Splunk Search

Sum the results of searches from separate panels

ojasklowski
Explorer

Hi there,

I'd like to create a dashboard with 3 panels, each one containing a separate search that produces a table. Here's an example:

Table 1 (bugs):
Status                          Last_week          This_week
Unassigned                      5                  30
Working on it                   2                  25
Total                           7                  55
.....
Table 3 (support requests):
Status                          Last_week          This_week
Waiting on Doug                 1                  22
Waiting on Bob                  2                  23
Total                           3                  45 
Total of Totals                10                 100

Then, I'd like to add a summary row to the 3rd panel (using appendpipe, for example). This summary row will sum one row from each of the three panels (it's a 'total of totals').

Now, I know there are a few ways to do this (e.g. performing a join (1) or using multisearch (2)). Problem: I can't use either of these approaches because each SQL query (in the 3 panels) is really long. If I combine them into a single query, I exceed my system's character/byte limit.

Can panels communicate with one another if each one is generated by a separate query? Other ideas on how to make this work?

Thank you!

(1) https://answers.splunk.com/answers/308839/how-do-i-get-data-value-from-a-table-in-one-panel.html
(2) https://answers.splunk.com/answers/116922/show-result-of-multiple-queries-as-rows-of-single-table-on...


jplumsdaine22
Influencer

If you're exceeding a system limit because of the length of your SQL query, you probably need an index or a view created for you.

That said, what you could do is have a single panel instead of three, and combine the three searches into one.

As the columns for each panel are identical this shouldn't be too difficult to do. If you post your three searches I am sure someone will be able to help.

ojasklowski
Explorer

Hi jplumsdaine22, thanks for your comment. To your points:

Creating an index or view --

I've actually done this for the part of the query that all 3 queries share. Without going into detail, I won't be able to store 3 views, which would allow me to store the 3 full queries.

Combining three searches into one --

This is exactly what I'd like to do, but my combined query exceeds the character limit. That being the case, my new plan is to:

1) Run the 3 queries in 3 panels
2) Tokenize the "Total" row from panels 1 and 2
3) Append the tokenized rows to panel 3

I outlined my new plan in response to the comment below, but I'm stuck on steps 2 and 3. If you have any insight, I'd really appreciate it!


gcusello
SplunkTrust

I have two ideas:
The easy way, but expensive for the license, is to run your three different queries, store the results in an index and then run a search on the result.
Otherwise, extract a token from each panel and then pass it to another panel.
You can see it at
http://docs.splunk.com/Documentation/Splunk/6.4.1/Viz/tokens#Define_tokens_for_dynamic_drilldown
or, better, in the Splunk 6.x dashboard examples, in which there is an example of drilldown in the same dashboard.
Bye.
Giuseppe

ojasklowski
Explorer

Giuseppe, thanks for your post!

So let's say I wanted to do the following:
1) Save the "Total" row from Table 1 (generate the token)
2) Pass it to Table 3 (use the token)

What exactly would my simple XML look like? I've had a hard time finding similar examples...

Here is a guess for how to generate the token (#1):

<search>
    <query> ..... </query>
    <earliest></earliest>
    <latest></latest>
    <done>
        <set token="table_1_totals">$row.Totals$</set>
    </done>
</search>
  • what is the "done" tag?
  • instead, should I use: $result.Totals$
  • any need for a "drilldown" tag?

Here is a guess for how to use the token (#2):

<row>
    <panel depends="$table_1_totals$">
        <table>
            <search>
                <query>| (table 3)  | append $table_1_totals$
                </query>
            </search>
        </table>
    </panel>
</row>

I tried to refer to the following examples --
- For #1: https://answers.splunk.com/answers/385112/how-to-pass-search-result-from-one-panel-to-a-diff.html
- For #2: https://answers.splunk.com/answers/318316/how-many-tokens-can-i-pass-from-one-panel-to-anoth-1.html

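A constructed Simple XML dashboard showing the token pattern this thread is after (an added example, not code from the original posts or from Splunk's documentation): the bugs panel publishes its Total row through a `<done>` handler on a hidden post-process search, and the support-requests panel reads those tokens inside an `appendpipe` to add the "Total of Totals" row. The `makeresults` rows stand in for the long queries and reuse the numbers from the tables above; the search id `bugs` and the token names are assumptions, and a third panel would follow the same pattern with its own tokens.

```xml
<dashboard>
  <label>Total of totals across panels (constructed example)</label>
  <!-- Panel 1 (bugs). The base search stands in for the long query; makeresults
       builds sample rows so the dashboard runs without any real data. -->
  <search id="bugs">
    <query>| makeresults count=2 | streamstats count AS n
| eval Status=if(n=1,"Unassigned","Working on it"), Last_week=if(n=1,5,2), This_week=if(n=1,30,25)
| table Status Last_week This_week
| addtotals col=true labelfield=Status label=Total row=false</query>
  </search>
  <row>
    <panel>
      <title>Bugs</title>
      <!-- Hidden post-process search: keep only the Total row of the base search
           and publish its two numbers as tokens once the search is done. -->
      <search base="bugs">
        <query>| search Status="Total"</query>
        <done>
          <set token="bugs_lw">$result.Last_week$</set>
          <set token="bugs_tw">$result.This_week$</set>
        </done>
      </search>
      <table>
        <search base="bugs"><query>| table Status Last_week This_week</query></search>
      </table>
    </panel>
  </row>
  <row>
    <!-- Panel 3 (support requests) is held back until both tokens exist, then adds a
         final row that sums its own Total row with the values received from panel 1. -->
    <panel depends="$bugs_lw$,$bugs_tw$">
      <title>Support requests</title>
      <table>
        <search>
          <query>| makeresults count=2 | streamstats count AS n
| eval Status=if(n=1,"Waiting on Doug","Waiting on Bob"), Last_week=if(n=1,1,2), This_week=if(n=1,22,23)
| table Status Last_week This_week
| addtotals col=true labelfield=Status label=Total row=false
| appendpipe [ search Status="Total"
    | eval Status="Total of Totals", Last_week=Last_week+$bugs_lw$, This_week=This_week+$bugs_tw$ ]</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

With the sample rows the last panel ends in Total 3/45 followed by Total of Totals 10/100, and each panel keeps its own search, so no single query grows past the length limit. Splunk expects the base search of a post-process to return a results table, so keep the `table`/`addtotals` stage at the end of the real long query as well.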