如何将输入参数数据发送到Splunk中的仪表板上的报告
我正在使用Splunk创建仪表板。我向仪表板添加了一个报告,该报告将搜索中的所有数据返回到表中。我想添加一些输入字段,以便用户选择过滤报表的数据。第一个输入是文本框字段。默认值和初始值用*设置。我希望什么都重要。 这是从仪表板创建的xml:
<form>
<label>Thru Train Dashboard</label>
<fieldset submitButton="false" autoRun="true">
<input type="text" token="purchCostReferenceToken" searchWhenChanged="true">
<label>TMS Reference Number</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>Thru Train XML DATA</title>
<table>
<search ref="ThruTrainReportNestedResults"></search>
<option name="drilldown">row</option>
<option name="rowNumbers">true</option>
</table>
</panel>
</row>
</form>
我知道我必须使用令牌值 purchCostReferenceToken 作为报告 ThruTrainReportNestedResults 的输入。但由于报告搜索没有输入参数,因此不知道该怎么做。
这是创建报告 ThruTrainReportNestedResults
的搜索查询。 sourcetype... | xmlkv | rex max_match=0 "\<purchasedCostTripSegment\>(?P<segment>[^\<]+)" |eval Segments = mvrange(1,mvcount(mvindex(segment, 0, 2))+1,1) | rex max_match=0 "\<carrier\>(?P<Carriers>[^\<]+)" | rex max_match=0 "\<billingMethod\>(?P<BillingMethod>[^\<]+)" | rex max_match=0 "<purchasedCostTripSegment>[\s\S]*?<origin>\s*<ns2:numberCode>(?P<Origin>\d+)" | rex max_match=0 "<purchasedCostTripSegment>[\s\S]*?<destination>\s*<ns2:numberCode>(?P<Destination>\d+)" | rex max_match=0 "<purchasedCostTripSegment>[\s\S]*?<stopOff>\s*<ns2:stopOffLocation>\s*<ns2:numberCode>(?P<StopOffLocation>\d+)" | eval Time =_time | convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time) | table purchCostReference, eventType, Time, Segments, Carriers, BillingMethod, Origin, Destination, StopOffLocation | sort Time
是否有一种方法可以使用输入数据从仪表板中过滤此查询的结果?我要过滤的输入数据是purchCostReference,eventType和Segments
更新 我删除了对该报告的引用,并添加了创建该报告的搜索字符串,但遇到错误标记名称中的无效字符。搜索字符串很长...
<row>
<panel>
<title>Thru Train XML DATA</title>
<table>
<search base="baseSearch">
<query>
index... sourcetype="..." "<billingMethod>RULE</billingMethod>" "createMessage MsgSource" | xmlkv | rex max_match=0 "\<purchasedCostTripSegment\>(?P<segment>[^\<]+)" |eval Segments = mvrange(1,mvcount(mvindex(segment, 0, 2))+1,1) | rex max_match=0 "\<carrier\>(?P<Carriers>[^\<]+)" | rex max_match=0 "\<billingMethod\>(?P<BillingMethod>[^\<]+)" | rex max_match=0 "<purchasedCostTripSegment>[\s\S]*?<origin>\s*<ns2:numberCode>(?P<Origin>\d+)" | rex max_match=0 "<purchasedCostTripSegment>[\s\S]*?<destination>\s*<ns2:numberCode>(?P<Destination>\d+)" | rex max_match=0 "<purchasedCostTripSegment>[\s\S]*?<stopOff>\s*<ns2:stopOffLocation>\s*<ns2:numberCode>(?P<StopOffLocation>\d+)" | eval Time =_time | convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time) | table purchCostReference, eventType, Time, Segments, Carriers, BillingMethod, Origin, Destination, StopOffLocation | sort Time
</query>
</search>
<option name="drilldown">row</option>
<option name="rowNumbers">true</option>
</table>
</panel>
</row>
更新我对搜索查询进行了编码,并按照前面的注释中的说明,在标记之间添加了带有标记元素的查询。我没有收到错误,但也没有任何结果。只是一张空桌子...
