Hello
I have a table with the top 10 values for an ip sorted by occurrence.
Place ip count
1 ip1 100
2 ip2 90
3 ip3 80
4 ip4 70
5 ip5 60
6 ip6 50
7 ip7 40
8 ip8 30
9 ip9 20
10 ip10 10
But now, I need a dashboard for each value separately:
A search only for the first ip, another search only for the second ip, and so on. How can I do this dynamically? Do you know some function to have something like this:
function(1) = ip1 (the max value)
function(2) = ip2 (the second max value)
function(3) = ip3 (the third max value)
I'll be very grateful for your answer.
As @martin_mueller said, something like this should work for you
App name- search
dashboard1.xml
<dashboard>
<label>Dashboard1</label>
<row>
<panel>
<table>
<searchString>index=_internal | stats count by sourcetype | sort - count | eval Place=1 | accum Place | table Place sourcetype count
</searchString>
<earliestTime>-60m</earliestTime>
<latestTime>now</latestTime>
<drilldown target="My New Window">
<link>/app/search/dashboard2?sourcetype=$row.sourcetype$</link>
</drilldown>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
</dashboard>
dashboard2.xml
<dashboard>
<label>Dashboard2</label>
<row>
<panel>
<table>
<title>Showing data for $sourcetype$</title>
<searchString>index=_internal sourcetype=$sourcetype$ | stats count by sourcetype
</searchString>
<earliestTime>-60m</earliestTime>
<latestTime>now</latestTime>
<option name="wrap">undefined</option>
<option name="rowNumbers">undefined</option>
<option name="drilldown">row</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</table>
</panel>
</row>
</dashboard>
@somesoni2, @martin_mueller, thank you so much, it worked!
For example, you could create a dashboard with a dropdown input at the top, define its populating search as that top10 search, have the user select what value he wants to see, and set that value as a token in the dashboard's search.
That way you don't need ten dashboards that do basically the same thing. Here's a quick intro: http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/FormEditor
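The dropdown approach described in the answer above, sketched as a single form (an added example, not code posted by anyone in this thread). It reuses the thread's index=_internal ranking search and legacy Simple XML elements; the dashboard label, the token name `sourcetype` and the `label` field are assumptions. The `|s` token filter wraps the selected value in quotes, so a value containing spaces or search syntax stays a single search term instead of altering the query.

```xml
<form>
  <label>Top 10 drilldown (example)</label>
  <fieldset autoRun="true" submitButton="false">
    <!-- Dropdown populated by the same ranking search used in dashboard1.
         fieldForLabel is what the user sees, fieldForValue is what the token receives. -->
    <input type="dropdown" token="sourcetype" searchWhenChanged="true">
      <label>Select a top-10 value</label>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="label" earliest="-60m" latest="now">index=_internal | stats count by sourcetype | sort - count | head 10 | eval Place=1 | accum Place | eval label=Place.". ".sourcetype." (".count.")" | table label sourcetype</populatingSearch>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Showing data for $sourcetype$</title>
        <!-- $sourcetype|s$ quotes the token value before it is substituted
             into the search string. -->
        <searchString>index=_internal sourcetype=$sourcetype|s$ | stats count by sourcetype</searchString>
        <earliestTime>-60m</earliestTime>
        <latestTime>now</latestTime>
        <option name="drilldown">row</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
```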