Solved: How to filter the results of a panel based on anot...

Naren26 · ‎11-15-2017

Let's assume, I am having two panels - PanelA, PanelB in my dashboard. I want to filter my PanelB results based on the PanelA results.

PanelA:

TrainType    Count
  TrainA      10
  TrainB      10
  TrainC      10
  TrainD      10

PanelB:

TrainType     Status
  TrainA      Active
  TrainD      Inactive
  TrainN      Active
   TrainB     Active
  TrainK      Inactive
  TrainT       Active
  TrainJ       Inactive

In the above results, for Panel2, I need to display only the trains which are available in Panel1.

I have tried to store the Panel1 results in token as a table and use it in Panel2 as follows:

<done>
          <set token="result">
            <search>
              <query>
                   stats list(TrainType) as TrainType by _time  | makemv TrainType delim="," | table TrainType
              </query>
            </search>
          </set>
 </done>

But I do not how to use it Panel2. Please suggest how this can be done.

Note: I want to do this automatically when the Panel1 gets loaded.

gcusello · ‎11-15-2017

Hi,
a little question: do you want to filter panel 2 events after a click on a row of Panel 1 or do you want to filter panel 2 with all the results of Panel1?

If the first one, see Splunk 7.x Dashboard Examples app, there an example of drilldown in the same dashboard.

If the second one, put Panel 1 search as subsearch in Panel 2 search, something like this:

my_search1 [ search my_search2 | dedup TrainType | fields TrainType ]
| ....

you have only to check that TrainType name field is the same in both the searches and that there isn't case differences in TrainType field.

Bye.
Giuseppe

View solution in original post

niketn · ‎11-15-2017

@Naren26, There could be various ways of doing this however, the best option would be based on what you are doing at present (without the filter in 2nd panel from the results of first panel). So, Can you add the query for your sample results you have put here in question (both for Panel 1 and Panel 2)? Are TrainType and Status fields available in your raw events?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Naren26 · ‎11-15-2017

Please find the below XML:

    <row>
        <panel>
          <title>PanelA</title>
          <event>
            <search>
              <query>*mysearch | stats list(traintype) as TrainType</query>
              <earliest>-30m@m</earliest>
              <latest>now</latest>
              <sampleRatio>1</sampleRatio>
              <done>
           <set token="result">
             <search>
               <query>
                    stats list(TrainType) as TrainType by _time  | makemv TrainType delim="," | table TrainType
               </query>
             </search>
           </set>
  </done>
            </search>
            <option name="count">10</option>
            <option name="list.drilldown">full</option>
            <option name="list.wrap">1</option>
            <option name="maxLines">5</option>
            <option name="raw.drilldown">full</option>
            <option name="rowNumbers">0</option>
            <option name="table.drilldown">all</option>
            <option name="table.sortDirection">asc</option>
            <option name="table.wrap">1</option>
            <option name="type">list</option>
          </event>

        </panel>
      </row>
      <row>
        <panel>
          <title>PanelB</title>
          <event>
            <search>
              <query>*mysearch | stats list(traintype) as TrainType | where TrainType in($result$)</query>
              <earliest>-30m@m</earliest>
              <latest>now</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="count">10</option>
            <option name="list.drilldown">full</option>
            <option name="list.wrap">1</option>
            <option name="maxLines">5</option>
            <option name="raw.drilldown">full</option>
            <option name="rowNumbers">0</option>
            <option name="table.drilldown">all</option>
            <option name="table.sortDirection">asc</option>
            <option name="table.wrap">1</option>
            <option name="type">list</option>
          </event>
        </panel>
      </row>

Note: Both TrainType and Status are available in raw events

kamlesh_vaghela · ‎11-15-2017

Hi

Can you please check dashboard code??

<dashboard>
  <label>Dependent Panel Result</label>
  <search base="mainSearch">
      <query> eval sourcetype="sourcetype=".sourcetype | stats delim=" OR " values(sourcetype) as sourcetype | mvcombine sourcetype | eval sourcetype=" (".sourcetype.")"
      </query>
      <done>
        <set token="selectedsourcetype">$result.sourcetype$</set>
      </done>
    </search>
  <row>
    <panel>
      <table>
        <title>Main Panel</title>
        <search id="mainSearch">
          <query>index=_internal  sourcetype=splunk* | stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Dependent Panel $selectedsourcetype$</title>
        <search>
          <query>index=_internal $selectedsourcetype$ | stats count by sourcetype</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

Here I have used dummy search. But don't worry It will work for you.

There are 2 panels. Main Panel & Dependent Panel.
I have made Main Panel search as base search and an additional search defined which will create a condition for Dependent Panel.

Please execute XML code and try to put your search into it for verification.

I hope this will help you.

Happy Splunking

gcusello · ‎11-15-2017

Hi,
a little question: do you want to filter panel 2 events after a click on a row of Panel 1 or do you want to filter panel 2 with all the results of Panel1?

If the first one, see Splunk 7.x Dashboard Examples app, there an example of drilldown in the same dashboard.

If the second one, put Panel 1 search as subsearch in Panel 2 search, something like this:

my_search1 [ search my_search2 | dedup TrainType | fields TrainType ]
| ....

you have only to check that TrainType name field is the same in both the searches and that there isn't case differences in TrainType field.

Bye.
Giuseppe

Naren26 · ‎11-20-2017

I could able to fetch the results with following query:

my_search1 [ search my_search2 | dedup TrainType | fields TrainType ]

Thanks.

Naren26 · ‎11-15-2017

I want to filter Panel2 with results of Panel1, without any user events.

gcusello · ‎11-15-2017

In my above second solution, you filter Panel2 events with Panel1 results.
Check that TrainType name field is the same in both the searches and that there isn't any case difference in TrainType field.
Bye.
Giuseppe

Naren26 · ‎11-16-2017

I have tried the above mentioned solution. But I could not able to fetch the results. Below is the code:

index=my_index message=msgA | stats values(trainType) as TrainType by _time  [search index=my_index message=msgB | stats values(trainType) as TrainType by _time ]

What am I doing wrong here?

How to filter the results of a panel based on another panel's result

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases