Another Update to Keyword App

It’s been three years since I first released the relatively simple Keyword app on Splunkbase and wrote an initial blog entry describing it, followed by an updated entry. In summary, the Keyword app is a series of form search dashboards designed for Splunk 6.x and later that allow a relatively new user to type in keywords (e.g., error, success, fail*) and get quick analytical results such as baselines, predictions, outliers, etc. Splunk administrators can give this app to their users as is, use the app as a template to write their own keyword dashboards, or take the searches in the app to create new views.

For this update, I’ve used fellow Splunker Hutch’s icons to update the display. I also removed the quotes around the token in the search so that users can now type things like

index=_internal err*

or anything else that can be used before the pipe symbol in a search. Finally, I added a new dashboard using the abstract command. The abstract command in Splunk produces a summary of multi-line events using a scoring mechanism, which saves you from having to view the whole event. This is useful for things like stack traces, where you can read the summary instead of the whole stack trace as an event. Rather than continue to describe it, I’ll end with a screenshot of the form search dashboard.

Abstract Form Search
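For readers who want to build a similar view, here is a minimal Simple XML form that feeds an unquoted token into a search ending in the abstract command. It is an added example, not the Keyword app's own dashboard source; the token name `keyword`, the labels, the time range and the `maxlines` value are assumptions chosen for illustration.

```xml
<form>
  <label>Abstract Form Search (example)</label>
  <fieldset submitButton="true">
    <!-- Free-text input; whatever the user types becomes the value of $keyword$ -->
    <input type="text" token="keyword">
      <label>Keywords</label>
      <default>index=_internal err*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <!-- Unquoted token: the input is substituted verbatim, so index=...,
               field=value pairs and wildcards all work as in the search bar.
               Verbatim also means any pipe the user types is kept as typed;
               the search still runs under that user's own role and index
               permissions.
               To force the input to be treated as a single quoted string,
               use the token filter $keyword|s$ instead of $keyword$. -->
          <query>$keyword$ | abstract maxlines=5</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
      </event>
    </panel>
  </row>
</form>
```

With the `|s` filter, an input such as `index=_internal err*` would be searched as one quoted phrase rather than as an index filter plus a wildcard term, which is the trade-off behind removing the quotes.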

Posted by Nimish Doshi

Nimish is Director, Technical Advisory for Industry Solutions providing strategic, prescriptive, and technical perspectives to Splunk's largest customers, particularly in the Financial Services Industry. He has been an active author of Splunk blog entries and Splunkbase apps for a number of years.