Dashboards & Visualizations

Is there a way to make tables in a dashboard work together using two different sources?

Ragate
Explorer

On my spunk dashboard I am showing tables with two different sources. Is there a way to have the tables sync up with the different data?
For example: If I have a License Key that appears in one table that matches the License Key (from a different source) in the other table, can it show the Documents Processed from this?

Do I need to create a search to merge these sources together or can I just do it through the dashboard?

Thanks in advance.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Yes, you must write an SPL query to combine the two searches. The dashboard will not do it for you.
Like @kiamco suggests, you can use join to combine them, but that is usually the least efficient way. Often, stats can used instead of join. See http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Join

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, you must write an SPL query to combine the two searches. The dashboard will not do it for you.
Like @kiamco suggests, you can use join to combine them, but that is usually the least efficient way. Often, stats can used instead of join. See http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Join

---
If this reply helps you, Karma would be appreciated.
0 Karma

Ragate
Explorer

I have tried using a join and this is what I came up:
source="C:\Users\ragate\Desktop\splunk\LMCustomerRevLicense.csv" | join type=left substr('context.custom.dimensions{}.LicenseKey' ,4,7) [search source="c:\users\ragate\desktop\splunk\jsondump.txt"] | eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey' ,4,7) | where 'LicenseKeyID'='License Key Identifier'

This only brings but one event in each field when there should be about 20 more there. Not sure where I went wrong. Also have been told that stats would work but I am not sure how to use that to do what I want.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The first argument to join after type=left should be a field name, not an expression.

source="C:\\Users\\ragate\\Desktop\\splunk\\LMCustomerRevLicense.csv" | eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey' ,4,7) | join type=left LicenseKeyID  [search source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt" | eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey' ,4,7)] 
---
If this reply helps you, Karma would be appreciated.

Ragate
Explorer

Thank you!

0 Karma

kiamco
Path Finder

Try using the join command

eg:
your first search..
|join "License key" [|search second search]

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...