dashboard panels based on main search output (loop...

Amirahussein · ‎06-14-2017

Dears,
please i need your support as i am creating new dashboard, the number of panel included in this dashboard is depending on the output of search query ( for each unique source there will be single panel)
this dashboard will be refreshed every 5 minutes to view new data

so i need to create a loop to access all sources individually, for each panel i will create new query to show statistics

for example:
1- Main Search:
index=x sourcetype="oracle:db" "search for specific string" | dedup source|table source
output:the output is variable
source1
source2
source3
2- for each source, i need to create panel with some regex
index=xsourcetype="oracle:db" source="source1" earliest=-5m latest=now|rex field=source "(?([-\w]+?))(?(\w+?))(?(\w+))" |timechart span=15m last(NODE) as Node , last(INSTANT) as Instance,last(QUEUE) AS Queue avg(QUEUE_COUNT) as QueueCount

so is there a way to create such dashboard ?

woodcock · ‎06-14-2017

This can be done if you are on v6.6 or later with the new Trellis feature.
It can be done on any version of Splunk with the multiplexer capability of sideview Utils:
http://sideviewapps.com/apps/sideview-utils/

rjthibod · ‎06-14-2017

Are you running Splunk 6.6? If so, then the new trellis chart layout can do this without you needing to do the first query. Without 6.6, this is going to be quite difficult.

dashboard panels based on main search output (loop through the output)

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life