Hi,
My main goal is to build a Dashboard/Form that accepts a user input of a filename. The Dashboard/Form then filters through the logs to display the movement of a file across numerous processes, displaying the filename and the processors name it goes through.
Doing the initial search by filename and displaying the logs retrieved (including the processor's name) is pretty straightforward (I did this using a Form to allow a user input).
The problem I'm having is that in some of the processes the file's name gets changed. The following steps outline what's happening and what I'd like displayed (the Splunk filtering steps/methods are only suggestive). Bold lines depict what would be shown in the Dashboard/form.
- User inputs filename as "Filename1" and clicks search
- Splunk searches logs and starts displaying results in order of date/time. E.g.:
**30 July 2013 1100 Process1 filename=Filename1**
- Splunk checks log for new filename: "False"
**30 July 2013 1101 Process2 filename=Filename1**
- Splunk checks log for new filename: "False"
**30 July 2013 1102 Process3 filename=Filename1 newFilename=Filename2**
- Splunk checks log for new filename: "True"
- Continue search with new filename and display logs relating to new filename
**30 July 2013 1103 Process4 filename=Filename2**
- Splunk checks log for new filename: "False"
**30 July 2013 1104 Process5 filename=Filename2 newFilename=Filename3**
- Splunk checks log for new filename: "True"
- Continue search with new filename and display logs relating to new filename
**30 July 2013 1105 Process6 filename=Filename3**
Sorry if it seems a bit long-winded, that was the best way I could think of to explain it :)
Any help in how to construct such a Dashboard in either Simple or Advanced XML would be much appreciated.
I say this as it's looking like I will be required to become proficient in Splunk Dashboard creation and it was suggested that if I'm heading down that path that I should learn Advanced XML. So I'm happy to hear any thoughts regarding that advice :)
Thanks and regards,
Mark
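The rename-following logic the post describes, as an added example that is not part of the original post or of Splunk's own code: it runs in Python over constructed log lines in the post's format, walks them in time order, switches to each newFilename when one appears, and stops if renames ever loop back to a name already seen. The line format, the regex, and the loop guard are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log lines in the format shown in the post (not real data).
# The last line is a decoy: a different file that gets renamed to Filename1
# after our file has already moved on, so it must not be picked up.
SAMPLE_LOGS = """\
30 July 2013 1100 Process1 filename=Filename1
30 July 2013 1101 Process2 filename=Filename1
30 July 2013 1102 Process3 filename=Filename1 newFilename=Filename2
30 July 2013 1103 Process4 filename=Filename2
30 July 2013 1104 Process5 filename=Filename2 newFilename=Filename3
30 July 2013 1105 Process6 filename=Filename3
30 July 2013 1106 Process9 filename=Unrelated newFilename=Filename1
"""

# Assumed line layout: "<day> <month> <year> <HHMM> <process> filename=X [newFilename=Y]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w+ \d{4} \d{4}) (?P<proc>\S+) filename=(?P<fn>\S+)"
    r"(?: newFilename=(?P<new>\S+))?$"
)

def parse_logs(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d %B %Y %H%M")
        events.append({"ts": ts, "proc": m.group("proc"),
                       "fn": m.group("fn"), "new": m.group("new")})
    events.sort(key=lambda e: e["ts"])
    return events

def trace_file(events, start_name):
    """Follow one file through renames, in time order.

    Only events carrying the name the file has *at that moment* are shown, so an
    event for a later name that occurs before the rename is ignored. Returns the
    display rows (timestamp, process, filename) and the chain of names seen.
    """
    current, seen_names, rows = start_name, [start_name], []
    for e in events:
        if e["fn"] != current:
            continue
        rows.append((e["ts"].strftime("%Y-%m-%d %H:%M"), e["proc"], e["fn"]))
        if e["new"] and e["new"] != current:
            if e["new"] in seen_names:
                break  # rename loop guard: stop rather than cycle forever
            current = e["new"]
            seen_names.append(current)
    return rows, seen_names
```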