Thursday, May 9, 2019

Splunk Dashboard Tricks - Update Time Range for All Panels Using Splunk Timechart Selection

By Tony Lee


Have you ever wanted to update the time range for all of the panels in a dashboard using a timechart selection? (See screenshot below)


Figure 1:  Timechart selection to update earliest and latest variables

This takes only a small amount of code, but the process is not intuitive, which makes it a perfect subject for a blog article.

At first we thought this would be a drilldown feature and spent many precious minutes in the GUI editor. However, my sharp colleague Arjun Mathew pointed out an obscure docs article that contained information regarding "selection". Then we found this other more concise article on Chart Controls:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/Chartcontrols


How it works

As mentioned before, we do not believe this is exposed through the GUI, so you will need to use the Simple XML editor. We are updating the dashboard code (first timechart panel) we provided in the 4740 account lockout article (http://securitysynapse.com/2018/08/troubleshooting-windows-account-lockout-part-i.html) to add this feature.

Inside of the <chart> tags, we will add the following:

        <selection>
          <set token="form.time.earliest">$start$</set>
          <set token="form.time.latest">$end$</set>
        </selection>

This sets the form.time.earliest and form.time.latest tokens in that dashboard in real time. These tokens control all of the remaining panels in the 4740 dashboard, which makes it a perfect use case for letting a timechart drive the sub panels.
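A minimal dashboard showing where the selection block sits and how a second panel picks up the selected range, as an added example that is not the dashboard from the original article. The index name, the `user` field and the titles are placeholder assumptions, and the time input is assumed to use the token `time`, which is what `form.time.earliest` and `form.time.latest` refer to.

```xml
<form>
  <label>Account lockouts (4740) - constructed example</label>
  <fieldset submitButton="false">
    <!-- Time picker with token "time"; <selection> below writes to form.time.* -->
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Lockouts over time (drag to select a range)</title>
        <search>
          <!-- index name is a placeholder assumption -->
          <query>index=wineventlog EventCode=4740 | timechart count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <!-- $start$ and $end$ are the bounds of the dragged selection -->
        <selection>
          <set token="form.time.earliest">$start$</set>
          <set token="form.time.latest">$end$</set>
        </selection>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Locked accounts in the selected range</title>
        <search>
          <!-- the "user" field name is a placeholder assumption -->
          <query>index=wineventlog EventCode=4740 | stats count by user</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Any panel whose search hard-codes its own earliest and latest values instead of referencing the time input tokens will not follow the selection.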

Conclusion

We hope that highlighting the selection tag gets it more use in creating a better user experience. For right now, it is not controlled via the web UI editor; however, as its popularity grows, this may change. Happy Splunking!


