Hi there,
I'd like to create a dashboard with 3 panels, each one containing a separate search that produces a table. Here's an example:
Table 1 (bugs):
Status Last_week This_week
Unassigned 5 30
Working on it 2 25
Total 7 55
.....
Table 3 (support requests):
Status Last_week This_week
Waiting on Doug 1 22
Waiting on Bob 2 23
Total 3 45
Total of Totals 10 100
Then, I'd like to add a summary row to the 3rd panel (using appendpipe, for example). This summary row will sum one row from each of the three panels (it's a 'total of totals').
Now, I know there are a few ways to do this (e.g. performing a join(1) or using multisearch (2)). Problem: I can't use either of these approaches because each SQL query (in the 3 panels) is really long. If I combine them into a single query, I exceed my system's character/byte limit.
Can panels communicate with one another if each one is generated by a separate query? Other ideas on how to make this work?
Thank you!
(1) https://answers.splunk.com/answers/308839/how-do-i-get-data-value-from-a-table-in-one-panel.html
(2) https://answers.splunk.com/answers/116922/show-result-of-multiple-queries-as-rows-of-single-table-on...
If you're exceeding a system limit because of the length of your SQL query, you probably need an index or a view created for you.
That said, what you could do is have a single panel instead of three, and combine the three searches into one.
As the columns for each panel are identical this shouldn't be too difficult to do. If you post your three searches I am sure someone will be able to help.
Hi jplumsdaine22, thanks for your comment. To your points:
Creating an index or view --
I've actually done this for the part of the query that all 3 queries share. Without going into detail, I won't be able to store 3 views, which would allow me to store the 3 full queries.
Combining three searches into one --
This is exactly what I'd like to do, but my combined query exceeds the character limit. That being the case, my new plan is to:
1) Run the 3 queries in 3 panels
2) Tokenize the "Total" row from panels 1 and 2
3) Append the tokenized rows to panel 3
I outlined my new plan in response to the comment below, but I'm stuck on steps 2 and 3. If you have any insight, I'd really appreciate it!
I have two ideas:
the easy way, but expensive for the license, is to run your three different queries, store results in an index and then run a search on the result.
Otherwise extract a token from each panel and then pass it to another panel.
you can see at
http://docs.splunk.com/Documentation/Splunk/6.4.1/Viz/tokens#Define_tokens_for_dynamic_drilldown
or better in the Splunk 6.x dashboard examples in which there is an example of drilldown in the same dashboard.
Bye.
Giuseppe
Giuseppe, thanks for your post!
So let's say I wanted to do the following:
1) Save the "Total" row from Table 1 (generate the token)
2) Pass it to Table 3 (use the token)
What exactly would my simple XML look like? I've had a hard time finding similar examples...
Here is a guess for how to generate the token (#1):
<search>
<query> ..... </query>
<earliest></earliest>
<latest></latest>
<done>
<set token="table_1_totals">$row.Totals$</set>
</done>
</search>
Here is a guess for how to use the token (#2):
<row>
<panel depends="$table_1_totals$">
<table>
<search>
<query>| (table 3) | append $table_1_totals$
</query>
</search>
</table>
</panel>
</row>
I tried to refer to the following examples --
- For #1: https://answers.splunk.com/answers/385112/how-to-pass-search-result-from-one-panel-to-a-diff.html
- For #2: https://answers.splunk.com/answers/318316/how-many-tokens-can-i-pass-from-one-panel-to-anoth-1.html