I've seen various questions about comparing two events in Splunk.
This question is specifically about *designing a Splunk Web dashboard user interface* to enable users to *select* two events to compare.
My initial thoughts involve two side-by-side events list visualizations, where each events list has an associated time picker UI control:
* You use the time picker for the events list on the left to narrow that events list to include one of the events you want to compare, and then you click that event. Drilldown settings for the events list would use that click to set a token, or tokens, that can be used to refer to that specific event in a search.
* Same for the other event, using the time picker and its events list on the right.
However, I haven't yet got around to implementing this in practice. It occurs to me that, although I haven't found an exact duplicate question, this is likely to be a common use case—a problem already solved—so I thought I'd ask here first.
What arrangement of UI controls and visualizations in a dashboard is generally regarded as optimal for selecting two events from two different time periods, where the time periods might be arbitrarily different? For example, we're not necessarily comparing events for the same time-of-day on two different days.