- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Dashboard - Add prefix to all searches in panels
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I was wondering if it's possible to automatically insert a prefix to the searches in a dashboard or form? I'd like to duplicate an existing "global" dashboard but insert a prefix like sourcetype="syslog" AND host="REGIONCODE*" before each search that's carried out in the view. This would be for a regional team who only need to see hosts with a a certain name prefix.
I've scoured the docs and there are hints of this being possible, however I'm using simplified XML forms (with timepickers) for my views at the moment.
If anyone has any working examples or pointers, I'd really appreciate it! 🙂
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way to do this would be to create a role for that particular team. Go to Manager » Access controls » Roles
When you create the role, add
sourcetype="syslog" AND host="REGIONCODE*"
to the Restrict search terms field.
This will prefix the sourcetype and host to all searches run by people who are assigned this role. So it will apply to all dashboards, etc. I think this is a better solution, as it means that you don't have two copies of the same dashboard.
But if you want to look at other solutions, you might consider downloading the app Splunk UI Examples for 4.1+ and seeing how they do post-processing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way to do this would be to create a role for that particular team. Go to Manager » Access controls » Roles
When you create the role, add
sourcetype="syslog" AND host="REGIONCODE*"
to the Restrict search terms field.
This will prefix the sourcetype and host to all searches run by people who are assigned this role. So it will apply to all dashboards, etc. I think this is a better solution, as it means that you don't have two copies of the same dashboard.
But if you want to look at other solutions, you might consider downloading the app Splunk UI Examples for 4.1+ and seeing how they do post-processing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Brilliant, that's just what I was looking for, thanks very much!
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