<query> ...sourcetype%....%22%20%22%3CbillingMethod%3ERULE%3C%2FbillingMethod%3E%22%20%22createMessage%20MsgSource%22%20%7C%20xmlkv%20%7C%20rex%20max_match%3D0%20%22%5C%3CpurchasedCostTripSegment%5C%3E%28%3FP%3Csegment%3E%5B%5E%5C%3C%5D%2B%29%22%20%7Ceval%20Segments%20%3D%20%20mvrange%281%2Cmvcount%28mvindex%28segment%2C%200%2C%202%29%29%2B1%2C1%29%20%7C%20rex%20max_match%3D0%20%22%5C%3Ccarrier%5C%3E%28%3FP%3CCarriers%3E%5B%5E%5C%3C%5D%2B%29%22%20%7C%20rex%20max_match%3D0%20%22%5C%3CbillingMethod%5C%3E%28%3FP%3CBillingMethod%3E%5B%5E%5C%3C%5D%2B%29%22%20%7C%20rex%20max_match%3D0%20%22%3CpurchasedCostTripSegment%3E%5B%5Cs%5CS%5D%2A%3F%3Corigin%3E%5Cs%2A%3Cns2%3AnumberCode%3E%28%3FP%3COrigin%3E%5Cd%2B%29%22%20%20%7C%20rex%20max_match%3D0%20%22%3CpurchasedCostTripSegment%3E%5B%5Cs%5CS%5D%2A%3F%3Cdestination%3E%5Cs%2A%3Cns2%3AnumberCode%3E%28%3FP%3CDestination%3E%5Cd%2B%29%22%20%7C%20rex%20max_match%3D0%20%22%3CpurchasedCostTripSegment%3E%5B%5Cs%5CS%5D%2A%3F%3CstopOff%3E%5Cs%2A%3Cns2%3AstopOffLocation%3E%5Cs%2A%3Cns2%3AnumberCode%3E%28%3FP%3CStopOffLocation%3E%5Cd%2B%29%22%20%7C%20eval%20Time%20%3D_time%20%7C%20convert%20timeformat%3D%22%25m-%25d-%25Y%20%25H%3A%25M%3A%25S%22%20ctime%28Time%29%20%7C%20table%20purchCostReference%2C%20eventType%2C%20Time%2C%20Segments%2C%20Carriers%2C%20BillingMethod%2C%20Origin%2C%20Destination%2C%20StopOffLocation%20%7C%20sort%20Time purchCostReference=$purchCostReferenceToken$
</query>
这是结果的屏幕截图:
更新 我消除了搜索的复杂性,因此它仅具有与报表相同的索引,源和源类型,并具有一个文本字段来限制搜索。下面是查询字符串:
<query>index="indexname same as report" source="source name same as report" sourcetype="source type name same as report" "createMessage MsgSource"</query>
它返回一个空白的仪表板,没有错误,如上图所示。
更新 我使用报表查询重新创建了仪表板,并让搜索返回了所有表结果。我有一个参考数字输入作为文本框。令牌名称为: purchCostReferenceToken
我想基于此令牌限制表结果。这是查询:
<form>
<label>Thru Train Dashboard</label>
<fieldset submitButton="false" autoRun="true">
<input type="text" token="purchCostReferenceToken" searchWhenChanged="true">
<label>Enter a TMS Reference Number to Filter Table</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>Thru Train Data</title>
<table>
<search>
<query>index=... "<billingMethod>RULE</billingMethod>" "createMessage MsgSource" | xmlkv | rex max_match=0 "\<purchasedCostTripSegment\>(?P<segment>[^\<]+)" |eval Segments = mvrange(1,mvcount(mvindex(segment, 0, 2))+1,1) | rex max_match=0 "\<carrier\>(?P<Carriers>[^\<]+)" | rex max_match=0 "\<billingMethod\>(?P<BillingMethod>[^\<]+)" | rex max_match=0 "<purchasedCostTripSegment>[\s\S]*?<origin>\s*<ns2:numberCode>(?P<Origin>\d+)" | rex max_match=0 "<purchasedCostTripSegment>[\s\S]*?<destination>\s*<ns2:numberCode>(?P<Destination>\d+)" | rex max_match=0 "<purchasedCostTripSegment>[\s\S]*?<stopOff>\s*<ns2:stopOffLocation>\s*<ns2:numberCode>(?P<StopOffLocation>\d+)" | eval Time =_time | convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time) | table purchCostReference, eventType, Time, Segments, Carriers, BillingMethod, Origin, Destination, StopOffLocation | sort Time</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
我在哪里添加令牌以限制搜索? 我尝试将其添加到查询的末尾,并返回了所有结果:
purchCostReference=$purchCostReferenceToken$
1 个答案:
答案 0 :(得分:0)
您无法将参数发送到报告。 https://docs.splunk.com/Documentation/Splunk/8.0.4/Viz/PanelreferenceforSimplifiedXML#search
您将需要使用内联搜索,如下所示。您需要包括搜索并使用令牌$purchaseCoseReferenceToken
<form>
<label>Thru Train Dashboard</label>
<fieldset submitButton="false" autoRun="true">
<input type="text" token="purchCostReferenceToken" searchWhenChanged="true">
<label>TMS Reference Number</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>Thru Train XML DATA</title>
<table>
<search>
<query>
sourcetype=blah somefield="$purchCostReferenceToken$"
</query>
</search>
<option name="drilldown">row</option>
<option name="rowNumbers">true</option>
</table>
</panel>
</row>
</form>
相关问题
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?