How to add filter specific to each column in SPLUNK dashboard

Question

I am creating a Dashboard from Splunk log

In this dashboard, I want to want to add the filter to each column. Just by writing into filter text box, data need to be filtered. something like this.

Here is source detail

<dashboard>
  <label>dataReportTable</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd source="D:\\Software\\var\\log\\splunk\\splunkd.log"|
dedup _time, message | table _time, message</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

score 0 · Answer 1 · answered May 13 '17 at 23:29

0

Like this:

| multisearch
    [ |makeresults | eval _time = "   Search Time", message = "   Search Message" ]
    [ YOUR ORIGINAL SEARCH HERE ]

If you need it to be tokenized, then like this:

| multisearch
    [ |makeresults | eval _time = "   " . $time_token$, message = "   " . $message_token$ ]
    [ YOUR ORIGINAL SEARCH HERE ]

answered May 13 '17 at 23:29

Gregg Woodcock

1
1

Sorry, doesn't work. Gives this error: `Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 1 contains a non-streaming command)`. – Suraj Feb 18 '22 at 18:17

How to add filter specific to each column in SPLUNK dashboard

1 Answers1