This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6
<view onunloadCancelJobs="False" autoCancelInterval="100">
<!-- autoCancelInterval is set here to 100 -->
<label>Advanced Form Search - 1</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="HiddenSearch" layoutPanel="mainSearchControls" autoRun="True">
<param name="search">index=_internal metrics</param>
<module name="StaticSelect">
<param name="settingToCreate">group</param>
<param name="label">field:</param>
<param name="staticFieldsToDisplay">
<list>
<param name="label">Index</param>
<param name="value">per_index_thruput</param>
</list>
<list>
<param name="label">Source</param>
<param name="value">per_source_thruput</param>
</list>
<list>
<param name="label">Sourcetype</param>
<param name="value">per_sourcetype_thruput</param>
</list>
<list>
<param name="label">Host</param>
<param name="value">per_host_thruput</param>
</list>
</param>
<!-- just for this module we need to render him into 'mainSearchControls' or else he'll take up an odd space in 'splSearchControls-inline' -->
<module name="ConvertToIntention">
<param name="settingToConvert">group</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="group">$target$</param>
</param>
</param>
<!-- and then in the very next module we return to putting modules into 'splSearchControls-inline' -->
<module name="SearchSelectLister">
<param name="settingToCreate">series_setting</param>
<param name="label">value:</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="search">index=_internal source="*metrics.log" metrics group series | head 5000 | top limit=200 series | sort series</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">series</param>
<param name="value">series</param>
</list>
</param>
<module name="TimeRangePicker">
<!--
<param name="label">time range:</param>
-->
<param name="selected">Last 4 hours</param>
<param name="searchWhenChanged">True</param>
<module name="SubmitButton">
<param name="allowSoftSubmit">False</param>
<param name="label">Search</param>
<module name="ConvertToIntention">
<param name="settingToConvert">series_setting</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="series">$target$</param>
</param>
</param>
<module name="Message" layoutPanel="graphArea">
<param name="filter">splunk.search.job</param>
<param name="clearOnJobDispatch">True</param>
<param name="maxSize">2</param>
<module name="StaticContentSample" layoutPanel="resultsAreaLeft">
<param name="text">Now we use a HiddenSearch module to reset the base search string to be a timechart of sum(kb). However because HiddenSearch is downstream of the SubmitButton module, it will still pick up all the stuff the user picked above. We also use a HiddenChartFormatter here to give us a column chart, suppress the legend and specify the correct axis titles.</param>
</module>
<module name="HiddenSearch" layoutPanel="resultsAreaLeft">
<param name="search">index=_internal metrics NOT source="*web_service.log" NOT source="*access.log" NOT source="*/searches.log" NOT source="*intentions.log" NOT source="*splunkd.log" | timechart sum(kb)</param>
<module name="HiddenChartFormatter">
<param name="chart">column</param>
<param name="primaryAxisTitle.text">(Selected Series)</param>
<param name="secondaryAxisTitle.text">KB Indexed</param>
<param name="legend.placement">none</param>
<module name="JobProgressIndicator"/>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">200px</param>
</module>
</module>
</module>
<module name="StaticContentSample" layoutPanel="resultsAreaLeft">
<param name="text">Here we do the same thing, also living directly underneath the SubmitButton module, but instead we reset everything to show the max(eps), min(eps) and avg(eps) over time.</param>
</module>
<module name="HiddenSearch" layoutPanel="resultsAreaLeft">
<param name="search">index=_internal metrics NOT source="*web_service.log" NOT source="*access.log" NOT source="*/searches.log" NOT source="*intentions.log" NOT source="*splunkd.log" | timechart min(eps) avg(eps) max(eps)</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="primaryAxisTitle.text">(Selected Series)</param>
<param name="secondaryAxisTitle.text">event throughput</param>
<param name="legend.placement">bottom</param>
<module name="JobProgressIndicator"/>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">200px</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>
<view template="dashboard.html">
<label>Advanced Form Search - 2</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="SearchSelectLister" layoutPanel="panel_row1_col1" group="Chose group and series to view sum(kb), avg(kbps), median(eps), max(eps) and min(eps)">
<param name="settingToCreate">group_setting</param>
<param name="search">index=_internal source=*metrics.log Component=metrics group group="*" series="*" | stats count by group</param>
<param name="earliest">-6h</param>
<param name="label">Groups</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">group</param>
<param name="value">group</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">group_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="group">
<param name="value">$target$</param>
</param>
</param>
</param>
<!-- Series selector -->
<module name="SearchSelectLister">
<param name="settingToCreate">series_setting</param>
<param name="search">index=_internal source=*metrics.log Component=metrics group=$group$ | stats count by series</param>
<param name="earliest">-6h</param>
<param name="label">Series based on selected group</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">series</param>
<param name="value">series</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">series_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="series">
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="SubmitButton">
<param name="label">Search</param>
<!-- Chart for: index=_internal metrics NOT sendout group=<group> series=<series> | timechart sum(kb) -->
<module name="HiddenSearch">
<param name="search">index=_internal source=*metrics.log Component=metrics group=$group$ series=$series$ | timechart sum(kb)</param>
<param name="earliest">-6h</param>
<module name="HiddenChartFormatter">
<param name="chart">column</param>
<param name="chart.stackMode">stacked</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">sum(kb)</param>
<param name="legend.placement">None</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">200px</param>
</module>
</module>
</module>
<!-- Chart for: index=_internal metrics NOT sendout group=<group> series=<series> | timechart sum(kb) -->
<module name="HiddenSearch">
<param name="search">index=_internal source=*metrics.log Component=metrics group=$group$ series=$series$ | timechart avg(kbps)</param>
<param name="earliest">-6h</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="chart.stackMode">stacked</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">avg(kbps)</param>
<param name="legend.placement">None</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">200px</param>
</module>
</module>
</module>
<!-- Chart for: index=_internal metrics NOT sendout group=<group> series=<series> | timechart sum(kb) -->
<module name="HiddenSearch">
<param name="search">index=_internal source=*metrics.log Component=metrics group=$group$ series=$series$ | timechart median(eps) max(eps) min(eps)</param>
<param name="earliest">-6h</param>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="chart.stackMode">stacked</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">median(eps) max(eps) min(eps)</param>
<param name="legend.placement">None</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">200px</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="SearchSelectLister" layoutPanel="panel_row1_col2" group="Search for cpu intensive processors in the last 24 hours.">
<param name="settingToCreate">name_setting</param>
<param name="search">index=_internal source=*metrics.log Component=metrics group=pipeline | stats sum(cpu_seconds) as totalCPU by name | where totalCPU > 0 | sort -totalCPU</param>
<param name="earliest">-1d</param>
<param name="label">Name</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">name</param>
<param name="value">name</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">name_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="name">
<param name="value">$target$</param>
</param>
</param>
</param>
<!-- Add the processor -->
<module name="SearchSelectLister">
<param name="settingToCreate">processor_setting</param>
<param name="search">index=_internal source=*metrics.log Component=metrics group=pipeline name=$name$ | stats sum(cpu_seconds) as totalCPU by processor | where totalCPU > 0 | sort -totalCPU</param>
<param name="earliest">-1d</param>
<param name="label">Processor</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">processor</param>
<param name="value">processor</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">processor_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="processor">
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="SubmitButton">
<param name="label">Search</param>
<!-- Chart for: showing the sum cpu_seconds for a given name and processor -->
<module name="HiddenSearch">
<param name="search">index=_internal source=*metrics.log Component=metrics group=pipeline name=$name$ processor=$processor$ | timechart sum(cpu_seconds) </param>
<param name="earliest">-1d</param>
<module name="HiddenChartFormatter">
<param name="chart">column</param>
<param name="chart.stackMode">stacked</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="secondaryAxisTitle.text">sum(kb)</param>
<param name="legend.placement">None</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">200px</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</view>