
Simple XML reference
Dashboards and forms
dashboard
Root element of a view. A dashboard contains one or more rows, each of which can display one or more panels.
A dashboard can contain one or more global <search> elements that drive the data displayed in the dashboard. The <panel> elements can contain one or more <search> elements that drive the data in each panel.
If the dashboard contains a global search, there must be a post-process search in a <panel> element to display data from the search.
<dashboard>
  <init> (0..1)
  <label> (0..1)
  <description> (0..1)
  <search> (0..1)
  <row> (1..n)
    <panel> (0..n)
      <search> (0..n)
      <chart> | <event> | <html> | <map> | <single> | <table> (1..n)
        <search> (0..n, for each visualization element)
Attributes
Name | Type | Default | Description |
---|---|---|---|
hideChrome, hideAppBar, hideEdit, hideFilters, hideFooter, hideSplunkBar, hideTitle | Boolean | False | Attributes to remove standard Splunk Web dashboard components from a dashboard. If specified as a URL query string parameter without a value, set to "true". For example, Chrome: Hide Splunk Bar, App Bar, and Footer. App Bar: Lists applications and views. Edit: Drop-down lists and components that enable editing of a dashboard. If enabled, use Settings > User interface > Views or the Dashboards page to edit the dashboard. Filters: Hide form inputs to increase dashboard panel display space. Footer: List of links and a copyright notice at the foot of the dashboard. Splunk Bar: Top bar that provides a link to the home page and access to Settings pages. Title: The text defined in the <label> and <description> elements of the dashboard. |
isDashboard | Boolean | True | For internal use. Indicates if a view is a dashboard or a view implemented with advanced XML that is not a dashboard. |
isVisible | Boolean | True | Indicates if the dashboard is listed in the Dashboards listing in an app and the navigation menus for an app. |
onunloadCancelJobs | Boolean | | Specifies whether to cancel search jobs when a user navigates away from a dashboard. |
refresh | Integer | 0 | Sets the dashboard refresh interval, in seconds. The dashboard reloads after the specified refresh interval. |
script | String | | Comma-separated list of custom js files to load. The files must be in a folder or subfolder of the appserver/static directory: $SPLUNK_HOME/etc/apps/<app_name>/appserver/static/ To reference custom js files from another app, specify the app name when referencing the file. For example, use the following reference: <dashboard script="myApp:myScript.js"> |
stylesheet | text | | Comma-separated list of custom stylesheets to use for the dashboard. The stylesheet files must be in a folder or subfolder of the following directory: $SPLUNK_HOME/etc/apps/<app_name>/appserver/static/ To reference a custom css file from another app, specify the app name when referencing the file. For example, use the following reference: <dashboard stylesheet="myApp:myStyles.css"> |
Example
<dashboard script="myScript.js, myScript2.js" stylesheet="myLocalStyles.css, myApp:myAppStyles.css">
  <label>Data inputs</label>
  <description>Listing of data inputs</description>
  <row>
    <panel>
      <chart>
        <title>Source types last 7 days</title>
        <search ref="Source types last 7 days report" />
      </chart>
    </panel>
  </row>
</dashboard>
form
A dashboard that contains user input elements. The user input elements supply values for one or more search terms that are used in searches in the form.
<form>
  <init> (0..1)
  <label> (0..1)
  <description> (0..1)
  <search> (0..1)
  <fieldset> (1)
    <input> (1..n)
  <row> (1..n)
    <panel> (0..n)
      <search> (0..n)
      <chart> | <event> | <html> | <map> | <single> | <table> (1..n)
        <search> (0..n, for each visualization element)
Attributes
Name | Type | Default | Description |
---|---|---|---|
hideChrome, hideAppBar, hideEdit, hideFilters, hideFooter, hideSplunkBar, hideTitle | Boolean | False | Attributes to remove standard components from a dashboard. Chrome: Hide Splunk Bar, App Bar, and Footer. App Bar: Lists applications and views. Edit: Drop-down lists and related components that enable editing of a dashboard. If enabled, use Settings > User interface > Views or the Dashboards page to edit the dashboard. Filters: Hide form inputs to increase dashboard panel display space. Footer: List of links and a copyright notice at the foot of the dashboard. Splunk Bar: Top bar that provides a link to the home page and access to Settings pages. Title: The text defined in the <label> and <description> elements of the dashboard. |
isDashboard | Boolean | True | For internal use. Indicates if a view is a dashboard or a view implemented with advanced XML that is not a dashboard. |
isVisible | Boolean | True | Indicates if the dashboard is listed in the Dashboards listing for an app and the navigation menus for an app. |
onUnloadCancelJobs | Boolean | | Specifies whether to cancel search jobs when navigating away from a dashboard. |
refresh | Integer | 0 | Sets the refresh interval, in seconds. Dashboard reloads after the specified refresh interval. |
script | String | | Comma-separated list of custom JavaScript files to load. The files must be in the following location. The files cannot be in a subdirectory. To reference the custom JavaScript files from another app, specify the app name when referencing the file as follows: |
stylesheet | Text | | Comma-separated list of custom stylesheets to use for the dashboard. The stylesheet files must be in the following location. The files cannot be in a subdirectory. To reference a custom stylesheet file from another app, specify the app name when referencing the file as follows: |
Example
<form script="myLocalScript.js, myApp:myAppScript.js" stylesheet="myStyles.css, myStyles2.css">
  <label>Form example: source type time chart</label>
  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="sourcetype_tok">
      <label>Select a source type</label>
      <default>splunkd</default>
      <choice value="splunkd">splunkd</choice>
      <choice value="splunk_web_access">splunk_web_access</choice>
      <choice value="splunkd_ui_access">splunkd_ui_access</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>
            index = _internal sourcetype=$sourcetype_tok$
            | timechart count by sourcetype
          </query>
          <earliest>-7d</earliest>
          <latest>-0d</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
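A review aid for the script, stylesheet and token attributes described above, added here as an example (it is not Splunk code): it lists the custom files a view loads, including `app:file` references to other apps, and shows which form input supplies each `$token$` used in a `<query>`. The sample view is constructed from this page's form example plus a text input, and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: this page's form example with an added free-text input.
SAMPLE_VIEW = """
<form script="myLocalScript.js, myApp:myAppScript.js" stylesheet="myStyles.css, myStyles2.css">
  <label>Form example: source type time chart</label>
  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="sourcetype_tok">
      <label>Select a source type</label>
      <default>splunkd</default>
      <choice value="splunkd">splunkd</choice>
      <choice value="splunk_web_access">splunk_web_access</choice>
    </input>
    <input type="text" token="series">
      <label>Enter a series</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>
            index = _internal sourcetype=$sourcetype_tok$ series=$series$
            | timechart count by sourcetype
          </query>
          <earliest>-7d</earliest>
          <latest>-0d</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
"""

# $name$ with an optional |filter suffix. Token filters are a Splunk feature
# that this section does not describe; the filter is only recorded here.
TOKEN_RE = re.compile(r"\$([A-Za-z][\w.]*)(?:\|(\w+))?\$")


def static_refs(root):
    """Return (attribute, app, file) for every script/stylesheet entry.

    app is None for a file in the view's own app, or the app name for an
    'app:file' reference to another app's appserver/static directory.
    """
    refs = []
    for attr in ("script", "stylesheet"):
        for item in (root.get(attr) or "").split(","):
            item = item.strip()
            if not item:
                continue
            app, sep, name = item.partition(":")
            refs.append((attr, app, name) if sep else (attr, None, item))
    return refs


def input_sources(root):
    """Map each input token to how the input widget supplies its value."""
    sources = {}
    for inp in root.iter("input"):
        token = inp.get("token")
        if not token:
            continue
        custom = (inp.findtext("allowCustomValues") or "").strip().lower() == "true"
        typed = inp.get("type") == "text" or custom
        sources[token] = "typed" if typed else "choices"
    return sources


def token_usage(root):
    """List every $token$ substituted into a <query>, with its input source."""
    sources = input_sources(root)
    usage = []
    for query in root.iter("query"):
        text = " ".join((query.text or "").split())
        for match in TOKEN_RE.finditer(text):
            name, token_filter = match.groups()
            usage.append({
                "token": name,
                "filter": token_filter,
                "source": sources.get(name, "not a form input"),
                "query": text,
            })
    return usage


def review_view(xml_text):
    root = ET.fromstring(xml_text)
    return {"static": static_refs(root), "tokens": token_usage(root)}


if __name__ == "__main__":
    report = review_view(SAMPLE_VIEW)
    for attr, app, name in report["static"]:
        print(f"{attr}: {name} (app: {app or 'this app'})")
    for item in report["tokens"]:
        print(f"${item['token']}$ <- {item['source']}, filter={item['filter']}")
```

The "typed" and "choices" labels describe only the input widget defined in the XML.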
panel
A container to display and group one or more panel visualization elements.
Two or more visualization elements in a panel group vertically. The exception is the single visualization element. Two or more single elements group horizontally.
There are two types of panels, inline and reference.
- Inline panel: An inline panel contains one or more visualization elements. You can create and edit an inline panel with the Dashboard Editor and the Panel Editor. You can also edit the panel in simple XML source code.
- Reference panel: A reference panel displays the contents of a prebuilt panel on a dashboard. A reference panel contains a ref attribute and an optional app attribute that provide a reference to the prebuilt panel.
- A reference panel does not recognize child elements of a <panel> element that you specify in the dashboard XML code.
- You cannot use the Panel Editor to edit the contents of a reference panel.
- For more information on prebuilt panels, see Dashboard panels and Create and add a panel by reference.
Attributes
Name | Type | Default | Description |
---|---|---|---|
ref | Text | | (Required) Applies only to reference panels. References the name of a prebuilt panel. This is the name that appears in Settings > User Interface > Panels. |
app | Text | See description. | (Optional) Applies only to reference panels. References the name of the app that contains the reference panel. The app for a reference panel appears in Settings > User Interface > Panels. Default value for |
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this panel in a dashboard. |
id | Text (minimum two characters) | | Identifier for the panel. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. The following terms are reserved for internal use and cannot be used for an |
rejects | Comma-separated list of tokens | | Prevent panel rendering if one or more tokens in this list are defined. |
Parent element
<row>
Inline panel
<row>
  <panel> (0..n)
    <title> (0..1)
    <description> (0..1)
    <search> (0..n)
    <chart> | <event> | <html> | <map> | <single> | <table> (1..n)
Reference panel
<row>
  <panel ref="[panel name]" [app="[app name]"]> (0..n)
    <!-- Other <panel> child elements ignored -->
Child elements (Inline panel)
Element | Type | Default | Description |
---|---|---|---|
<description> | text | | Descriptive text to display in the panel. |
Panel visualization element | text | | A visualization element to display results of a search. Can also be an <html> panel to display text with HTML mark-up. See Panel visualization element. |
<search> | text | | Search string. A base search available for post process searches. |
<title> | text | | Display title for the panel. |
Example
Grouping of chart visualizations and single value visualizations using the <panel> element.
<dashboard>
  <label>Dashboard Panel Example</label>
  <description></description>
  <row>
    <panel>
      <chart>
        <title>Chart grouping</title>
        <search>
          <query>
            index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL )
            | stats count as log_events
            | rangemap field=log_events low=1-100 elevated=101-300 default=severe
          </query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">radialGauge</option>
      </chart>
      <chart>
        <search>
          <query>
            index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL )
            | stats count as log_events
            | rangemap field=log_events low=1-100 elevated=101-300 default=severe
          </query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">markerGauge</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <title>Single value grouping</title>
        <search>
          <query>
            index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL )
            | stats count as log_events
            | rangemap field=log_events low=1-100 elevated=101-300 default=severe
          </query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="beforeLabel">Found</option>
        <option name="afterLabel">errors</option>
      </single>
      <single>
        <search>
          <query>
            index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL )
            | stats count as log_events
            | rangemap field=log_events low=1-100 elevated=101-300 default=severe
          </query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="beforeLabel">Found</option>
        <option name="afterLabel">errors</option>
      </single>
    </panel>
  </row>
</dashboard>
row
A container for displaying one or more visualization elements in a horizontal layout of a dashboard or form.
Use the <panel> element to group visualization elements in a row.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this row in a dashboard. |
grouping | comma-separated list of integers | No grouping | Deprecated. Use the <panel> element to group visualization elements. Sets the grouping for the panels in a row according to a comma-separated list of numbers representing the panels to be grouped. When you group panels, the visualization for each grouped panel is placed in a container. With one exception, you can consider the containers as columns for the panel visualizations. Visualizations are placed one above the other in the container. If the grouping contains only visualizations of type <single>, the visualizations are placed side-by-side. The first number in a grouping configures a group for the initial number of panels specified for that group. Subsequent numbers in the list form a group for the next set of panels. For example, suppose you have a row with 6 visualizations. Specify the following grouping: This creates a container with the first two panels, a second container with one visualization, and a third container with the last three panels grouped. |
id | Text (minimum two characters) | | Identifier for the row. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. The following terms are reserved for internal use and cannot be used for an |
rejects | Comma-separated list of tokens | | Prevent row rendering if one or more tokens in this list are defined. |
Parent elements
<dashboard> | <form>
<row>
  <panel> (0..n)
Example
See the example for the <panel> element. This example shows grouping of visualizations in a row, using the <panel> element.
label
Optional header text for a dashboard, form, or form input.
Parent element
<dashboard> | <form>
<label>[text]</label> (0..1)
Example
<form>
  <label>Event count for different source types</label>
  . . .
  <fieldset>
    <input type="text" token="series">
      <label>Enter a source type</label>
      <default></default>
      <initialValue>splunkd</initialValue>
    </input>
  </fieldset>
  . . .
</form>
description
Text that displays beneath a <dashboard>, <form>, or <panel>.
Parent element
<dashboard> | <form> | <panel>
Syntax
<description>[text]</description> (0..1)
Example
<dashboard>
  <label>Event count for different source types</label>
  <description>Listing of common source types</description>
  . . .
  <panel>
    <title>Source types for the last 7 days</title>
    <description>Count for each source type in the internal index</description>
    . . .
  . . .
</dashboard>
init
Use the <init> element to set or update token values when a dashboard or form opens. See Token usage in dashboards to learn about using the <init> element to set tokens on page load.
Form inputs
fieldset
Defines the input elements to a form.
Attributes
Name | Type | Default | Description |
---|---|---|---|
autoRun | Boolean | False | Indicates whether to run the search when the page loads. |
submitButton | Boolean | True | Indicates whether to display a Submit button. |
Parent element
<form>
<fieldset autoRun="[Boolean]" submitButton="[Boolean]">
  <html> (0..n)
  <input type="[input type]" token="[search token]"> (1..n)
    <default> (0..1)
    <fieldForLabel> (0..1)
    <fieldForValue> (0..1)
    <initialValue> (0..1)
    <label> (0..1)
    <prefix> (0..1)
    <search> (0..1)
    <selectFirstChoice> (0..1)
    <suffix> (0..1)
    <populatingSearch> | <populatingSavedSearch> (0..1, deprecated)
Example
<fieldset autoRun="true" submitButton="false">
  <input type="text" token="series">
    <label>sourcetype</label>
    <default></default>
    <initialValue>splunkd</initialValue>
    <suffix>*</suffix>
  </input>
</fieldset>
checkbox
Defines a check box input to a form.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this input. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for this input. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. |
rejects | Comma-separated list of tokens | | Prevent input rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
searchWhenChanged | Boolean | False | Specifies to run the search when the selection changes. |
token | String | | Specifies which token in the search string to replace with the specified value. |
Parent element
<fieldset>
<input type="checkbox" token="[search token]"> (1..n)
  <default> (0..1)
  <delimiter> (0..1)
  <initialValue> (0..1)
  <label> (0..1)
  <prefix> (0..1)
  <search> (0..1)
  <suffix> (0..1)
  <valuePrefix> (0..1)
  <valueSuffix> (0..1)
Child elements
element | Type | Default | Description |
---|---|---|---|
<change> | <condition> | | Specifies the input choices that set conditional actions. The <change> element is not available for multiselect inputs. See <change>. |
<condition> | Input choice | | Specifies an input choice that sets conditional actions. See <condition> (input). |
<default> | Attribute value | | Specifies a default value for an input element. |
<delimiter> | text | | A string that will be placed between each selected value. Typically, you specify " OR " or " AND " using upper case – do not specify the quote marks, but specify a space character before and after the text. |
<earliest> <latest> | text | | Time expressions that specify the earliest and latest time parameters. Use with the <search> element to dynamically populate choices for the input. You can specify the time as relative time or absolute time. For relative time, use relative time modifiers, as described in Specify time modifiers in your search. For absolute time, specify the time in UNIX epoch time format. |
<fieldForLabel> <fieldForValue> | text | | The field to use for the label and value when using the <search> element to dynamically populate choices for the input. |
<initialValue> | Attribute value | | The initial value of the input element. The value for <default> overrides the value for <initialValue>. |
<label> | text | | Text displayed with the input element. |
<prefix> | text | | String prefixed to the value of the input element. Can be a regular expression. |
<search> | text | | Search that dynamically populates choices for the input. Use the ref attribute of the <search> element to reference a search from a report. See <search>. |
<suffix> | text | | String appended to the value of the input element. Can be a regular expression. |
<valuePrefix> | text | | String prefixed to the value of the input element. Can be a regular expression. |
<valueSuffix> | text | | String appended to the value of the input element. Can be a regular expression. |
Example
This example produces the following string when a user selects One and Three from the multiselect:
("1*" AND "3*")
<fieldset>
  <input type="checkbox" token="mv5">
    <choice value="1">One</choice>
    <choice value="2">Two</choice>
    <choice value="3">Three</choice>
    <delimiter> AND </delimiter>
    <prefix>(</prefix>
    <suffix>)</suffix>
    <valuePrefix>"</valuePrefix>
    <valueSuffix>*"</valueSuffix>
  </input>
</fieldset>
dropdown
Defines a dropdown input to a form.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this input. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for this input. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. |
rejects | Comma-separated list of tokens | | Prevent input rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
searchWhenChanged | Boolean | False | Specifies to run the search upon a new selection. |
token | String | | Specifies which token in the search string to replace with the specified value. |
Parent element
<fieldset>
<input type="dropdown" token="[search token]"> (1..n)
  <choice> (0..n)
  <initialValue> (0..1)
  <label> (0..1)
  <default> (0..1)
  <prefix> (0..1)
  <search> (0..1)
  <selectFirstChoice> (0..1)
  <suffix> (0..1)
Child elements
element | Type | Default | Description |
---|---|---|---|
<allowCustomValues> | boolean | false | If true, enables the selection of custom values typed into the text field for the input. |
<change> | <condition> | | Specifies the input choices that set conditional actions. The <change> element is not available for multiselect inputs. See <change>. |
<choice value=[value]> | text | | value: Required. Specifies the value to use for the choice. Specifies choices for a radio or dropdown element. <choice> Is the label to use for the specified value. |
<condition> | Input choice | | Specifies an input choice that sets conditional actions. See <condition> (input). |
<default> | Attribute value | | Specifies a default value for an input element. |
<earliest> <latest> | text | | Time expressions that specify the earliest and latest time parameters. Use with the <search> element to dynamically populate choices for the input. You can specify the time as relative time or absolute time. For relative time, use relative time modifiers, as described in Specify time modifiers in your search. For absolute time, specify the time in UNIX epoch time format. |
<fieldForLabel> <fieldForValue> | text | | The field to use for the label and value when using the <search> element to dynamically populate choices for the input. |
<initialValue> | Attribute value | | The initial value of the input element. The value for <default> overrides the value for <initialValue>. |
<label> | text | | Text displayed with the input element. |
<prefix> | text | | String prefixed to the value of the input element. Can be a regular expression. |
<search> | text | | Search that dynamically populates choices for the input. Use the ref attribute of the <search> element to reference a search from a report. See <search>. |
<selectFirstChoice> | boolean | false | Indicates if the first item listed is the default item for the input. If a value for <default> is present, <selectFirstChoice> is ignored. |
<showClearButton> | boolean | true | Indicates if the clear button for the dropdown is present. When present, the user clicks the clear button to change the choice to the default value for the dropdown. |
<suffix> | String | | String appended to the value of the input element. Can be a regular expression. |
Example
<form>
  <label>Form example: source type time chart</label>
  <fieldset autoRun="true" submitButton="false">
    <input type="dropdown" token="sourcetype_tok">
      <label>Select a source type</label>
      <default>splunkd</default>
      <choice value="splunkd">splunkd</choice>
      <choice value="splunk_web_access">splunk_web_access</choice>
      <choice value="splunkd_ui_access">splunkd_ui_access</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>
            index = _internal sourcetype=$sourcetype_tok$
            | timechart count by sourcetype
          </query>
          <earliest>-7d</earliest>
          <latest>-0d</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
link
Defines a link switcher input to a form.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this input. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for this input. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. |
rejects | Comma-separated list of tokens | | Prevent input rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
searchWhenChanged | Boolean | False | Specifies to run the search upon a new selection. |
token | String | | Specifies which token in the search string to replace with the specified value. |
Parent element
<fieldset>
<input type="link" token="[search token]"> (1..n)
  <choice> (0..n)
  <initialValue> (0..1)
  <label> (0..1)
  <default> (0..1)
  <prefix> (0..1)
  <search> (0..1)
  <selectFirstChoice> (0..1)
  <suffix> (0..1)
Child elements
element | Type | Default | Description |
---|---|---|---|
<change> | <condition> | | Specifies the input choices that set conditional actions. See <change>. |
<choice value=[value]> | text | | value: Required. Specifies the value to use for the choice. Specifies choices for the link input element. <choice> Is the label to use for the specified value. |
<condition> | Input choice | | Specifies an input choice that sets conditional actions. See <condition> (input). |
<default> | Attribute value | | Specifies a default value for an input element. |
<earliest> <latest> | text | | Time expressions that specify the earliest and latest time parameters. Use with the <search> element to dynamically populate choices for the input. You can specify the time as relative time or absolute time. For relative time, use relative time modifiers, as described in Specify time modifiers in your search. For absolute time, specify the time in UNIX epoch time format. |
<fieldForLabel> <fieldForValue> | text | | The field to use for the label and value when using the <search> element to dynamically populate choices for the input. |
<initialValue> | Attribute value | | The initial value of the input element. The value for <default> overrides the value for <initialValue>. |
<label> | text | | Text displayed with the input element. |
<prefix> | String | | String prefixed to the value of the input element. Can be a regular expression. |
<search> | text | | Search that dynamically populates choices for the input. Use the ref attribute of the <search> element to reference a search from a report. See <search>. |
<selectFirstChoice> | boolean | false | Indicates if the first item listed is the default item for the input. Overrides any value for <initialValue>. If a value for <default> is present, <selectFirstChoice> is ignored. |
<suffix> | String | | String appended to the value of the input element. Can be a regular expression. |
Example
<form>
  <label>Form with Link Selector</label>
  <description></description>
  <fieldset autoRun="True" submitButton="false">
    <input type="link" token="field_tok">
      <label>Select field to analyze</label>
      <default>Reason</default>
      <choice value="reason">Reason</choice>
      <choice value="log_level">Log level</choice>
      <choice value="component">Component</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Log level by $field_tok$</title>
        <search>
          <query>index=_internal source=*splunkd.log | stats count by $field_tok$</query>
          <earliest>-30d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</form>
multiselect
Defines an input to a form that accepts multiple choices. When a user selects the input, defined choices appear as a dropdown list. The user can also type directly in the input to filter the available choices.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this input. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for this input. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. |
rejects | comma-separated list of tokens | | Prevent input rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
searchWhenChanged | Boolean | False | Specifies to run the search upon a new selection. |
token | text | | Specifies which token in the search string to replace with the specified value. |
Parent element
<fieldset>
<input type="multiselect" token="[search token]"> (1..n)
  <default> (0..1)
  <delimiter> (0..1)
  <initialValue> (0..1)
  <label> (0..1)
  <prefix> (0..1)
  <search> (0..1)
  <suffix> (0..1)
  <valuePrefix> (0..1)
  <valueSuffix> (0..1)
Child elements
element | Type | Default | Description |
---|---|---|---|
<allowCustomValues> | boolean | false | If true, enables the selection of custom values typed into the text field for the input. |
<default> | Attribute value | | Specifies a default value for an input element. |
<delimiter> | text | | A string that will be placed between each selected value. Typically, you specify " OR " or " AND " using upper case – do not specify the quote marks, but specify a space character before and after the text. |
<earliest> <latest> | text | | Time expressions that specify the earliest and latest time parameters. Use with the <search> element to dynamically populate choices for the input. You can specify the time as relative time or absolute time. For relative time, use relative time modifiers, as described in Specify time modifiers in your search. For absolute time, specify the time in UNIX epoch time format. |
<fieldForLabel> <fieldForValue> | text | | The field to use for the label and value when using the <search> element to dynamically populate choices for the input. |
<initialValue> | Attribute value | | The initial value of the input element. The value for <default> overrides the value for <initialValue>. |
<label> | text | | Text displayed with the input element. |
<prefix> | text | | String prefixed to the value of the input element. Can be a regular expression. |
<search> | text | | Search that dynamically populates choices for the input. Use the ref attribute of the <search> element to reference a search from a report. See <search>. |
<suffix> | text | | String appended to the value of the input element. Can be a regular expression. |
<valuePrefix> | text | | String prefixed to the value of the input element. Can be a regular expression. |
<valueSuffix> | text | | String appended to the value of the input element. Can be a regular expression. |
Example
This example produces the following multiselect string for the search when a user selects splunkd and splunk_web_access:
sourcetype ="splunkd" OR sourcetype ="splunk_web_access"
<form>
  <label>Form with multiselect</label>
  <fieldset autoRun="false" submitButton="true">
    <html>
      <strong>Multiselect choices</strong>
    </html>
    <input type="multiselect" token="sourcetype_tok" searchWhenChanged="false">
      <label>Select one or more source types</label>
      <choice value="*">All</choice>
      <choice value="splunk_web_access">splunk_web_access</choice>
      <choice value="splunkd">splunkd</choice>
      <choice value="splunk_ui_access">splunk_ui_access</choice>
      <choice value="splunkd_access">splunkd_access</choice>
      <!-- Build multi-selection search: (sourcetype ="value1" OR sourcetype ="value2" OR ...) -->
      <prefix>(</prefix>
      <valuePrefix>sourcetype ="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <suffix>)</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title></title>
      <chart>
        <search>
          <query>index =_internal $sourcetype_tok$ | stats count by sourcetype</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisY.scale">log</option>
      </chart>
    </panel>
  </row>
</form>
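How the <prefix>, <valuePrefix>, <valueSuffix>, <delimiter> and <suffix> children combine into the token string, applied to both the checkbox and the multiselect inputs shown on this page; the multiselect's <prefix> and <suffix> add the parentheses shown in its XML comment. This is an added sketch, not Splunk's code: `build_token_value` is a hypothetical name, and the single-space default delimiter, the unset token for an empty selection and the check against the defined choices are assumptions of the sketch.

```python
import xml.etree.ElementTree as ET

# The <input> elements below are copied from this page's checkbox and
# multiselect examples (labels omitted).
CHECKBOX_INPUT = """
<input type="checkbox" token="mv5">
  <choice value="1">One</choice>
  <choice value="2">Two</choice>
  <choice value="3">Three</choice>
  <delimiter> AND </delimiter>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>"</valuePrefix>
  <valueSuffix>*"</valueSuffix>
</input>
"""

MULTISELECT_INPUT = """
<input type="multiselect" token="sourcetype_tok" searchWhenChanged="false">
  <choice value="*">All</choice>
  <choice value="splunk_web_access">splunk_web_access</choice>
  <choice value="splunkd">splunkd</choice>
  <choice value="splunk_ui_access">splunk_ui_access</choice>
  <choice value="splunkd_access">splunkd_access</choice>
  <prefix>(</prefix>
  <valuePrefix>sourcetype ="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR </delimiter>
  <suffix>)</suffix>
</input>
"""


def child_text(element, tag, default=""):
    """Text of a child element, whitespace preserved (" AND " keeps its spaces)."""
    node = element.find(tag)
    if node is None or node.text is None:
        return default
    return node.text


def build_token_value(input_xml, selected):
    """Assemble the token string for the selected choice values.

    Layout: prefix + (valuePrefix + value + valueSuffix, joined by
    delimiter) + suffix.
    """
    inp = ET.fromstring(input_xml)
    if not selected:
        # Assumption of this sketch: no selection leaves the token unset.
        return None

    # Assumption of this sketch: values outside the defined <choice> list are
    # refused unless <allowCustomValues> is true. This is the sketch's own
    # validation, not a statement about Splunk Web behaviour.
    choices = {c.get("value") for c in inp.findall("choice")}
    allow_custom = child_text(inp, "allowCustomValues").strip().lower() == "true"
    unknown = [v for v in selected if v not in choices]
    if unknown and not allow_custom:
        raise ValueError(f"values not among the defined choices: {unknown}")

    value_prefix = child_text(inp, "valuePrefix")
    value_suffix = child_text(inp, "valueSuffix")
    # Assumption: a single space separates values when no <delimiter> is given.
    delimiter = child_text(inp, "delimiter", " ")

    body = delimiter.join(value_prefix + v + value_suffix for v in selected)
    return child_text(inp, "prefix") + body + child_text(inp, "suffix")


if __name__ == "__main__":
    print(build_token_value(CHECKBOX_INPUT, ["1", "3"]))
    print(build_token_value(MULTISELECT_INPUT, ["splunkd", "splunk_web_access"]))
```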
radio
Defines a radio input to a form.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this input. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for this input. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. |
rejects | Comma-separated list of tokens | | Prevent input rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
searchWhenChanged | Boolean | False | Specifies to run the search upon a new selection. |
token | String | | Specifies which token in the search string to replace with the specified value. |
Parent element
<fieldset>
<input type="radio" token="[search token]"> (1..n)
  <choice> (0..n)
  <initialValue> (0..1)
  <label> (0..1)
  <default> (0..1)
  <prefix> (0..1)
  <search> (0..1)
  <selectFirstChoice> (0..1)
  <suffix> (0..1)
Child elements
element | Type | Default | Description |
---|---|---|---|
<change> | <condition> | | Specifies the input choices that set conditional actions. See <change>. |
<choice value=[value]> | text | | value: Required. Specifies the value to use for the choice. Specifies choices for a radio or dropdown element. <choice> Is the label to use for the specified value. |
<condition> | Input choice | | Specifies an input choice that sets conditional actions. See <condition> (input). |
<default> | Attribute value | | Specifies a default value for an input element. |
<earliest> <latest> | text | | Time expressions that specify the earliest and latest time parameters. Use with the <search> element to dynamically populate choices for the input. You can specify the time as relative time or absolute time. For relative time, use relative time modifiers, as described in Specify time modifiers in your search. For absolute time, specify the time in UNIX epoch time format. |
<fieldForLabel> <fieldForValue> | text | | The field to use for the label and value when using the <search> element to dynamically populate choices for the input. |
<initialValue> | Attribute value | | The initial value of the input element. The value for <default> overrides the value for <initialValue>. |
<label> | text | | Text displayed with the input element. |
<prefix> | String | | String prefixed to the value of the input element. Can be a regular expression. |
<search> | text | | Search that dynamically populates choices for the input. Use the ref attribute of the <search> element to reference a search from a report. See <search>. |
<selectFirstChoice> | boolean | false | Indicates if the first item listed is the default item for the input. If a value for <default> is present, <selectFirstChoice> is ignored. |
<suffix> | String | | String appended to the value of the input element. Can be a regular expression. |
Example
```xml
<form>
  <label>Form with radio input</label>
  <description></description>
  <fieldset autoRun="True" submitButton="false">
    <input type="radio" token="field_tok">
      <label>Select field to analyze</label>
      <default>component</default>
      <choice value="reason">Reason</choice>
      <choice value="name">Name</choice>
      <choice value="component">Component</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Log level by $field_tok$</title>
        <search>
          <query>
            index=_internal source=*splunkd.log | stats count by $field_tok$
          </query>
          <earliest>-30d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</form>
```
text
Defines a text input to a form.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this input. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for this input. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. |
rejects | Comma-separated list of tokens | | Prevent input rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
searchWhenChanged | Boolean | False | Specifies to run the search when new text is entered. |
token | String | | Specifies which token in the search string to replace with the specified value. |
Parent element
<fieldset>
<input type="text" token="[search token]"> (1) <initialValue> (0..1) <label> (0..1) <default> (0..1) <prefix> (0..1) <suffix> (0..1)
Child elements
element | Type | Default | Description |
---|---|---|---|
<change> | <condition> | | Specifies the input choices that set conditional actions. See <change>. |
<condition> | Input choice | | Specifies an input choice that sets conditional actions. See <condition> (input). |
<default> | Attribute value | | Specifies a default value for an input element. |
<initialValue> | Attribute value | | The initial value of the input element. The value for <default> overrides the value for <initialValue>. |
<label> | text | | Text displayed with the input element. |
<prefix> | String | | String prefixed to the value of the input element. Can be a regular expression. |
<suffix> | String | | String appended to the value of the input element. Can be a regular expression. |
Example
```xml
<form>
  <label>Form with text input</label>
  <description></description>
  <fieldset autoRun="True" submitButton="false">
    <input type="text" token="log_level_tok">
      <label>Specify a log level</label>
      <default>INFO</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Timechart for $log_level_tok$</title>
        <search>
          <query>
            index=_internal source=*splunkd.log log_level="$log_level_tok$" | timechart count by log_level
          </query>
          <earliest>-7d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```
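Because a text input's token is substituted into the `<query>` string as typed, a common hardening step is Splunk's `|s` token filter, which wraps the value in quotes and escapes quotation marks inside it. The following Python audit is an added example, not part of the Splunk reference: it flags `<query>` references to text-input tokens that lack `|s` and rewrites them. The function names, the `FREE_FORM_TYPES` set and the embedded form (adapted from the text-input example above) are assumptions of this sketch.

```python
"""Audit a Simple XML form for text-input tokens used in <query> without |s."""
import re
import xml.etree.ElementTree as ET

# Assumption of this example: only type="text" inputs are treated as free-form.
# Add other input types here to audit them as well.
FREE_FORM_TYPES = {"text"}

# Matches "$$" (a literal dollar sign) or a token reference: $name$ / $name|f$,
# optionally wrapped in the dashboard author's own double quotes.
TOKEN_REF = re.compile(
    r'\$\$|(?P<q>"?)\$(?P<name>[A-Za-z_][\w.]*)(?:\|(?P<filt>[a-z]))?\$(?P=q)'
)

# Constructed sample, adapted from the text-input example on this page.
SAMPLE_FORM = """
<form>
  <label>Form with text input</label>
  <fieldset autoRun="True" submitButton="false">
    <input type="text" token="log_level_tok">
      <label>Specify a log level</label>
      <default>INFO</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Timechart for $log_level_tok$</title>
        <search>
          <query>index=_internal source=*splunkd.log log_level="$log_level_tok$" | timechart count by log_level</query>
          <earliest>-7d</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
"""


def _base(name):
    """Map $form.tok$ to tok; other references are returned unchanged."""
    return name[len("form."):] if name.startswith("form.") else name


def _free_text_tokens(root):
    """Token names declared by free-form inputs in the form."""
    return {
        inp.get("token")
        for inp in root.iter("input")
        if inp.get("type") in FREE_FORM_TYPES and inp.get("token")
    }


def _needs_fix(match, free_text):
    """True for a free-form token reference that does not use the |s filter."""
    name = match.group("name")  # None when the match is the literal "$$"
    return (
        name is not None
        and _base(name) in free_text
        and match.group("filt") != "s"
    )


def audit(xml_text):
    """Return (token, reference) pairs for risky references inside <query>."""
    root = ET.fromstring(xml_text)
    free_text = _free_text_tokens(root)
    findings = []
    for query in root.iter("query"):
        for match in TOKEN_REF.finditer(query.text or ""):
            if _needs_fix(match, free_text):
                findings.append((_base(match.group("name")), match.group(0)))
    return findings


def harden(xml_text):
    """Rewrite $tok$ and "$tok$" in <query> to $tok|s$ and return the XML."""
    root = ET.fromstring(xml_text)
    free_text = _free_text_tokens(root)

    def fix(match):
        if not _needs_fix(match, free_text):
            return match.group(0)
        # |s supplies the quotes itself, so the author's own quotes are dropped.
        return "$%s|s$" % match.group("name")

    for query in root.iter("query"):
        if query.text:
            query.text = TOKEN_REF.sub(fix, query.text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for token, reference in audit(SAMPLE_FORM):
        print("text token %s used in <query> without |s: %s" % (token, reference))
    print(harden(SAMPLE_FORM))
```

The `|s` filter only turns the value into one quoted string. A token used as a field name, as in the radio example's `stats count by $field_tok$`, cannot be quoted this way and is better kept to fixed `<choice>` values.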
time
Specifies a time picker input to a form.
Use tokens to specify more than one time range picker. If you do not specify a token for a time picker, the time picker becomes global. Any visualization that does not specify a time range, either through a reference to a time picker token or directly in code, applies the time range from the global time picker.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this input. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for this input. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. |
rejects | comma-separated list of tokens | | Prevent input rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
token | text | | Use tokens to associate a time picker with a panel. When referencing a time picker token, use the earliest and latest modifiers to the token to specify a time range. See the example below. |
searchWhenChanged | Boolean | False | Specifies to run the search upon a new selection. |
Parent element
<fieldset>
<input type="time" [ token="[text]" ] [ searchWhenChanged="[true|false]" ]> (0..n) <label> (0..1) <default> (0..1) [time preset] (0..1) | <earliest> (0..1) <latest> (0..1) </default>
Child elements
element | Type | Default | Description |
---|---|---|---|
<change> | <condition> | | Specifies the input choices that set conditional actions. The <change> element is not available for multiselect inputs. See <change>. |
<condition> | Input choice | | Specifies an input choice that sets conditional actions. See <condition> (input). |
<earliest> <latest> | text | | Time expressions that specify the earliest and latest time parameters. You can specify the time as relative time or absolute time. For relative time, use relative time modifiers, as described in Specify time modifiers in your search. For absolute time, specify the time in UNIX epoch time format. |
<default> | text or time modifier | | Specifies a default value for an input element. You can specify either a preset value, as listed in times.conf, or the <earliestTime> and <latestTime> for a custom default time range. See <earliestTime> and <latestTime> for details. |
<label> | text | | Text displayed with the input element. |
Example
The default value for the time picker is set to the last seven days. The <chart> element in this example references the $time_tok$ token for the time picker. The chart updates with any new selected time range.
```xml
<form>
  <label>Form with time input</label>
  <description/>
  <fieldset submitButton="false">
    <input type="dropdown" token="source_tok" searchWhenChanged="true">
      <label>Select a source type</label>
      <choice value="*">All</choice>
      <search>
        <query>
          index=_internal | stats count by sourcetype
        </query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <default>*</default>
    </input>
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Select time range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>$source_tok$ -- Count for last 7 days</title>
        <search>
          <query>
            index=_internal $source_tok$ | timechart count
          </query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```
change
Lets you set tokens based on a selected choice for a form input. You can use it with the <condition> element to define conditional actions based on a selected choice.
The <change> element is not available for multiselect inputs.
Parent elements
<input type="checkbox"> <input type="dropdown"> <input type="radio"> <input type="text"> <input type="time">
<change> <condition>(0..n) (<link> | <set> | <unset>) (1..n)
Attributes
No attributes for this element.
Example
Use the <change> element to capture the selected label and value from an input.
```xml
<form>
  <label>Use tokens with input choices to capture input labels and values</label>
  <fieldset submitButton="false">
    <input type="radio" token="period_tok">
      <label>Select a time range</label>
      <choice value="-24h@h">Last 24 Hours</choice>
      <choice value="-7d@d">Last 7 Days</choice>
      <choice value="-30d@d">Last 30 Days</choice>
      <default>Last 24 Hours</default>
      <change>
        <!-- use predefined input tokens to set -->
        <!-- tokens for the selected label and value -->
        <set token="date_label">$label$</set>
        <set token="earliest_tok">$value$</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Conditional Inputs</title>
      <chart>
        <!-- Display selected label in the title -->
        <title>Source Type by $date_label$</title>
        <search>
          <query>index = _internal | timechart count by sourcetype</query>
          <!-- use the value of earliest_tok -->
          <!-- to set the time range -->
          <earliest>$earliest_tok$</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisTitleX.text">Time period</option>
        <option name="charting.axisTitleY.text">Events</option>
      </chart>
    </panel>
  </row>
</form>
```
condition (input)
Specifies the scope of actions based on input choices. If the parent element <change> is not present, then the actions apply to all choices. The <condition> element is not available for multiselect inputs.
Note: The <condition> element applies to both input elements and drilldown elements. See <condition> (drilldown) for details.
Attributes
Name | Type | Default | Description |
---|---|---|---|
field | text | * | Drilldown context only. Specifies the search field on which to implement the drilldown, or to set or unset a token. See <condition> (drilldown). |
label | text | * | Specifies the input <label> element to which the condition applies. |
match | text | * | Specifies a job property-based condition to evaluate for a match. For example, you can use <condition match="'job.resultCount' == 0"> to specify a condition to apply when a search returns no results. |
value | text | * | Specifies the input <value> element to which the condition applies. |
Parent element
<change>
<condition> (<link> | <set> | <unset>) (1..n)
Example
Use conditional inputs to select preset time ranges for a search.
The token for the selected choice appears in the title for the chart. The conditional token for the selected value drives the data for the chart.
```xml
<form>
  <label>Use tokens with conditional input choices</label>
  <fieldset submitButton="false">
    <input type="radio" token="period_tok">
      <label>Select a time range</label>
      <choice value="-24h@h">Last 24 Hours</choice>
      <choice value="-7d@h">Last 7 Days</choice>
      <choice value="-30d@h">Last 30 Days</choice>
      <default>Last 24 Hours</default>
      <!-- set condition based on the label defined by <choice> -->
      <!-- Within each condition, specify a custom label for display -->
      <!-- Capture the selected value in the token, earliest_tok -->
      <change>
        <condition label="Last 24 Hours">
          <set token="date_label">Yesterday</set>
          <set token="earliest_tok">$value$</set>
        </condition>
        <condition label="Last 7 Days">
          <set token="date_label">Last week</set>
          <set token="earliest_tok">$value$</set>
        </condition>
        <condition label="Last 30 Days">
          <set token="date_label">Last month</set>
          <set token="earliest_tok">$value$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Conditional Inputs</title>
      <chart>
        <!-- Display selected label in the title -->
        <title>$date_label$</title>
        <search>
          <query>index = _internal | timechart count by sourcetype</query>
          <!-- use the value of earliest_tok -->
          <!-- to set the time range -->
          <earliest>$earliest_tok$</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisTitleX.text">Time periods</option>
        <option name="charting.axisTitleY.text">Events</option>
      </chart>
    </panel>
  </row>
</form>
```
Panel visualization elements
chart
A panel displaying search data in chart format. The search driving the panel can be an inline search or a saved report, which contains chart formatting parameters. For more information on saving reports, see Create and edit reports.
When you load a saved report in the chart panel, your saved report format also loads. However, you can override chart formatting inline using the chart options.
Charts use named options to specify chart-specific properties. This reference lists the basic panel options for charts. See the Chart Configuration Reference for a complete list of chart options.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this row or panel. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for the visualization. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. The following terms are reserved for internal use and cannot be used for an |
rejects | Comma-separated list of tokens | | Prevent visualization rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
Parent elements
<row>
<panel>
<chart> <title> (0..1) <search> (0..1) <earliest> (0..1) <latest> (0..1) <drilldown> (0..n) <selection> (0..n, for charts of type area, line, and column only) <option name="[property]"> (0..n)
Options
property | Type | Default | Description |
---|---|---|---|
charting.chart | (area \| bar \| column \| fillerGauge \| line \| markerGauge \| pie \| radialGauge \| scatter) | column | Set the chart type. |
charting.legend.placement | (top \| left \| bottom \| right \| none) | right | Indicates the placement of the legend. |
charting.* | — | — | All of the formatting options supported for chart. See the Custom Chart Reference for details. |
height | Number between 100-10000 | 250 | Height, in pixels, of the chart. |
link.exportResults.visible | Boolean | (See description) | Show the Export button at the bottom of the panel. Default value: The value of link.visible. |
link.inspectSearch.visible | Boolean | (See description) | Show the Inspect button at the bottom of the panel. Default value: The value of link.visible. |
link.openPivot.visible | Boolean | (See description) | Show the Open in Pivot button at the bottom of the panel. Default value: The value of link.visible. |
link.openSearch.search | search string | — | The alternative search to use for the Open in Search button. |
link.openSearch.searchEarliestTime | (time modifier) | (See description) | The earliest time to use for the alternative search specified by link.openSearch.search. Default value: The earliest time used by the panel. Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers. |
link.openSearch.searchLatestTime | (time modifier) | (See description) | The latest time to use for the alternative search specified by link.openSearch.search. Default value: The latest time used by the panel. Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers. |
link.openSearch.text | text | Open in Search | The label to use for the Open in Search button. |
link.openSearch.viewTarget | View name | Search | The target view for the Open in Search button. |
link.openSearch.visible | Boolean | (See description) | Show the Open in Search button at the bottom of the panel. Default value: The value of link.visible |
link.visible | Boolean | true | Show link buttons at the bottom of the panel. |
refresh.auto.interval (Deprecated) | Number | 0 | Deprecated. Use the refresh attribute to specify a dashboard or search refresh interval. |
refresh.time.visible | Boolean | true | Display the refresh time indicator in the panel. |
refresh.link.visible | Boolean | true | Display the refresh link in the panel. |
Example
Example line chart panel using an inline search. It limits results to a specified time window and provides labels for the X and Y axes:
```xml
<dashboard>
  <label>Top source types in the last week</label>
  <row>
    <panel>
      <title>Chart example</title>
      <chart>
        <title>Top sourcetypes in the last week</title>
        <search>
          <query>
            index=_internal source="*metrics.log" group=per_sourcetype_thruput | timechart sum(kb) by series
          </query>
          <earliest>-1w</earliest>
          <latest>now</latest>
        </search>
        <option name="height">200</option>
        <option name="charting.chart">line</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart.nullValueMode">connect</option>
      </chart>
    </panel>
    . . .
  </row>
</dashboard>
```
event
A panel displaying search results as individual events.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this panel. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for the visualization. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. The following terms are reserved for internal use and cannot be used for an |
rejects | Comma-separated list of tokens | | Prevent visualization rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
Parent elements
<row>
<panel>
<event> <title> (0..1) <search> (0..1) <earliest> (0..1) <latest> (0..1) <fields> (0..1) <option name="[property]"> (0..n)
Options
property | Type | Default | Description |
---|---|---|---|
count | Integer | | The maximum number of rows to display. |
displayRowNumbers | Boolean | False | (Deprecated) Use the attribute rowNumbers. Toggle display of row numbers. |
drilldown | (all \| none) | all | Deprecated. Enables (or disables) all type-specific drilldowns (list.drilldown, table.drilldown, raw.drilldown). Type-specific drilldown options override what is set here. all: Drilldown is enabled. |
entityName | (events \| results) | events | Deprecated. Toggle whether to show events or results. Events are individual events, while results are created by statistical operators. |
link.exportResults.visible | Boolean | (See description) | Show the Export button at the bottom of the panel. Default value: The value of link.visible. |
link.inspectSearch.visible | Boolean | (See description) | Show the Inspect button at the bottom of the panel. Default value: The value of link.visible. |
link.openPivot.visible | Boolean | (See description) | Show the Open in Pivot button at the bottom of the panel. Default value: The value of link.visible. |
link.openSearch.search | search string | — | The alternative search to use for the Open in Search button. |
link.openSearch.searchEarliestTime | (time modifier) | (See description) | The earliest time to use for the alternative search specified by link.openSearch.search. Default value: The earliest time used by the panel. Specify the time using time modifiers. |
link.openSearch.searchLatestTime | (time modifier) | (See description) | The latest time to use for the alternative search specified by link.openSearch.search. Default value: The latest time used by the panel. Specify the time using time modifiers. |
link.openSearch.text | text | Open in Search | The label to use for the Open in Search button. |
link.openSearch.viewTarget | View name | Search | The target view for the Open in Search button. |
link.openSearch.visible | Boolean | (See description) | Show the Open in Search button at the bottom of the panel. Default value: The value of link.visible |
link.visible | Boolean | true | Show link buttons at the bottom of the panel. |
list.drilldown | (full \| inner \| outer \| none) | full | Specifies how drilldown operates in the event listing: full: Enables the entire entry for drilldown. inner: Enables inner elements of the event listing for drilldown. outer: Enables outer elements of the event listing for drilldown. none: Disables drilldown. |
list.wrap | Boolean | true | Indicates whether to wrap the contents of the event listing. |
maxLines | Integer | | The maximum number of lines to display for each result/event. |
raw.drilldown | (full \| inner \| outer \| none) | full | Specifies how drilldown operates in the raw event listing: full: Enables the entire entry for drilldown. inner: Enables inner elements of the event listing for drilldown. outer: Enables outer elements of the event listing for drilldown. none: Disables drilldown. |
refresh.auto.interval (Deprecated) | Number | 0 | Deprecated. Use the refresh attribute to specify a dashboard or search refresh interval. |
refresh.time.visible | Boolean | true | Display the refresh time indicator in the panel. |
refresh.link.visible | Boolean | true | Display the refresh link in the panel. |
rowNumbers | Boolean | False | Indicates whether to display row numbers. |
segmentation | (none \| inner \| outer \| full) | none | Deprecated: Use list.drilldown or raw.drilldown instead. Sets the segmentation of events displayed. If you specify segmentation together with either list.drilldown or raw.drilldown, |
showPager | Boolean | True | Toggle pagination on or off. |
softWrap | Boolean | | Deprecated. Enables wrapping of events. Replaced with list.wrap and table.wrap. |
table.sortColumn | text | | Specifies the column on which to sort for the table. |
table.sortDirection | (asc \| desc) | asc | Indicates the sort direction for items in the table. |
table.drilldown | (all \| none) | all | Indicates whether drilldown functionality is enabled for the table. all: Drilldown is enabled. |
table.wrap | Boolean | True | Indicates whether text in the table wraps. |
type | (list \| raw \| table) | list | Indicates the format for displaying events. |
Example
```xml
<dashboard>
  <label>Event listing by size</label>
  <row>
    <panel>
      <title>Event example</title>
      <event>
        <title>Event view</title>
        <search>
          <!-- A literal < in a query must be written as &lt; to keep the XML well-formed -->
          <query>
            index = _internal current_size_kb &lt; 1
          </query>
          <earliest>-1w</earliest>
          <latest>now</latest>
        </search>
        <option name="showPager">true</option>
        <option name="count">4</option>
        <option name="rowNumbers">false</option>
      </event>
    </panel>
  </row>
</dashboard>
```
html
The HTML panel displays inline HTML. The panel interprets the entire contents between the HTML tags literally, displaying HTML formatted text in the panel.
Any relative link references, such as images, are relative to the current view location. The HTML panel does not accept any options.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this panel. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
encoded | boolean | false | For internal use only. If true, the dashboard uses decoded text content instead of the XML content. |
id | Text (minimum two characters) | | Identifier for the visualization. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. The following terms are reserved for internal use and cannot be used for an |
rejects | comma-separated list of tokens | | Prevent visualization rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
src | String | | Put the contents of an HTML or image file into the <html> panel. Directory locations and Simple XML syntax are different for HTML files and image files. HTML file from the same app context: <html src="<file_name>.html"> </html> HTML file from a different app context: <html src="<other_app_name>:<file_name>.html"> </html> Image file: <html> <img src="/static/app/<app_name>/images/<file_name>.png"> </img> </html> See the following instructions for details on where to save HTML and image files and how to reference files from different app contexts. |
tokens | boolean | true | If false, disables token replacement for the <html> panel. |
Use an HTML file in a dashboard panel
Steps
- Put the HTML file in the following directory.
  $SPLUNK_HOME/etc/apps/<appname>/appserver/static
- In the <html> panel, use this syntax to indicate a file from the current app context.
  <html src="<file_name>.html"> </html>
  If you are specifying an HTML file from another app context, use this syntax.
  <html src="<other_app_name>:<file_name>.html"> </html>
Use an image file in a dashboard panel
Steps
- Put the image file in the following directory.
  $SPLUNK_HOME/etc/apps/<appname>/appserver/static/images
  If an /images directory does not already exist, create one and put the file in it.
- Verify that the image file path is accessible by testing the following URL.
  http://<host>:<port>/static/app/<app_name>/images/<image>
  For example, use this URL to verify that the my_image.png file is accessible.
  http://localhost:8000/static/app/search/images/my_image.png
- In the <html> panel, use this syntax to indicate a file from the current app context.
  <html> <img src="/static/app/search/images/<file_name>.png"> </img> </html>
Example
```xml
<dashboard>
  <label>test_db</label>
  <row>
    <panel>
      <html>
        <!-- Use an image from the current app's /static/images directory -->
        <img src="/static/app/search/images/my_image.png"></img>
      </html>
    </panel>
    <panel>
      <!-- Use an HTML file from the webhook app. -->
      <html src="alert_webhook:my_html_file.html">
      </html>
      <!-- Use an image from the webhook app static/images directory -->
      <html>
        <img src="/static/app/alert_webhook/images/my_other_image.png"></img>
      </html>
    </panel>
  </row>
</dashboard>
```
Parent elements
<row>
<panel>
<html>
Example
HTML panel showing how to reference a local image:
```xml
<dashboard>
  <label>Dashboard with HTML content</label>
  <row>
    <panel>
      <title>HTML panel</title>
      <html>
        <h1>Example HTML</h1>
        <p>The HTML panel displays inline HTML.</p>
        <p>
          The panel interprets the entire contents between the HTML tags
          literally, displaying HTML formatted text in the panel.
          The HTML panel does not accept any options.
        </p>
        <p>
          Any relative link references, such as images, are relative to
          the current view location.
        </p>
        <p>
          For the following image in the Search app:
          <img src="/static/app/search/appIcon.png"/>
        </p>
        <p>Path to the image in your Splunk instance:
          <pre>$SPLUNK_HOME/etc/apps/search/appserver/static/appIcon.png</pre>
          Access the image with the following HTML source code:
          <!-- Escaped so the tag is displayed as text instead of rendered -->
          <pre>&lt;img src="/static/app/search/appIcon.png" /&gt;</pre>
        </p>
      </html>
    </panel>
    <panel>
      <title>HTML from source file</title>
      <html src="Test_for_html_panel.html" />
    </panel>
  </row>
</dashboard>
```
map
Provides for mapping geographic coordinates as interactive markers on a world map. This visualization depends on results from the geostats search command.
See "geostats" in the Search Reference for details on implementing a geostats search.
You can create choropleth maps with the <map> element. See Choropleth maps. For choropleth map simple XML options, see Choropleth map options.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this panel. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for the visualization. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. The following terms are reserved for internal use and cannot be used for an |
rejects | comma-separated list of tokens | | Prevent visualization rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
Parent elements
<row>
<panel>
<map> <title> (0..1) <search> (0..1) <earliest> (0..1) <latest> (0..1) <option name="[property]"> (0..n)
Options
Example to specify San Francisco Bay Area: <option name="mapping.map.fitBounds">(37.5,-123,38,-122)</option>
property | Type | Default | Description |
---|---|---|---|
drilldown | (all \| none) | all | all: Drilldown is enabled. none: Drilldown is disabled. |
height | integer | 400 | The height in pixels of the map element. Minimum value is 200. |
link.exportResults.visible | Boolean | (See description) | Show the Export button at the bottom of the panel. Default value: The value of link.visible. |
link.inspectSearch.visible | Boolean | (See description) | Show the Inspect button at the bottom of the panel. Default value: The value of link.visible. |
link.openSearch.search | search string | — | The alternative search to use for the Open in Search button. |
link.openSearch.searchEarliestTime | (time modifier) | (See description) | The earliest time to use for the alternative search specified by link.openSearch.search. Default value: The earliest time used by the panel. Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers. |
link.openSearch.searchLatestTime | (time modifier) | (See description) | The latest time to use for the alternative search specified by link.openSearch.search. Default value: The latest time used by the panel. Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers. |
link.openSearch.text | text | Open in Search | The label to use for the Open in Search button. |
link.openSearch.viewTarget | View name | Search | The target view for the Open in Search button. |
link.openSearch.visible | Boolean | (See description) | Show the Open in Search button at the bottom of the panel. Default value: The value of link.visible |
link.visible | Boolean | true | Show link buttons at the bottom of the panel. |
mapping.data.maxClusters | Integer | 100 | The maximum number of clusters to render. Caution: Setting this option to a large number of clusters can significantly degrade performance. Splunk recommends values below 1000. |
mapping.fieldColors | field:hexvalue, . . . | | A comma-separated map of field names to hexadecimal color values (0xRRGGBB) to define colors for specific series. |
mapping.map.center | (lat,long) | | The initial center point of the map. Latitude values can range from -85 to 85, with values outside of this range being clipped. Longitude values can range from -180 to 180, with values outside of this range being wrapped to fall within it. |
mapping.map.scrollZoom | Boolean | false | Indicates whether the map zooms when a user scrolls the map. |
mapping.map.panning | Boolean | true | Indicates whether the map pans when dragged. |
mapping.map.zoom | Number | 2 | The initial zoom level of the map. |
mapping.map.fitBounds | (south-lat, west-long, north-lat, east-long) | | The initial bounds to fit within the map view area. Latitude values can range from -85 to 85, with values outside of this range being clipped. Longitude values can range from -180 to 180, with values outside of this range being wrapped to fall within it. |
mapping.markerLayer.markerOpacity | Number | 0.8 | The opacity of the markers. Values can range from 0 (transparent) to 1 (opaque). |
mapping.markerLayer.markerMinSize | Number | 10 | The minimum size of the markers, in pixels. |
mapping.markerLayer.markerMaxSize | Number | 50 | The maximum size of the markers, in pixels. |
mapping.seriesColors | hexvalue, . . . | Default* | A list of hexadecimal color values (0xRRGGBB) from which to sample colors for series with no specific colors assigned using the fieldColors property. |
mapping.showTiles | boolean | true | Determines whether the map tiles are shown. |
mapping.tileLayer.tileOpacity | text | 1 | Specifies the opacity of the tiles. Values can range from 0 (transparent) to 1 (opaque). |
mapping.tileLayer.url | URL template | See description | The URL to use for requesting tiles, based on the following template: http://(s).tile.openstreetmap.org/(z)/(x)/(y).png |
mapping.tileLayer.subdomains | [string,. . .] | [a,b,c] | A list of subdomains to distribute tile requests over. More subdomains allows more tiles to be requested simultaneously. See example below. |
mapping.tileLayer.minZoom | Integer | 0 | The minimum zoom level of the tileset. |
mapping.tileLayer.maxZoom | Integer | 7 | The maximum zoom level of the tileset. Use any non-negative integer to specify the maximum zoom level. |
mapping.tileLayer.invertY | Boolean | False | Whether to invert the y coordinate for tile requests. TMS servers use inverse y-axis numbering. |
mapping.tileLayer.attribution | String | See description | A copyright attribution to be displayed in the bottom right corner of the map. The default value: Map data (c) 2012 OpenStreetMap contributors, CC-BY-SA. See example below. |
mapping.type | ("marker" | "choropleth") | See description | The type of map to render. Allowed values are "marker" and "choropleth". Default is "marker". |
refresh.auto.interval (Deprecated) | Number | 0
|
Deprecated. Use the refresh attribute to specify a dashboard or search refresh interval.
|
refresh.time.visible | Boolean | true
|
Display the refresh time indicator in the panel. |
refresh.link.visible | Boolean | true
|
Display the refresh link in the panel. |
* Default value for mapping.seriesColors:
[0x6CB8CA,0xFAC61D,0xD85E3D,0x956E96,0xF7912C,0x9AC23C,0x5479AF,0x999755,0xDD87B0,0x65AA82, 0xA7D4DF,0xFCDD77,0xE89E8B,0xBFA8C0,0xFABD80,0xC2DA8A,0x98AFCF,0xC2C199,0xEBB7D0,0xA3CCB4, 0x416E79,0x967711,0x823825,0x59425A,0x94571A,0x5C7424,0x324969,0x5C5B33,0x85516A,0x3D664E]
Choropleth map options
Name | Type | Default | Description |
---|---|---|---|
mapping.choroplethLayer.colorBins | integer | 5 | Specifies the number of color bins to use. |
mapping.choroplethLayer.colorMode | ("sequential" | "divergent" | "categorical") | 'auto' | Specifies the color mode to use for the choropleth shapes. Possible modes are 'sequential', 'divergent', or 'categorical'. |
mapping.choroplethLayer.maximumColor | text | DB5800 | Specifies the color to use for the highest value shapes. |
mapping.choroplethLayer.minimumColor | text | 2F25BA | Only used when the color mode is divergent. The color to use for the lowest value shapes. |
mapping.choroplethLayer.neutralPoint | text | 0 | Only used when the color mode is divergent. The value where the color palette should switch from using the minimum color to the maximum color. |
mapping.choroplethLayer.shapeOpacity | text | 0.75 | Specifies the opacity of the shapes. Values can range from 0 (transparent) to 1 (opaque). |
mapping.choroplethLayer.showBorder | Boolean | true | Specifies whether to show borders around each shape. |
mapping.showTiles | Boolean | true | Determines whether the map tiles are shown. |
mapping.tileLayer.tileOpacity | text | 1 | Specifies the opacity of the tiles. Values can range from 0 (transparent) to 1 (opaque). |
mapping.data.maxClusters example
The following example sets the maximum number of clusters to 250:
```xml
<map>
  <option name="mapping.data.maxClusters">250</option>
</map>
```
mapping.fieldColors and mapping.seriesColors example
The following example configures the "foo" and "bar" fields to be red (0xFF0000) and green (0x00FF00), respectively, and configures all other fields to be blue (0x0000FF):
```xml
<map>
  <option name="mapping.fieldColors">{foo:0xFF0000,bar:0x00FF00}</option>
  <option name="mapping.seriesColors">[0x0000FF]</option>
</map>
```
mapping.map.fitBounds example
The following example initializes the map view to a boundary around San Francisco:
```xml
<map>
  <option name="mapping.map.fitBounds">(37.5,-123,38,-122)</option>
</map>
```
mapping.tileLayer.* example
The following example configures the client to request tiles from openstreetmap.org (this is the default configuration):
```xml
<map>
  <option name="mapping.tileLayer.url">http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png</option>
  <option name="mapping.tileLayer.subdomains">[a,b,c]</option>
  <option name="mapping.tileLayer.maxZoom">18</option>
  <option name="mapping.tileLayer.attribution">Map data (c) 2012 OpenStreetMap contributors, CC-BY-SA.</option>
</map>
```
map example, using foursquare data
This example assumes you are indexing foursquare data as source foursquare. It produces the map depicted below.
```xml
<map>
  <title>Roma</title>
  <search>
    sourcetype=foursquare
    | geostats latfield=checkin.geolat longfield=checkin.geolong count by checkin.user.gender
  </search>
  <option name="mapping.data.maxClusters">500</option>
  <option name="mapping.markerLayer.markerMaxSize">20</option>
  <option name="mapping.map.fitBounds">(41.3,12.7,41.5,12.8)</option>
  <option name="mapping.seriesColors">[0x0060DD]</option>
  <option name="mapping.map.zoom">4</option>
</map>
```
single
Element for a single value visualization. This visualization type shows results for a search returning a single discrete value.
If you specify a search that returns multiple values, the single value panel displays the value from either the first row or first column of returned search data.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this panel. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for the visualization. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. The following terms are reserved for internal use and cannot be used for an |
rejects | Comma-separated list of tokens | | Prevent visualization rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
Parent elements
<row>
<panel>
Element structure
```
<single>
  <title> (0..1)
  <search> (0..1)
  <earliest> (0..1)
  <latest> (0..1)
  <option name="[property]"> (0..n)
```
Options
Property | Type | Default | Description |
---|---|---|---|
additionalClass | CSS class name | | Deprecated. Use the Format menu in Splunk Web to configure single value visualization ranges and color mapping. |
afterLabel | string | | Deprecated. Use underLabel for a descriptive caption. |
beforeLabel | string | | Deprecated. Use underLabel for a descriptive caption. |
classField | (classname | severe | high | elevated | guarded | low | None) | | Deprecated. Use the Format menu in Splunk Web or combine the colorBy, rangeValues, and rangeColors Simple XML options to configure ranges and colors. |
colorBy | ("trend" | "value") | "value" | Specifies whether all single value components are colored by delta value's color ("trend"), or by value's severity color ("value"). The only available colors are red, green, and black. By default, or if trendColorInterpretation is set to "standard", a positive trend color is green, a 0 trend value is black, and a negative trend value is red. If trendColorInterpretation is set to "inverse", then a positive trend is red, negative is green. |
colorMode | ("block" | "none") | "none" | Specifies what part of the visualization shows range color. block: Background displays the range color with white text. none: White background. Text displays the range color. |
drilldown | (all | none) | none | all: Drilldown enabled. none: Drilldown disabled. This option applies to the |
field | field name | First field returned | The field to display |
height | integer | 115 | Determines the single value's height in pixels. |
link.exportResults.visible | boolean | (See description) | Show the Export button at the bottom of the panel. Default value: The value of link.visible. |
link.inspectSearch.visible | boolean | (See description) | Show the Inspect button at the bottom of the panel. Default value: The value of link.visible. |
link.openPivot.visible | boolean | (See description) | Show the Open in Pivot button at the bottom of the panel. Default value: The value of link.visible. |
link.openSearch.search | search string | — | Indicate a non-default search string to use when users click the "Open in Search" button. |
link.openSearch.searchEarliestTime | (time modifier) | (See description) | The earliest time to use for the alternative search specified by link.openSearch.search. Default value: The earliest time used by the panel. Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers. |
link.openSearch.searchLatestTime | (time modifier) | (See description) | The latest time to use for the alternative search specified by link.openSearch.search. Default value: The latest time used by the panel. Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers. |
link.openSearch.text | text | Open in Search | Label for the "Open in Search" button. |
link.openSearch.viewTarget | view name | Search | Target view for the "Open in Search" button. |
link.openSearch.visible | boolean | (See description) | Show the "Open in Search" button at the bottom of the panel. Default value: The value of link.visible |
link.visible | boolean | true | Show link buttons at the bottom of the panel. |
linkFields | (result | beforelabel | afterlabel | underlabel) Comma-separated list | result | Deprecated |
linkSearch | search string | | Deprecated |
linkView | view name | (See description) | Deprecated |
numberPrecision | string | "0" | Specifies how many decimal places to display. For decimal precision, indicate the number of places using 0. followed by up to four zeroes. For example, "0.0" or "0.00". |
rangeColors | text | Defaults to standard rangemap severities (severe: red | high: orange | elevated: yellow | guarded: blue | low: green) | A string array that specifies the hex values for viz coloring in range order. The values map to each of the rangeValue ranges. The hex value format should be either '0xFFFFFF' or 'FFFFFF'. If there are more rangeColor hex values than ranges, excess rangeColor values at end of array will be ignored. If there are more rangeValues than rangeColors, then excess rangeValues appear dark gray if metric falls within that range. You can specify any number of colors. |
rangeValues | numeric array | no default | A numeric array that specifies the range limits for viz coloring. If there are more rangeColor hex values than ranges, excess rangeColor values at end of array will be ignored. If there are more rangeValues than rangeColors, then excess rangeValues appear dark gray if metric falls within that range. Use the |
refresh.auto.interval | integer | 0 | Deprecated. Use the refresh attribute to specify a dashboard or search refresh interval. |
refresh.time.visible | boolean | true | Display the refresh time indicator in the panel. |
refresh.link.visible | boolean | false | Display the refresh link in the panel. |
showSparkline | boolean | true | Specifies whether the single value hides its sparkline, if available. A sparkline is available for searches that use the |
showTrendIndicator | boolean | true | Specifies whether the single value hides its delta value, if available. |
trendColorInterpretation | ("standard" | "inverse") | "standard" | Specifies whether a field value greater than 0 is a positive (standard) or negative (inverse) development. |
trendDisplayMode | ("percent" | "absolute") | "absolute" | Specifies whether the delta amount is displayed as a percentage or an absolute count. |
trendInterval | text | "auto" | Specifies time range in the past from which to calculate a delta from the most recent data point in the same metric. Use the search syntax for time modifiers to indicate the range. For more information, see Specify time modifiers in your search in the Search Manual. |
underLabel | string | | Caption for the visualization. |
unit | string | | Measurement unit for the single value. Use a short string, such as "$" or "days". Use underLabel to add a descriptive caption. |
unitPosition | before or after | | Position for the unit, relative to the single value. Use either before or after to place the unit before or after the single value. |
useColors | boolean | false | Specifies whether all single value components are colored. Must be set to true for text coloring and color options availability. |
useThousandSeparators | boolean | true | Specifies whether to format the result value with thousand separators. |
table
A panel displaying search data as a table.
Attributes
Name | Type | Default | Description |
---|---|---|---|
depends | Comma-separated list of tokens | | All tokens from the list of tokens must be defined to render this panel. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
id | Text (minimum two characters) | | Identifier for the visualization. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. The following terms are reserved for internal use and cannot be used for an |
rejects | comma-separated list of tokens | | Prevent visualization rendering if one or more tokens in this list are defined. Tokens can be from the context of form inputs or from the context of in-page drilldown. |
Parent elements
<row>
<panel>
```
<table>
  <title> (0..1)
  <search> (0..1)
  <earliest> (0..1)
  <latest> (0..1)
  <fields> (0..1)
  <drilldown> (0..n)
  <format type="sparkline" field="[field name]"> (0..n)
  <option name="[property]"> (0..n)
```
Child element
element | Type | Default | Description |
---|---|---|---|
<format> | text | | A set of formatting options that determines how sparklines display in tables. See Sparkline options for details. |
Options
property | Type | Default | Description |
---|---|---|---|
count | Integer | 10 | The maximum number of rows to display. |
dataOverlayMode | (heatmap | highlow) | None | Indicates which type of overlay to display. |
displayRowNumbers | Boolean | True | (Deprecated) Use the rowNumbers attribute. |
drilldown | (all | cell | row | none | off) | cell | Enables drilldown on row or cell level, or disables drilldown. all, cell: Enables drilldown. These two values are equivalent. Enables drilldown on the cell level. row: Enables drilldown for a row. none: Disables drilldown but preserves hypertext styling. off: Disables drilldown and removes hypertext styling |
link.exportResults.visible | Boolean | (See description) | Show the Export button at the bottom of the panel. Default value: The value of link.visible. |
link.inspectSearch.visible | Boolean | (See description) | Show the Inspect button at the bottom of the panel. Default value: The value of link.visible. |
link.openPivot.visible | Boolean | (See description) | Show the Open in Pivot button at the bottom of the panel. Default value: The value of link.visible. |
link.openSearch.search | search string | — | The alternative search to use for the Open in Search button. |
link.openSearch.searchEarliestTime | (time modifier) | (See description) | The earliest time to use for the alternative search specified by link.openSearch.search. Default value: The earliest time used by the panel. Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers. |
link.openSearch.searchLatestTime | (time modifier) | (See description) | The latest time to use for the alternative search specified by link.openSearch.search. Default value: The latest time used by the panel. Specify the time using time modifiers. See Specify time modifiers in your search for information on specifying time modifiers. |
link.openSearch.text | text | Open in Search | The label to use for the Open in Search button. |
link.openSearch.viewTarget | View name | Search | The target view for the Open in Search button. |
link.openSearch.visible | Boolean | (See description) | Show the Open in Search button at the bottom of the panel. Default value: The value of link.visible |
link.visible | Boolean | true | Show link buttons at the bottom of the panel. |
percentagesRow | Boolean | false | Add a percentages summary row to the table. |
previewResults | Boolean | True | *Note: This option is deprecated. Enable preview of results before the search is complete. |
refresh.auto.interval (Deprecated) | Number | 0 | Deprecated. Use the refresh attribute to specify a dashboard or search refresh interval. |
refresh.time.visible | Boolean | true | Display the refresh time indicator in the panel. |
refresh.link.visible | Boolean | true | Display the refresh link in the panel. |
rowNumbers | Boolean | False | Toggle display of row numbers. |
showPager | Boolean | True | Toggle pagination on or off. |
totalsRow | Boolean | false | Add a column totals summary row to the table. |
wrap | Boolean | True | Enable wrapping of text in the results table. |
Example
Example of a table panel using an inline search, displaying five rows, and disabling row numbers:
```xml
<dashboard>
  <label>Dashboard with Table</label>
  <row>
    <panel>
      <table>
        <title>Top source types in the last 24 hours</title>
        <search>
          <query>
            index=_internal group=per_sourcetype_thruput
            | chart sum(kb) by series
            | sort -sum(kb)
          </query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">5</option>
        <option name="rowNumbers">0</option>
      </table>
    </panel>
  </row>
</dashboard>
```
title
Specifies text for the title of a <panel> element or the title for visualization elements.
Attributes
No attributes for <title>
Parent elements
<panel>
<chart> | <event> | <html> | <map> | <single> | <table>
```
<panel>
  <title> (0..1) <!-- Title at panel level -->
  <chart> | <event> | <html> | <map> | <single> | <table> (1..n)
    <title> (0..1) <!-- Title at visualization level -->
```
Examples
Specify a title for the <panel> containing a <table> visualization:
```xml
<panel>
  <title>Top sourcetypes in the last 24 hours</title>
  <table>
    <search>
      <query>
        index=_internal group=per_sourcetype_thruput
        | chart sum(kb) by series
        | sort -sum(kb)
      </query>
      <earliest>-24h</earliest>
      <latest>now</latest>
    </search>
    <option name="count">5</option>
    <option name="rowNumbers">0</option>
  </table>
</panel>
```
Specify a title for the <table> visualization:
```xml
<panel>
  <table>
    <title>Top sourcetypes in the last 24 hours</title>
    <search>
      <query>
        index=_internal group=per_sourcetype_thruput
        | chart sum(kb) by series
        | sort -sum(kb)
      </query>
      <earliest>-24h</earliest>
      <latest>now</latest>
    </search>
    <option name="count">5</option>
    <option name="rowNumbers">0</option>
  </table>
</panel>
```
Sparkline options
Note: for sparklines with single value visualizations, see the "<single>" subheading in this topic.
<format type="sparkline" field="[field name]">
Attributes
Name | Type | Default | Description |
---|---|---|---|
field | Field name | | Required. Specifies the field to which the sparkline is applied. |
type | String | sparkline | Required. sparkline is the only type supported. Specifies that a sparkline is being formatted. |
A set of formatting options that determines how sparklines display in tables. Sparkline options are only applicable to the <table> element. Specify a sparkline option using the <format> element within a <table> element.
Do not confuse the sparkline options here, which format a sparkline, with the sparkline function to the chart or stats search command. The formatting options listed here require a search that uses the sparkline() function. See Add sparklines to search results for information on implementing sparklines.
Caution: The sparkline options listed in this reference do not render when generating a PDF of a dashboard. Only the sparkline itself renders.
Parent elements
<table>
```
<table>
  <format type="sparkline" field="[field name]"> (0..n)
    <option name="[property name]"> (0..n)
```
Common options
Property | Type | Default | Description |
---|---|---|---|
chartRangeMax | Number | n/a | Specify an alternate maximum sparkline range value. |
chartRangeMin | Number | n/a | Specify an alternate minimum sparkline range value. |
height | CSS style | auto | Height of the chart. Specify any valid CSS width (for example, 1.5em, 20px). |
tooltipPrefix | text | | Text to place before each field displayed in a tooltip. |
tooltipSuffix | text | | Text to append to each field displayed in a tooltip. |
type | (bar | discrete | line) | line | Specifies the type of sparkline |
Options for bar charts
Property | Type | Default | Description |
---|---|---|---|
barSpacing | Number | | Space between each bar, in pixels. |
barWidth | Number | | Width of each bar, in pixels. |
colorMap | See description | | Range map to map specific values to selected colors. For example, if you want all values of -2 to appear yellow, use colorMap: { '-2': '#ff0' }. You can pass an array of values here instead of a mapping to specify a color for each individual bar. For example, if your chart has three values 1,3,1 you can set colorMap=["red", "green", "blue"]. |
Options for discrete charts
Property | Type | Default | Description |
---|---|---|---|
lineColor | CSS style | | Used by line and discrete charts to specify the color of the line drawn as a CSS values string |
lineHeight | Number | 30% of graph height | Height of each line, in pixels. |
thresholdColor | CSS color | | CSS color to use in combination with thresholdValue. |
thresholdValue | CSS color | | Draw values less than this using thresholdColor instead of lineColor |
Options for line charts
Property | Type | Default | Description |
---|---|---|---|
fillColor | CSS color | false | Specify the color to fill the area under the graph as a CSS value. Set to false to disable fill. |
highlightLineColor | CSS color | #f22 | CSS color for the vertical line that appears through a value when moused over. Set to null to disable. |
highlightSpotColor | CSS color | #f5f | Color for the spot that appears on a value when moused over. Set to null to disable. |
lineColor | CSS style | | Used by line and discrete charts to specify the color of the line drawn as a CSS values string |
lineWidth | Number | 1 | Line width, in pixels. |
maxSpotColor | CSS color | | CSS color of the marker displayed for the maximum value. Set to false or an empty string to hide it. |
minSpotColor | CSS color | | CSS color of the marker displayed for the minimum value. Set to false or an empty string to hide it. |
normalRangeMax | range (see description) | | With normalRangeMin, threshold values between which to draw a bar to denote the "normal" or expected range of values. For example the green (normal) bar in this range 80,85,84,88,98,114,116,104,95,85,84 might denote a normal operating temperature range. |
normalRangeMin | range (see description) | | With normalRangeMax, threshold values between which to draw a bar to denote the "normal" or expected range of values. For example the green (normal) bar in this range 80,85,84,88,98,114,116,104,95,85,84 might denote a normal operating temperature range. |
spotColor | CSS color | | CSS color of the final value marker. Set to false or an empty string to hide it. |
spotRadius | Number | 1.5 | Radius, in pixels, of all spot markers. |
valueSpots | range (see description) | | Points on which to draw spots, and with which color. Accepts a range. For example, to render green spots on all values less than 50 and red on values higher use {':49': 'green', '50:': 'red'} |
width | CSS style | auto | Width of the chart. Specify any valid CSS width (for example, 1.5em, 20px). This option does apply to bar and tristate type sparklines. |
Example
Sparkline of type bar with a color map:
```xml
<dashboard>
  <label>Sparkline Example</label>
  <row>
    <panel>
      <table>
        <title>Basic Sparkline Bar w/ Color Map</title>
        <!-- Set span for each sparkline datapoint to be 1 hour -->
        <search>
          <query>
            index=_internal
            | chart count sparkline(count, 1h) as trend by sourcetype
            | sort -count
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">3</option>
        <!-- Set sparkline options here; make sure that field matches field name of the search results -->
        <format type="sparkline" field="trend">
          <option name="type">bar</option>
          <option name="height">40</option>
          <!-- Use colorMap to map specific values to selected colors -->
          <option name="colorMap">
            <option name="2000:">#5379AF</option>
            <option name=":1999">#9ac23c</option>
          </option>
          <option name="barWidth">5px</option>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
```
fields
Comma-separated list of fields. Use the <fields> element to restrict searches to these fields.
Fields determine the columns in a table. Field names and values appear with each event in a list. The order of the fields in the comma-separated list determines the order of the columns in the table or event listing.
Parent elements
<event> <table>
```
<event> | <table>
  <fields> (0..1)
```
Example
Restrict the results of the search to the following fields:
_time, splunkd, splunk_web_access, splunk_web_service
```xml
<dashboard>
  <label>Fields Example</label>
  <row>
    <panel>
      <table>
        <search>
          <query>
            index=_internal
            | timechart count by sourcetype
          </query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <fields>_time, splunkd, splunk_web_access, splunk_web_service</fields>
        <option name="rowNumbers">0</option>
      </table>
    </panel>
  </row>
</dashboard>
```
option
The <option> tag applies a specific property to an element, such as a panel element. Use the name attribute to specify the property.
Typically, named options apply to a specific panel. However, some options can be applied to more than one panel.
Attributes
Name | Type | Default | Description |
---|---|---|---|
name | Property name (Required) | | Specifies the name of the specific property. The allowed values for <option> depend on the named property. Refer to the reference entry for each panel to see a list of named options and the allowed values. |
Parent elements
<chart> <event> <single> <table>
```
<chart> | <event> | <html> | <single> | <table>
  . . .
  <option name="[property]">[option value]</option> (0..n)
```
Example
```xml
<table>
  <title>Top sourcetypes in the last 24 hours</title>
  <search>
    index=_internal group=per_sourcetype_thruput
    | chart sum(kb) by series
    | sort -sum(kb)
  </search>
  <earliestTime>-1d</earliestTime>
  <latestTime>now</latestTime>
  <option name="count">5</option>
  <option name="rowNumbers">0</option>
</table>
```
search element
Use the search element to create searches for <dashboard>, <form>, and panel visualization elements. You also use the search element to populate choices for form inputs.
search
Defines a search for a dashboard, form, or panel. For form inputs, defines dynamic choices for the inputs.
- Inline search: A search specified in a visualization. Use the <query> element to specify an inline search.
- Reports: A search referenced from a report. Use the ref attribute to reference a report. The panel contains a visualization that is based on both the search and visualization from the referenced report. You cannot modify the search but you can change and configure the visualization for the search results. If the search in the report changes, the panel based on that report updates to include the changes.
- Populating search for input: A search that populates choices for a form input. Use search as a child element of a form input to populate choices for checkbox, dropdown, multiselect, and radio inputs. The populating search uses the form input child elements, <fieldForLabel> and <fieldForValue>, to populate the choices. Do not use real-time searches for populating searches. The input choices do not update correctly when using a real-time search.
- Global searches: A search from the <dashboard> or <form> context is a global search. Use a global search as the base search for post-process searches. A global search should always have an id attribute that a post-process search can reference.
- Post-process searches: A search that further modifies results from a base search. Use the base and id attributes to implement post-process searches. A post-process search uses the base attribute to reference the id attribute of the base search. The base search can be a global search or a search at the panel level. Specify <earliest> and <latest> elements with the base search. The post-process search ignores <earliest> and <latest> elements that are child elements to the post-process search.
  - Caution: Passing a large number of search results from a base search can cause a server time out. In this scenario, consider reducing the following.
    - The number of results and fields returned from the base search.
    - The complexity of the post-process operations on these results.
  - For more information on post-process searches, see Post-process searches in this manual.
Attributes
Name | Type | Default | Description |
---|---|---|---|
app | text | | The name of an app. Use the |
base | text | | A reference to a base search by a post-process search. Reference a base search in the current dashboard by the |
id | Text (minimum two characters) | | Identifier for a search. A post-process search references a base search by this identifier. Only alphanumeric and underscore characters are valid. Cannot begin with a number or the underscore character. The following terms are reserved for internal use and cannot be used for an |
ref | text | | Reference to a report containing a search. If you are referencing a report in another app, use the |
Parent elements
<form>
<dashboard>
<panel>
<chart> <event> <map> <single> <table>
Child elements
Element | Type | Default | Description |
---|---|---|---|
<cache> | For saved searches, use one of the following values.
|
scheduled
|
|
<cancelled> | N/A | N/A | Execute actions when a search is cancelled. |
<done> | N/A | N/A | Execute actions based on finished search events. Includes job properties and first result row. |
<error> | N/A | N/A | Execute actions when there is a search error event, such as an invalid query. |
<earliest> and <latest> | text | | Optional time expressions that specify the earliest and latest time parameters for a search. Post-process searches ignore child <earliest> and <latest> elements. Instead, the <earliest> and <latest> elements from the base search are used. You can specify the time as relative time or absolute time. For relative time, use relative time modifiers, as described in Specify relative time ranges in your search in the Search Manual. For absolute time, specify the time in UNIX epoch time format. Note: UNIX epoch time format for absolute time in Simple XML is different from the SPL absolute time format used in queries. |
<progress> | | | Execute an action on search progress events. Access job properties and the first results row. |
<query> | text | | Search string for the query. |
<refresh> | Integer or relative time expression | No refresh | Indicate a delay or interval time for inline or saved searches. This setting does not apply to post-process searches, which refresh automatically when their base search refreshes. Integers are handled as seconds. Use SPL syntax for relative time expressions. For example, 1h5m or 5m. Use the <refreshType> setting to specify refresh behavior in relation to search completion or dispatch. You can use the <refresh.display> setting in a visualization to specify a refresh progress indicator. |
<refreshType> | interval or delay | delay | Indicate the starting time for counting down to a refresh. Use delay to start counting when the search is done. Use interval to count down when the search is dispatched. If the runtime of the search is longer than the configured time, the search job is cancelled and a new job is dispatched. |
<sampleRatio> | number | | Event sampling ratio. To learn more, see Event sampling with reports and dashboard panels in the Search Manual. |
Base search from inline search
<search id=[base ID]>
  <query>[search string]</query> (1)
  <earliest> (0..1)
  <latest> (0..1)
Base search from report
<search id=[base ID] [ref=[report name]]>
  <earliest> (0..1)
  <latest> (0..1)
Post-process search
<search base=[base ID]> (0..n)
  <query>[post-process search string]</query> (1)
Examples
- Dashboard with base search and two post-process searches.
<dashboard>
  <label>Dashboard with post-process search</label>
  <description></description>
  <!-- Example uses stats transforming command -->
  <!-- This limits events passed to post-process search -->
  <search id="baseSearch">
    <query>
      index=_internal source=*splunkd.log | stats count by component, log_level
    </query>
    <earliest>-30d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <chart>
        <title>Event count by log level</title>
        <!-- post-process search -->
        <search base="baseSearch">
          <query>
            stats sum(count) AS count by log_level
          </query>
        </search>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Error count by component</title>
        <!-- post-process search -->
        <search base="baseSearch">
          <query>
            search log_level=error | stats sum(count) AS count by component
          </query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</dashboard>
- Dashboard with empty post-process search.
<dashboard>
  <label>Dashboard with empty post-process search</label>
  <description></description>
  <!-- Example uses stats transforming command -->
  <!-- This limits events passed to post-process search -->
  <search id="baseSearch">
    <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
    <earliest>-30d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <chart>
        <title>Count by component, log level (from post-process search)</title>
        <!-- post-process search -->
        <search base="baseSearch">
          <query>stats sum(count) AS count by log_level</query>
        </search>
        <option name="charting.axisY.scale">log</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Count by component (from base search)</title>
        <!-- empty post-process search -->
        <search base="baseSearch" />
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</dashboard>
Drilldown elements
drilldown
Define custom destinations to link to when a user clicks on fields in a dashboard or form.
- Specify a path to the destination using the <link> tag.
- Set or unset tokens using the <set> or <unset> tags.
- Specify a condition for setting or unsetting tokens.
Note: You can specify one or more actions (<link>, <set>, <unset>) or conditions (<condition>) directly within <drilldown>, but you cannot specify both actions and conditions.
For details see Dynamic drilldown in dashboards and forms.
Attributes
Name | Type | Default | Description |
---|---|---|---|
target | text | — | Corresponds to the target attribute of the HTML <a> tag. Specify "_blank" to open the drilldown in a new window. Specify "_self" to open the drilldown in the same window. Specify an arbitrary string to open the drilldown in a new window. Subsequent references to this target open in this window. |
Parent elements
<chart> <event> <map> <single> <table>
<drilldown> ( <link> | <set> | <unset> ) (1..n) | <condition> (1..n)
Example 1: Pass a value to a form
<table>
  <search>index=_internal</search>
  <!-- Pass the clicked row's 'count'-column value -->
  <!-- to populate a destination form's 'foo' token. -->
  <drilldown>
    <link>
      /app/search/simple_xml_form?form.foo=$row.count$
    </link>
  </drilldown>
</table>
Example 2: Pass parameters to a form
<table>
  <search>index=_internal</search>
  <!-- Pass the clicked cell's value, earliest time, -->
  <!-- and latest time to a destination form's -->
  <!-- token ('foo') and search parameters -->
  <drilldown>
    <link>
      <![CDATA[
        /app/search/simple_xml_form?form.foo=$click.value2$&earliest=$earliest$&latest=$latest$
      ]]>
    </link>
  </drilldown>
</table>
Example 3: Pass a value from a chart to a website
<chart>
  <search>
    index=_internal | chart count by sourcetype
  </search>
  <option name="charting.chart">column</option>
  <!-- $click.value$ captures the value clicked by the user -->
  <!-- From the x-axis of a column chart and passes -->
  <!-- it to the website as a query parameter -->
  <drilldown>
    <link>
      http://splunk-base.splunk.com/integrated_search/?q=$click.value$
    </link>
  </drilldown>
</chart>
condition (drilldown)
Limits the scope of drilldown actions to clicks on specific fields. If the <condition> element is not present, then drilldown actions apply to all fields.
Note: The <condition> element applies to both input elements and drilldown elements. See <condition> (input) for details.
Parent element
<drilldown>
<condition> (<link> | <set> | <unset>) (1..n)
Attributes
Name | Type | Default | Description |
---|---|---|---|
field | text | * | Specifies the search field on which to implement the drilldown, or to set or unset a token. |
label | text | * | Input context only. Specifies the input <label> element to which the condition applies. |
value | text | * | Input context only. Specifies the input <value> element to which the condition applies. |
Example
See the example for <set> for using the <condition> tag to set a token for in-page drilldown.
See the example for <unset> for using multiple <condition> tags.
selection
Sets the time window for the pan and zoom feature of charts. You can also use tokens to set other values, such as the numerical values of the x-axis in a chart.
Only applies to charts of type area, column, or line.
See Chart controls for details on the pan and zoom feature of charts.
Parent elements
<chart>
<option name="charting.chart">area</option>
| <option name="charting.chart">column</option>
| <option name="charting.chart">line</option>
Use pre-defined tokens to capture the earliest and latest time of the time window and the earliest and latest values within that time window for a field.
For example:
<selection>
  <set token="selection.earliest">$start$</set>
  <set token="selection.latest">$end$</set>
  <set token="start.[fieldname]">$start.[fieldname]$</set>
  <set token="end.[fieldname]">$end.[fieldname]$</set>
</selection>
Can also be used to set a drilldown link.
<selection> <link>
Attributes
No attributes for this element.
Example
A selection on the left chart zooms into the right chart with details for the selected area.
<dashboard>
  <label>Pan and Zoom</label>
  <row>
    <panel>
      <chart>
        <title>Pan and Zoom (All source types)</title>
        <search>
          <query>
            index=_internal | timechart count by sourcetype
          </query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart">line</option>
        <selection>
          <set token="selection.earliest">$start$</set>
          <set token="selection.latest">$end$</set>
          <set token="start.splunk_web_access">$start.splunk_web_access$</set>
          <set token="end.splunk_web_access">$end.splunk_web_access$</set>
        </selection>
        <option name="charting.axisTitleX.text">Last 7 Days</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Pan and Zoom (Web access source type)</title>
        <search>
          <query>
            index=_internal sourcetype=splunk_web_access | timechart count by sourcetype
          </query>
          <earliest>$selection.earliest$</earliest>
          <latest>$selection.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.legend.placement">none</option>
        <option name="charting.legend.masterLegend">null</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisTitleX.text">Selected Time Range</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <h3>Token values for the splunk_web_access selection</h3>
        <table border="0" cellpadding="12" cellspacing="0">
          <tr>
            <td>
              <p><b>Time range (epoch time)</b></p>
              <p>
                <b>$$selection.earliest$$</b>: $selection.earliest$<br/>
                <b>$$selection.latest$$</b>: $selection.latest$
              </p>
            </td>
            <td>
              <p><b>Count at the beginning and end of time range.</b></p>
              <p>
                <b>$$start.splunk_web_access$$</b>: $start.splunk_web_access$<br/>
                <b>$$end.splunk_web_access$$</b>: $end.splunk_web_access$</p>
            </td>
          </tr>
        </table>
      </html>
    </panel>
  </row>
</dashboard>
Drilldown event tokens
For dynamic drilldown, these are the event tokens, and their values, that are available for each type of visualization.
chart (event tokens)
The clicked field name is the name of the field or series for the y-axis if present (similar to click.name2). If the name of the field or series is not available, the field or category for the x-axis is used (click.name).
Data Property | Description |
---|---|
click.name | Name of the field or category for the x-axis. Not available when the legend has been clicked. |
click.value | Value of the field or category for the x-axis. Not available when the legend has been clicked. |
click.name2 | Name of the field or series for the y-axis. |
click.value2 | Value of the field or series for the y-axis. Not available when the legend has been clicked. |
row.<fieldname> | Any field values along the y-axis at the same point as the click on the x-axis. Not available when the legend has been clicked. |
row.<x-axis-name> | Value of the x-axis. Not available when the legend has been clicked. |
earliest/latest | Time range of the clicked chart segment, or if not applicable, the time range of the search. |
event (event tokens)
The value for click.name depends on the context of the click, as described below:
Data Property | Description |
---|---|
click.name | The field name associated with the click.
For cases in the event viewer where the field name is ambiguous:
|
click.value | Value associated with the click. |
click.name2 | Identical to click.name. |
click.value2 | Identical to click.value. |
row.<fieldname> | Exposes each field value as row.<fieldname>. |
earliest/latest | Time range of the clicked event, which is:
|
map (event tokens)
The field for the <condition> tag in dynamic drilldown always corresponds to click.name.
Data Property | Description |
---|---|
click.name | Name of the first, or only field, that displays the marker. |
click.value | Value of the first, or only field, that displays the marker. |
click.name2 | Same as click.name. |
click.value2 | Same as click.value. |
click.lat.name | For cluster maps: latitude field name for the clicked location. |
click.lat.value | For cluster maps: latitude field value for the clicked location. |
click.lon.name | For cluster maps: longitude field name for the clicked location. |
click.lon.value | For cluster maps: longitude field value for the clicked location. |
click.bounds.<orientation> | For cluster maps: south, west, north, or east outer boundary for the clicked location. For example, use $click.bounds.east$ to get the eastern outer boundary. |
row.<fieldname> | Each field value of the clicked marker is exposed in this form. |
earliest/latest | Time range of the search driving the map visualization. |
single (event tokens)
The field for the <condition> tag in dynamic drilldown always corresponds to click.name.
Data Property | Description |
---|---|
click.name | Name of the field that is displayed by the single value visualization. |
click.value | Value that is displayed by the single value visualization. |
click.name2 | Same as click.name. |
click.value2 | Same as click.value. |
row.<fieldname> | Exposes each field in the same result row from which the single value is taken. |
earliest/latest | Time range of the search driving the single value visualization. |
table (event tokens)
The field for the <condition> tag in dynamic drilldown always corresponds to click.name2.
Data Property | Description |
---|---|
click.name | Name of the leftmost field that is displayed in the table. This is always _time, if present. |
click.value | Value of the left-most column in the clicked row. |
click.name2 | Name of the clicked column. |
click.value2 | Value of the clicked column. |
row.<fieldname> | All field values for the clicked table row, including those fields that are not displayed. |
earliest/latest | Time range of the clicked table row, or if not applicable, the time range of the search. |
Eval, Link, Set, and Unset
Set or update token values to create dynamic content or behavior changes. See also Token usage in dashboards to learn about using the <init> element to set tokens on page load.
eval
Add custom logic to a dashboard. See Custom logic for dashboard eval expressions for more information.
Parent elements
<drilldown><condition>
<search><condition>
<change><condition>
<drilldown> <eval token="[token_name]">
<drilldown> <condition> <eval token="[token_name]">
<change> <eval token="[token_name]">
<change> <condition> <eval token="[token_name]">
<search> <condition> <eval token="[token_name]">
<search> <eval token="[token_name]">
Attributes
Name | Type | Default | Description |
---|---|---|---|
token | text | None | Token whose value is the result of the <eval> expression. In an <eval> expression, you can use either $...$ delimiters or single quote delimiters for tokens. For example, both of the following options are valid.
|
Example
This example uses <eval> to compute and display job duration in the dashboard.
<dashboard stylesheet="eval_tokens.css">
  <label>Eval Tokens</label>
  <row>
    <panel>
      <title></title>
      <search id="search_logic">
        <query>index=_internal | top sourcetype</query>
        <earliest>0</earliest>
        <latest>now</latest>
        <progress>
          <eval token="duration">tostring(tonumber($job.runDuration$),"duration")</eval>
        </progress>
      </search>
      <chart>
        <title>Top sourcetypes for index=_internal</title>
        <search base="search_logic" />
        <option name="charting.chart">bar</option>
      </chart>
      <html>
        <h3>Duration</h3>
        <div class="custom-result-value">$duration$</div>
      </html>
    </panel>
  </row>
</dashboard>
link
Specifies a link to a destination for drilldown or for a selected input choice.
<link> can be a child tag of <change>, <drilldown>, <search>, or <condition>.
Use <link> as a child tag of <condition> when you want to configure distinct drilldown actions for specific fields or inputs. Otherwise, use <link> as a child tag of <change> or <drilldown>.
There are various ways to specify a destination for the drilldown using relative paths or a URL, as described below.
Parent elements
<drilldown><condition>
<search><condition>
<change><condition>
<drilldown> <link>
<drilldown> <condition> <link>
<change> <link>
<change> <condition> <link>
<search> <condition> <link>
<search> <link>
Attributes
Name | Type | Default | Description |
---|---|---|---|
field | Field name | Deprecated. Use <condition field="[field]"...>
(<drilldown> only) Specifies which values to capture in a table from the specified column or row. Cannot be specified together with the Although the field attribute is supported, Splunk recommends that you specify fields with the <condition> tag. | |
series | Series name | Deprecated. Use <condition field="[field]"...>
(<drilldown> only) Specifies which values to capture in a chart from the specified series. Cannot be specified together with the Although the series attribute is supported, Splunk recommends that you specify series with the <condition> tag. | |
target | text | — | Corresponds to the target attribute of the HTML <a> tag. Specifying target for the <link> element overrides the value of target specified in the <drilldown> element. Specify "_blank" to open the drilldown in a new window. Specify "_self" to open the drilldown in the same window. Specify an arbitrary string to open the drilldown in a new window. Subsequent references to this target open in this window. |
Parent element
<drilldown><condition>
1) <link> [viewname] </link>
2) <link> [path/viewname] </link>
3) <link> [path/viewname?form.token=$dest_value$] </link>
4) <link> [path/viewname?form.token=$dest_value$&earliest=$earliest$&latest=$latest$] </link>
5) <link> [URL?q=$dest_value$] </link>
1. Use the specified view, which must be in the same path as the current dashboard.
2. Relative path to connect to a dashboard.
3. Relative path to connect to a form, passing in a token to populate the form.
4. Pass in the earliest and latest time range from the original search. (Requires use of CDATA to escape special characters.)
5. URL and query argument to pass a value to the destination page.
Path values | Description |
---|---|
path | A path to the destination view from the current view. Typically, you specify path as: /app/app_name/. However, you can also specify a relative path, based on the app context of the source and destination views. |
viewname | The name of the Splunk view you are using for a destination. |
$dest_value$ | Specifies how to capture a value from a visualization. See Drilldown event tokens for details on each visualization. |
URL | Specify a URL to a web page. Use the full address, including the protocol. For example: http://. |
q | When specifying a URL, use q to specify the value of dest_value in a query string to a web resource. |
Example
Use <link> with conditional inputs to open a new page.
<form>
  . . .
  <fieldset>
    <input type="dropdown" token="openNewPageToken">
      <label></label>
      <default>Select a page to open</default>
      <choice value="">Select a page to open</choice>
      <choice value="manager_page">View prebuilt panels</choice>
      <choice value="splk_page">Open Splunk home page</choice>
      <change>
        <condition value="manager_page">
          <link target="_blank">
            /manager/search/data/ui/panels?ns=-&amp;pwnr=-&amp;search=&amp;count=25
          </link>
        </condition>
        <condition value="splk_page">
          <link target="_blank">
            http://splunk.com
          </link>
        </condition>
      </change>
    </input>
  </fieldset>
  . . .
</form>
set
Allows you to publish new global tokens that can be consumed by any other element or search within the dashboard. You typically publish tokens when using form inputs or when using drilldown.
For form inputs, specify tokens for actions to take for specific inputs.
For drilldown, specify the value to capture when clicked. The value can be set dynamically using a token.
For form inputs, <set> can be a child tag of <change> or <condition>. For drilldown, <set> can be a child tag of <drilldown> or <condition>.
Use <set> as a child tag of <condition> when you want to configure distinct actions for specific inputs or for fields for drilldown. Otherwise, use <set> as a child tag of <change> or <drilldown> to specify an action for all inputs or for all fields.
Parent elements
<change>
<drilldown>
<condition>
There are two ways to set a value of a token.
1. Use a template to combine input tokens and static portions to form the new token value. Templates let you reference multiple tokens when setting the value, and also specify quotes for the value using the |s token filter.
<set token="Token Name">sourcetype=$click.value|s$</set>
2. Use the prefix and suffix attributes to specify static portions for the input token. The following is equivalent to the template example above.
<set token="Token Name" prefix="sourcetype=&quot;" suffix="&quot;">$click.value$</set>
Attributes
Name | Type | Default | Description |
---|---|---|---|
token | Token name | | Required. The name of the token to be consumed by the target visualization on the same page. |
prefix | text | | String to place before the value of the token. |
suffix | text | | String to append to the value of the token. |
Example
A click on the table sets a token which is consumed by the search of the chart visualization.
<dashboard>
  <label>In-page Drilldown</label>
  <row>
    <panel>
      <table>
        <title>Set sourcetype token on click</title>
        <search>
          <query>
            index=_internal | stats count by sourcetype
          </query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <condition field="sourcetype">
            <set token="sourcetype">$click.value2$</set>
          </condition>
        </drilldown>
      </table>
      <chart>
        <title>Chart for $sourcetype$</title>
        <search>
          <query>
            index=_internal sourcetype=$sourcetype$ | timechart count by sourcetype
          </query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>
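The in-page drilldown example above places $sourcetype$ into the chart's <query> without the |s token filter, so the clicked value reaches the search string unquoted. The following check is an added example, not part of the Splunk documentation: it parses a dashboard and lists every <query> that consumes a form-input or click-derived token without |s. The function names and the two sample dashboards (condensed from the example above) are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# $name$ or $name|filter$, for example $click.value2$ or $sourcetype|s$
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.:]*)(?:\|(\w+))?\$")
CLICK_PREFIXES = ("click.", "row.")


def tokens_in(text):
    """Return [(name, filter_or_None)] for every token reference in text."""
    # "$$" renders a literal dollar sign in Simple XML, so drop it first.
    return [(m.group(1), m.group(2))
            for m in TOKEN_RE.finditer((text or "").replace("$$", ""))]


def user_fed_tokens(root):
    """Token names filled by a form <input> or by a drilldown <set> of a click value."""
    names = {i.get("token") for i in root.iter("input") if i.get("token")}
    for drilldown in root.iter("drilldown"):
        for set_el in drilldown.iter("set"):
            clicked = any(n.startswith(CLICK_PREFIXES)
                          for n, _ in tokens_in(set_el.text))
            if clicked and set_el.get("token"):
                names.add(set_el.get("token"))
    return names


def unquoted_query_tokens(xml_text):
    """List (token, query) pairs where a user-fed token enters a <query> without |s."""
    root = ET.fromstring(xml_text.strip())
    fed = user_fed_tokens(root)
    findings = []
    for q in root.iter("query"):
        query = " ".join((q.text or "").split())  # collapse layout whitespace
        for name, flt in tokens_in(query):
            base = name.split(":")[-1]            # drop a "submitted:" style namespace
            if base.startswith("form."):
                base = base[len("form."):]
            if (base in fed or base.startswith(CLICK_PREFIXES)) and flt != "s":
                findings.append((base, query))
    return findings


# Constructed sample: the in-page drilldown example, condensed.
UNQUOTED = """
<dashboard>
  <row><panel>
    <table>
      <search><query>index=_internal | stats count by sourcetype</query></search>
      <drilldown>
        <condition field="sourcetype">
          <set token="sourcetype">$click.value2$</set>
        </condition>
      </drilldown>
    </table>
    <chart>
      <search>
        <query>index=_internal sourcetype=$sourcetype$ | timechart count by sourcetype</query>
      </search>
    </chart>
  </panel></row>
</dashboard>
"""
# Same dashboard with the |s token filter applied in the consuming query.
QUOTED = UNQUOTED.replace("sourcetype=$sourcetype$", "sourcetype=$sourcetype|s$")

if __name__ == "__main__":
    for token, query in unquoted_query_tokens(UNQUOTED):
        print(f"token ${token}$ used without |s in: {query}")
```

A finding is a prompt for review rather than proof of a defect: a token that intentionally carries a whole search fragment cannot be wrapped in quotes.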
unset
Use <unset> to remove a token that was previously set.
Parent element
<change>
<condition>
<drilldown>
<condition>
<change>
<drilldown>
<unset token="Token Name">
Attributes
Name | Type | Default | Description |
---|---|---|---|
token | Token name | Required The name of a token that was previously set, but to be ignored. |
Example
Use <set> and <unset> to define the visualization to use.
Use token definitions to hide a panel.
<dashboard>
  <label>Example for &lt;set&gt; and &lt;unset&gt;</label>
  <row>
    <panel>
      <table>
        <title>Set sourcetype token</title>
        <search>
          <query>
            index=_internal | stats count by sourcetype
          </query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <!-- For the sourcetype field clicked: -->
          <!-- Set token to display a chart -->
          <!-- Unset token to display a table -->
          <condition field="sourcetype">
            <set token="sourcetype">$row.sourcetype$</set>
            <set token="showChart">foo</set>
            <unset token="showTable"></unset>
          </condition>
          <!-- For any other field clicked: -->
          <!-- Set token to display a table -->
          <!-- Unset token to display a chart -->
          <condition field="*">
            <set token="sourcetype">$row.sourcetype$</set>
            <set token="showTable">foo</set>
            <unset token="showChart"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
    <!-- Hide the html panel when either token is present -->
    <!-- Click in the original table to set either token -->
    <panel>
      <html rejects="$showTable$, $showChart$">
        <h2>Details</h2>
        <div style="padding: 50px; margin: 0 auto; width: 350px;">
          <div class="alert alert-warning">
            <i class="icon-alert"/>
            Click on a row in the table on the left to show details.
          </div>
        </div>
      </html>
      <!-- if showChart token is set, display results here -->
      <chart depends="$showChart$">
        <title>Details for $submitted:sourcetype|s$</title>
        <search>
          <query>
            index=_internal sourcetype=$sourcetype|s$ | timechart count by sourcetype
          </query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
      </chart>
      <!-- if showTable token is set, display results here -->
      <table depends="$showTable$">
        <title>Details for $submitted:sourcetype|s$</title>
        <search>
          <query>
            index=_internal sourcetype=$sourcetype|s$ | timechart bins=10 count by sourcetype
          </query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>
Deprecations and removals
Check the Deprecated features list in the Release Notes for information on deprecated or removed elements.
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7