*detail" OR "*phone edit*" | rename message{} as message|eval temp=split(mvindex(split(message,"->"),2),",")| eval action=trim(mvindex(temp,0))| eval action_target=mvindex(split(mvindex(temp,1),":"),1)| eval user=mvindex(split(mvindex(temp,2),":"),1)| search user=$user$ action="$action$" action_target=$action_target$</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
效果展示
面板属性查看
可见,可编辑项少了
