Dashboards & Visualizations

I want to use tokens to pass value from one dashboard panel to another panel of the same dashboard

nkankur
Path Finder

I have two long search queries which forms two panels of my dashboard and I want to use final values from both of them for my third panel and I don't want to run those two long queries again in my final search. I just want to use those final results in my final query as tokens. How can I do that?

for example

query 1

..| stats sum(value1) as "Total Bill"

query 2

..| eval value2=(some operation)| rename value2 as "Expected Bill"

query 3

eval Saving= (($Token1$-$Token2$)/$Token1$)

Thanks in Advance!

0 Karma

elliotproebstel
Champion

Absolutely, this is pretty easy to do by editing the simpleXML of your dashboard. First, you'll need to add the syntax that sets the tokens. Inside the <search>...</search> sections for your first two panels, you'll add some code to set the tokens. Inside the first:

<done>
  <set token="Token1">$result.Total Bill$</set>
</done>

And inside the second:

<done>
  <set token="Token2">$result.Expected Bill$</set>
</done>

Then your third panel can simply use the syntax you already posted:

eval Saving= (($Token1$-$Token2$)/$Token1$)

EDIT: Sorry, it doesn't seem to like when I use the <pre><code> syntax, so I edited this in the hopes it will now properly display my answer.

nkankur
Path Finder

I used the above code but my result panel is not showing any data.
It is showing-

No results found.

0 Karma

niketn
Legend

Following is a run anywhere dashboard. Please change the Search queries for Panel 1 and Panel 2 as per your need as the current one are based on Splunk's _internal index, which are used to mock data.

<form>
  <label>Pass Token from Two Panels to Third</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=_internal sourcetype=splunkd
|  stats sum(date_minute) as "Total Bill"</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <condition match="$job.resultCount$==0">
              <set token="Token1">0</set>
            </condition>
            <condition>
              <set token="Token1">$result.Total Bill$</set>
            </condition>
          </done>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">Total</option>
        <option name="unit">$</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <single>
        <search>
          <query>index=_internal sourcetype=splunkd
|  stats sum(date_hour) as "Expected Bill"</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <condition match="$job.resultCount$==0">
              <set token="Token2">0</set>
            </condition>
            <condition>
              <set token="Token2">$result.Expected Bill$</set>
            </condition>
          </done>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">Expected</option>
        <option name="unit">$</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <title>Token1: $Token1$ - Token2: $Token2$</title>
      <single>
        <search>
          <query>| makeresults
|  eval Saving=($Token1$-$Token2$)/$Token1$
|  table Saving</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0.0000</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">Savings</option>
        <option name="unit">$</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</form>

PS: I noticed in query 2 you have used following syntax: | eval value2=(some operation)| rename value2 as "Expected Bill". Instead you can try | eval "Expected Bill"=(some operation)

I have printed Token1 and Token2 values in Third panel for testing whether they are getting set as expected or not.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nkankur
Path Finder

I used the above code but my result panel is not showing any data.
It is showing-

No results found.

0 Karma

niketn
Legend

@elliotproebstel, you beat me to it.

@nkankur, You can do it by coding <done> or <progress> search event handler that can access $result.<YourFieldName>$ default token.

For Panel 1 following is the Search Event Handler:

      <done>
        <condition match="$job.resultCount$==0">
          <set token="Token1">0</set>
        </condition>
        <condition>
          <set token="Token1">$result.Total Bill$</set>
        </condition>
      </done>

The Search Event Handler for Panel 2 on similar lines:

      <done>
        <condition match="$job.resultCount$==0">
          <set token="Token2">0</set>
        </condition>
        <condition>
          <set token="Token2">$result.Expected Bill$</set>
        </condition>
      </done>

Finally, your 3rd panel code would look like the following:

| makeresults
|  eval Saving=($Token1$-$Token2$)/$Token1$
|  table Saving

I hope you are using Single Value visualizations. If you want to handle No Results Found scenario it will be slightly different however, on similar lines.


[UPDATED] Token2 was called Token1 in second code block. Corrected the same. Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nkankur
Path Finder

yes I am using single value visualization.

0 Karma

nkankur
Path Finder

I used the above code but my result panel is not showing any data.
It is showing-

No results found.

0 Karma

elliotproebstel
Champion

Are the other two panels displaying the expected results? If so, try changing the third panel's search query to this:
| makeresults | eval t1=$Token1$, t2=$Token2$ | fields t1 t2

Does t1 match the result from the first panel, and does t2 match the result from the second panel?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...