Skip to content

Commit 2ab1db0

Browse files
mike-mcgrailmike-mcgrail
authored
Create dataset_by_example.xml
1 parent a874d40 commit 2ab1db0

File tree

1 file changed

+263
-0
lines changed

1 file changed

+263
-0
lines changed

output/dataset_by_example.xml

Lines changed: 263 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,263 @@
1+
<form version="1.1">
2+
<label>DataSet by Example</label>
3+
<init>
4+
<set token="myMaxCount">maxcount=10</set>
5+
<set token="baseQuery"></set>
6+
<set token="basePowerQuery">| group count=count() by tag" | spath | table tag count</set>
7+
<set token="baseFacetQuery">| spath | rename value as tag | table tag count</set>
8+
<set token="baseTimeseriesQuery">| spath | timechart values(rate) as rate</set>
9+
<set token="splunkAggregate">| spath | stats count by attributes.status</set>
10+
</init>
11+
<fieldset submitButton="false">
12+
<input type="checkbox" token="hideAPItest">
13+
<label></label>
14+
<choice value="1">Show Connection Test Results</choice>
15+
<initialValue>1</initialValue>
16+
<change>
17+
<condition value="1">
18+
<eval token="my_boolean">"1"</eval>
19+
</condition>
20+
<condition>
21+
<eval token="my_boolean"></eval>
22+
</condition>
23+
</change>
24+
<delimiter> </delimiter>
25+
</input>
26+
</fieldset>
27+
<row>
28+
<panel>
29+
<title>Searching Your Data in DataSet</title>
30+
<html>
31+
<b>This dashboard will help get you started on your journey. The first thing you'll want to do after configuring your DataSet Read API Key is to run a simple test to make sure you can access Dataset.</b>
32+
</html>
33+
</panel>
34+
</row>
35+
<row depends="$hideAPItest$">
36+
<panel>
37+
<title>API Connection Test</title>
38+
<table>
39+
<title>SPL: | dataset maxcount=5</title>
40+
<search>
41+
<query>| dataset maxcount=6
42+
| spath</query>
43+
<earliest>$myTime.earliest$</earliest>
44+
<latest>$myTime.latest$</latest>
45+
</search>
46+
<option name="count">3</option>
47+
<option name="drilldown">none</option>
48+
<option name="refresh.display">progressbar</option>
49+
</table>
50+
</panel>
51+
</row>
52+
<row depends="$hideAPItest$">
53+
<panel>
54+
<html>
55+
If you see data, your API Keys are working!
56+
</html>
57+
</panel>
58+
</row>
59+
<row>
60+
<panel>
61+
<html>
62+
<h3>Now let's talk about executing queries against DataSet.</h3>
63+
The first thing you need to know is that this Add-On provides four methods to query DataSet:
64+
<ol>
65+
<li>
66+
<b>Base Data Query</b> - This will return the raw event data (fast, but very verbose). This type of query returns all evetn data so be mindful of the amount of data pushed across the wire and held in memory.</li>
67+
<li>
68+
<b>PowerQuery</b> - This will aggregrate data by any supported operator (sum, count, average, etc.) and return the summary level statistics (faster).</li>
69+
<li>
70+
<b>Facet Query</b> - This will summarize data by a specific field and return the summary level statistics for the most common values of the field (fastest).</li>
71+
<li>
72+
<b>Timeseries Query</b> - This will calculate numeric values over time. For repeated queries, summaries allow precomputed results (fastest).</li>
73+
</ol>
74+
Depending on your use case, you may have a need for any or all of these.
75+
<h1>Let's get started searching! </h1>
76+
</html>
77+
</panel>
78+
</row>
79+
<row>
80+
<panel>
81+
<title>1. Base Data Query: Get the raw events</title>
82+
<input type="time" token="myTime" searchWhenChanged="true">
83+
<label>Time</label>
84+
<default>
85+
<earliest>-4h@m</earliest>
86+
<latest>now</latest>
87+
</default>
88+
</input>
89+
<input type="dropdown" token="myMaxCount" searchWhenChanged="true">
90+
<label>Max rows of data to return</label>
91+
<choice value="maxcount=10">10</choice>
92+
<choice value="maxcount=50">50</choice>
93+
<choice value="maxcount=1000">1000</choice>
94+
<choice value="maxcount=5000">5000</choice>
95+
<default>maxcount=10</default>
96+
<initialValue>maxcount=10</initialValue>
97+
</input>
98+
<input type="dropdown" token="myServerHost" searchWhenChanged="true">
99+
<label>ServerHosts</label>
100+
<choice value="All">All</choice>
101+
<fieldForLabel>serverHost</fieldForLabel>
102+
<fieldForValue>serverHost</fieldForValue>
103+
<search>
104+
<query>| dataset method=facet field=serverHost search="serverHost=* "
105+
| spath
106+
| rename value as serverHost
107+
| table serverHost count
108+
| sort serverHost</query>
109+
<earliest>$myTime.earliest$</earliest>
110+
<latest>$myTime.latest$</latest>
111+
</search>
112+
<change>
113+
<condition value="All">
114+
<set token="baseQuery">serverHost=*</set>
115+
<set token="myTag">tag</set>
116+
</condition>
117+
<condition>
118+
<set token="baseQuery">serverHost='$value$'</set>
119+
<set token="myTag">tag</set>
120+
</condition>
121+
</change>
122+
<default>All</default>
123+
<initialValue>All</initialValue>
124+
</input>
125+
<input id="baseQuery" type="text" token="baseQuery">
126+
<label>Base DataSet query</label>
127+
<default>$baseQuery$</default>
128+
</input>
129+
<html>
