I have two long search queries which forms two panels of my dashboard and I want to use final values from both of them for my third panel and I don't want to run those two long queries again in my final search. I just want to use those final results in my final query as tokens. How can I do that?
for example
query 1
..| stats sum(value1) as "Total Bill"
query 2
..| eval value2=(some operation)| rename value2 as "Expected Bill"
query 3
eval Saving= (($Token1$-$Token2$)/$Token1$)
Thanks in Advance!
Absolutely, this is pretty easy to do by editing the simpleXML of your dashboard. First, you'll need to add the syntax that sets the tokens. Inside the <search>...</search>
sections for your first two panels, you'll add some code to set the tokens. Inside the first:
<done>
<set token="Token1">$result.Total Bill$</set>
</done>
And inside the second:
<done>
<set token="Token2">$result.Expected Bill$</set>
</done>
Then your third panel can simply use the syntax you already posted:
eval Saving= (($Token1$-$Token2$)/$Token1$)
EDIT: Sorry, it doesn't seem to like when I use the <pre><code>
syntax, so I edited this in the hopes it will now properly display my answer.
I used the above code but my result panel is not showing any data.
It is showing-
No results found.
Following is a run anywhere dashboard. Please change the Search queries for Panel 1 and Panel 2 as per your need as the current one are based on Splunk's _internal index, which are used to mock data.
<form>
<label>Pass Token from Two Panels to Third</label>
<fieldset submitButton="false">
<input type="time" token="tokTime" searchWhenChanged="true">
<label></label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<single>
<search>
<query>index=_internal sourcetype=splunkd
| stats sum(date_minute) as "Total Bill"</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
<done>
<condition match="$job.resultCount$==0">
<set token="Token1">0</set>
</condition>
<condition>
<set token="Token1">$result.Total Bill$</set>
</condition>
</done>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="underLabel">Total</option>
<option name="unit">$</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<single>
<search>
<query>index=_internal sourcetype=splunkd
| stats sum(date_hour) as "Expected Bill"</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
<done>
<condition match="$job.resultCount$==0">
<set token="Token2">0</set>
</condition>
<condition>
<set token="Token2">$result.Expected Bill$</set>
</condition>
</done>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="underLabel">Expected</option>
<option name="unit">$</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Token1: $Token1$ - Token2: $Token2$</title>
<single>
<search>
<query>| makeresults
| eval Saving=($Token1$-$Token2$)/$Token1$
| table Saving</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0.0000</option>
<option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="underLabel">Savings</option>
<option name="unit">$</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
</form>
PS: I noticed in query 2 you have used following syntax: | eval value2=(some operation)| rename value2 as "Expected Bill"
. Instead you can try | eval "Expected Bill"=(some operation)
I have printed Token1 and Token2 values in Third panel for testing whether they are getting set as expected or not.
I used the above code but my result panel is not showing any data.
It is showing-
No results found.
@elliotproebstel, you beat me to it.
@nkankur, You can do it by coding <done>
or <progress>
search event handler that can access $result.<YourFieldName>$
default token.
For Panel 1 following is the Search Event Handler:
<done>
<condition match="$job.resultCount$==0">
<set token="Token1">0</set>
</condition>
<condition>
<set token="Token1">$result.Total Bill$</set>
</condition>
</done>
The Search Event Handler for Panel 2 on similar lines:
<done>
<condition match="$job.resultCount$==0">
<set token="Token2">0</set>
</condition>
<condition>
<set token="Token2">$result.Expected Bill$</set>
</condition>
</done>
Finally, your 3rd panel code would look like the following:
| makeresults
| eval Saving=($Token1$-$Token2$)/$Token1$
| table Saving
I hope you are using Single Value visualizations. If you want to handle No Results Found scenario it will be slightly different however, on similar lines.
[UPDATED] Token2 was called Token1 in second code block. Corrected the same. Please try out and confirm.
yes I am using single value visualization.
I used the above code but my result panel is not showing any data.
It is showing-
No results found.
Are the other two panels displaying the expected results? If so, try changing the third panel's search query to this:
| makeresults | eval t1=$Token1$, t2=$Token2$ | fields t1 t2
Does t1 match the result from the first panel, and does t2 match the result from the second panel?