Is there a way to make tables in a dashboard work together using two different sources?

Ragate
Explorer

On my Splunk dashboard I am showing tables with two different sources. Is there a way to have the tables sync up with the different data?
For example: If I have a License Key that appears in one table that matches the License Key (from a different source) in the other table, can it show the Documents Processed from this?

Do I need to create a search to merge these sources together or can I just do it through the dashboard?

Thanks in advance.

0 Karma
1 Solution

richgalloway
SplunkTrust

Yes, you must write an SPL query to combine the two searches. The dashboard will not do it for you.
Like @kiamco suggests, you can use join to combine them, but that is usually the least efficient way. Often, stats can be used instead of join. See http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Join

---
If this reply helps you, Karma would be appreciated.

Ragate
Explorer

I have tried using a join and this is what I came up with:
source="C:\Users\ragate\Desktop\splunk\LMCustomerRevLicense.csv" | join type=left substr('context.custom.dimensions{}.LicenseKey' ,4,7) [search source="c:\users\ragate\desktop\splunk\jsondump.txt"] | eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey' ,4,7) | where 'LicenseKeyID'='License Key Identifier'

This only brings up one event in each field when there should be about 20 more there. Not sure where I went wrong. Also have been told that stats would work but I am not sure how to use that to do what I want.

0 Karma

richgalloway
SplunkTrust

The first argument to join after type=left should be a field name, not an expression.

source="C:\\Users\\ragate\\Desktop\\splunk\\LMCustomerRevLicense.csv" | eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey' ,4,7) | join type=left LicenseKeyID  [search source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt" | eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey' ,4,7)] 
---
If this reply helps you, Karma would be appreciated.

Ragate
Explorer

Thank you!

0 Karma

kiamco
Path Finder

Try using the join command

eg:
your first search..
|join "License key" [|search second search]

0 Karma
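
Added example (not part of any post in this thread): a sketch of the stats approach mentioned in the accepted answer, applied to the two sources from the thread. It assumes the CSV events carry the field License Key Identifier, that the JSON events carry context.custom.dimensions{}.LicenseKey as a single value, and that the count lives in a field named Documents Processed; from_csv, csv_rows and total_rows are names made up for this example.

```spl
(source="C:\\Users\\ragate\\Desktop\\splunk\\LMCustomerRevLicense.csv"
 OR source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt")
| eval LicenseKeyID=coalesce('License Key Identifier', substr('context.custom.dimensions{}.LicenseKey', 4, 7))
| eval from_csv=if(isnotnull('License Key Identifier'), 1, 0)
| stats sum(from_csv) as csv_rows, count as total_rows, values("Documents Processed") as "Documents Processed" by LicenseKeyID
| where csv_rows > 0 AND total_rows > csv_rows
```

Both sources are read in one search and grouped on the shared key, so no subsearch is involved. The final where keeps only keys seen in both sources; reducing it to `where csv_rows > 0` gives the same rows a left join from the CSV would.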