130+
<style>
131+
#baseQuery .splunk-textinput input{ width: 600px; !important; }
132+
#basePowerQuery .splunk-textinput input{ width: 1000px; !important; }
133+
#baseFacetQuery .splunk-textinput input{ width: 1000px; !important; }
134+
#splunkAggregate .splunk-textinput input{ width: 1000px; !important; }
135+
.dashboard-panel h2{
136+
background:#0000ff !important;
137+
color:white !important;
138+
text-align: left !important;
139+
font-weight: bold !important;
140+
border-top-right-radius: 15px;
141+
border-top-left-radius: 15px;
142+
}
143+
</style>
144+
</html>
145+
</panel>
146+
</row>
147+
<row>
148+
<panel>
149+
<table>
150+
<title>SPL: | dataset method=query search="$baseQuery$" $myMaxCount$ | spath</title>
151+
<search>
152+
<query>| dataset method=query search="$baseQuery$" $myMaxCount$
153+
| spath</query>
154+
<earliest>$myTime.earliest$</earliest>
155+
<latest>$myTime.latest$</latest>
156+
<sampleRatio>1</sampleRatio>
157+
</search>
158+
<option name="count">5</option>
159+
<option name="drilldown">none</option>
160+
<option name="refresh.display">progressbar</option>
161+
</table>
162+
</panel>
163+
</row>
164+
<row>
165+
<panel>
166+
<title>Now let's select a field to aggregate statistics on in DataSet. (This is exponentially better performance than returning all data and using SPL to summarize.)</title>
167+
<input type="dropdown" token="myTag" searchWhenChanged="true">
168+
<label>Field to aggregate by</label>
169+
<choice value="tag">tag</choice>
170+
<choice value="status">status</choice>
171+
<choice value="severity">severity</choice>
172+
<choice value="description">description</choice>
173+
<choice value="Application">Application</choice>
174+
<default>tag</default>
175+
<initialValue>tag</initialValue>
176+
<change>
177+
<condition>
178+
<set token="basePowerQuery">| group count=count() by $value$" | spath | table $value$ count</set>
179+
<set token="baseFacetQuery">| spath | rename value as $value$ | table $value$ count</set>
180+
</condition>
181+
</change>
182+
</input>
183+
</panel>
184+
</row>
185+
<row>
186+
<panel>
187+
<title>2. PowerQuery: Aggregate in DataSet and display in Splunk!</title>
188+
<input id="basePowerQuery" type="text" token="basePowerQuery">
189+
<label>Enter a PowerQuery to apply to the base query</label>
190+
<default>$basePowerQuery$</default>
191+
</input>
192+
</panel>
193+
</row>
194+
<row>
195+
<panel>
196+
<chart>
197+
<title>SPL: | dataset method=powerquery search="$baseQuery$ $basePowerQuery$</title>
198+
<search>
199+
<query>| dataset method=powerquery search="$baseQuery$ $basePowerQuery$
200+
</query>
201+
<earliest>$myTime.earliest$</earliest>
202+
<latest>$myTime.latest$</latest>
203+
</search>
204+
<option name="charting.chart">pie</option>
205+
<option name="charting.drilldown">none</option>
206+
<option name="refresh.display">progressbar</option>
207+
</chart>
208+
</panel>
209+
</row>
210+
<row>
211+
<panel>
212+
<title>3. Facet Query: Aggregate in DataSet, Facet by a specific field and display in Splunk!</title>
213+
<input id="baseFacetQuery" type="text" token="baseFacetQuery">
214+
<label>Enter a Facet Query to apply to the base query</label>
215+
<default>$baseFacetQuery$</default>
216+
</input>
217+
</panel>
218+
</row>
219+
<row>
220+
<panel>
221+
<title></title>
222+
<chart>
223+
<title>SPL: | dataset method=facet field=$myTag$ search="$baseQuery$" $baseFacetQuery$</title>
224+
<search>
225+
<query>| dataset method=facet field=$myTag$ search="$baseQuery$" $baseFacetQuery$
226+
</query>
227+
<earliest>$myTime.earliest$</earliest>
228+
<latest>$myTime.latest$</latest>
229+
</search>
230+
<option name="charting.chart">pie</option>
231+
<option name="charting.drilldown">none</option>
232+
<option name="refresh.display">progressbar</option>
233+
</chart>
234+
</panel>
235+
</row>
236+
<row>
237+
<panel>
238+
<title>4. Timeseries Query: This will calculate numeric values over time.</title>
239+
<input id="baseTimeseriesQuery" type="text" token="baseTimeseriesQuery">
240+
<label>Enter a Timeseries Query to apply to the base query</label>
241+
<default>$baseTimeseriesQuery$</default>
242+
</input>
243+
</panel>
244+
</row>
245+
<row>
246+
<panel>
247+
<title></title>
248+
<chart>
249+
<title>SPL: | dataset method=timeseries search="$baseQuery$" function="rate" buckets=24 createsummaries=false onlyusesummaries=false $baseTimeseriesQuery$</title>
250+
<search>
251+
<query>| dataset method=timeseries search="$baseQuery$" function="rate" buckets=24 createsummaries=false onlyusesummaries=false $baseTimeseriesQuery$</query>
252+
<earliest>$myTime.earliest$</earliest>
253+
<latest>$myTime.latest$</latest>
254+
</search>
255+
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
256+
<option name="charting.chart">line</option>
257+
<option name="charting.chart.nullValueMode">gaps</option>
258+
<option name="charting.drilldown">none</option>
259+
<option name="refresh.display">progressbar</option>
260+
</chart>
261+
</panel>
262+
</row>
263+
</form>

0 commit comments

Comments
 (0)