How to get the exact row from a results table to u...

belladonna · ‎06-16-2016

Hello!

I want to make an error monitoring dashboard. I want to have a table with (operation| okOperations/allOperations) and 4 timechart panels with top-error operations, that work dynamically.

For the first table I have a search

index=prt result=*
| eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation 
| eval ratio=1-okOp/totalOp|stats max(ratio) as ratio by operation | sort 3 -ratio

It returns result table

<table>
    <tr>
        <td>operation</td>
        <td>result</td>
    </tr>
    <tr>
        <td>check</td>
        <td>1</td>
    </tr>
    <tr>
        <td>search</td>
        <td>0. 2</td>
    </tr>
    <tr>
        <td>buy</td>
        <td>0.2</td>
    </tr>
</table>

I don't want to use | streamstats count as rownum, because it works very slowly. How can I make a search for panels?
It will be good to use hidden search and then reuse its results in panels.

sundareshr · ‎06-16-2016

Like this

*For the first row*

 ... | head 1

*For the second row*

... | head 2 | tail | head 1

**** For the third row****

... | tail 1

spunk_enthusias · ‎01-20-2023

Is there really no better way than this?

belladonna · ‎06-17-2016

 index=prt result=*
 | eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation 
 | eval ratio=1-okOp/totalOp|stats max(ratio) as ratio by operation | sort 3 -ratio| head 1|timechart count(operation) by result

doesn't return anything

How to get the exact row from a results table to use for other panel searches in the same dashboard?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life