Splunk Dashboard 语法

Splunk Dashboard 数据展示，Demo

Splunk 搜索 相关SPL 语法

• 子查询，结果集格式化
• 去重
• 时间格式化
• 分页相关设置

查询分解

<query>
                source=demo_pardot_prospect_visit                     # 数据源来源
                    [                                                 # 子查询
                        search source=demo_pardot_prospect        
                        |table id email                               # 从结果中展示字段
                        | search email="$email$"                      # 从页面参数过滤
                        | fields id                               
                        | rename id as prospect_id                    # 重命明
                        |dedup prospect_id                            # 去除重复选项
                        | format "" "(" "" ")" "OR" ""                # 格式化，如果不存在值
                    ] 
                | table prospect_id craeted_at updated_at visitor_id  # 从以上来源 数据和唯一个表
                | sort updated_at                                     # 排序
              
  </query>

其他语法

          | eval tnow = now()           # 动态执行代码
          |  convert ctime(tnow)        # 格式化

分页参数

             <option name"count">20</option>
            <option name"dataOverlayMode">none</option>
            <option name"drilldown">cell</option>
            <option name"percentagesRow">false</option>
            <option name"rowNumbers">false</option>
            <option name"totalsRow">false</option>
            <option name"wrap">false</option>

示例

<form>
<label></label>
<fieldset submitButton="true" outoRun="true">
    <input type="text" token="email" searchEWhenChanged="false">
        <default>*</default>
        <label>email</label>
    </input>
    <input type="dropdown" token="product_line" searchWhenChanged="false">
        <default>*</default>
        <label>product_line</label>
        <choice value ="dropdown_product_line1">dropdown_product_line1</choice>
        <choice value ="dropdown_product_line2">dropdown_product_line2</choice>
    </input>
    <input type="time" token="global_time_input_tok" >
        <label></label>
        <default>
            <earliest>0</earliest>
            <latest></latest>
        </default>
    </input>
</fieldset>
<row>
    <panel>
        <table>
            <title></title>
            <search>
                <query>
                source=demo_pardot_prospect_visit    
                    [
                        search source=demo_pardot_prospect 
                        |table id email 
                        | search email="$email$" 
                        | fields id 
                        | rename id as prospect_id 
                        |dedup prospect_id 
                        | format "" "(" "" ")" "OR" "" 
                    ] 
                | table prospect_id craeted_at updated_at visitor_id 
                | sort updated_at
                </query>
                <earliest>$earliest$</earliest>
                <latest>$latest$</latest>
                <sampleRatio>1<sampleRatio>
            </search>
            <option name"count">20</option>
            <option name"dataOverlayMode">none</option>
            <option name"drilldown">cell</option>
            <option name"percentagesRow">false</option>
            <option name"rowNumbers">false</option>
            <option name"totalsRow">false</option>
            <option name"wrap">false</option>
            
        </table>
    </panel>
    <panel>
    .....
    </panel>
</row>