Splunk Search

How to display 3 separate search results on one dashboard?

jcouture
Explorer

For Example:
Suppose you have 3 numbers from search results: 1,000 2,000 and 3,000.

I want to be able to display 3,000-2,000 in a new panel with a new label. I was thinking perhaps append? I am somewhat new to Splunk.

Thanks again!

0 Karma
1 Solution

jcouture
Explorer

Solved!

I tried to send this yesterday but Splunk says I don't have enough reputation to post more than twice per day 😛

My solution for combining the three time specific (relative to current time) searches into one was to use the in-search time selection syntax to override the timepicker for each separate search and to link them together with sub searches. Then for each sub search instead of trying to eval the results like this:

 | eval diff=([a search] - [b sub search])

I used appendcols on my first search so that I could get them all in one table in the same row and three separate columns like this:

 index=main earliest=now latest=+1hr | eval A=*data for A* | stats first(A) AS A
 | appendcols [ search
     index=main earliest=@h latest=now | eval B=*data for B* | stats first(B) AS B ]
 | eval C=(A-B) | table A B C

This also has the eval tacked onto the end to find the difference between event A and event B.

Thanks for your time and responses!

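A fuller version of the pattern in the accepted answer, added here as an example and not part of the original post. It assumes an index named auth and a field action=failure (placeholders for whatever your authentication source type provides) and counts failed logons in three hour-long windows so a panel can show the change between the current and the previous hour. The first search follows the answer's appendcols approach; the second gets the same three numbers from a single search, which is what somesoni2's question points at and which avoids subsearch limits and row alignment problems.

```spl
index=auth action=failure earliest=-1h@h latest=@h
| stats count AS prev_hour
| appendcols
    [ search index=auth action=failure earliest=@h latest=now
      | stats count AS this_hour ]
| appendcols
    [ search index=auth action=failure earliest=-2h@h latest=-1h@h
      | stats count AS two_hours_ago ]
| fillnull value=0 two_hours_ago prev_hour this_hour
| eval delta=this_hour-prev_hour
| table two_hours_ago prev_hour this_hour delta

index=auth action=failure earliest=-2h@h latest=now
| eval bucket=case(_time>=relative_time(now(), "@h"),    "this_hour",
                   _time>=relative_time(now(), "-1h@h"), "prev_hour",
                   true(),                               "two_hours_ago")
| stats count(eval(bucket="this_hour"))     AS this_hour
        count(eval(bucket="prev_hour"))     AS prev_hour
        count(eval(bucket="two_hours_ago")) AS two_hours_ago
| fillnull value=0 two_hours_ago prev_hour this_hour
| eval delta=this_hour-prev_hour
| table two_hours_ago prev_hour this_hour delta
```

appendcols joins by row position, so every subsearch must return exactly one row, and each subsearch is subject to the subsearch result and time limits. The single-search form has none of those problems, scans the index once, and is the one to prefer when all the windows come from the same data; fillnull keeps the arithmetic from going blank when a window has no events.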
woodcock
Esteemed Legend

Make sure you click Accept on your answer.

0 Karma

woodcock
Esteemed Legend

Post a minimal set of raw events, your base search and intermediate output, then a mockup of your desired output.

0 Karma

somesoni2
SplunkTrust

Do you get all 3 numbers from a single search? Do you get them in same row OR separate rows?

0 Karma

jcouture
Explorer

I've modified it so that I can get them in the same search and I only have to do two at a time. So I think my question has somewhat changed. They're in different columns and different rows of a table now and I'd like to make a third result that is the difference between the two. I was thinking an eval like such:

| eval diff=(A-B) but no dice here

On a side note it would still be interesting if it could be done as separate searches. So if you know how to do that, that'd be great!

0 Karma

somesoni2
SplunkTrust

It will be helpful if you can post your current search. The regular eval diff only works if the columns are in same row.

0 Karma