- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to add two query results in xml dashboard?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I am giving a dummy dashboard based on this i will explain what i want..
<form>
<label>test_hari</label>
<fieldset submitButton="false">
<input type="dropdown" token="field1">
<label>field1</label>
</input>
<input type="dropdown" token="field2">
<label>field2</label>
</input>
<input type="time" token="time1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>vot</title>
<search id="votquery">
<query>index="_internal" |stats count as vot by action, host</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>LT</title>
<search id="ltquery">
<query>index="_internal" |stats count as LT by host</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
O had two tables VOT , LT
And i want another table with Total=VOT+LT
Note:- I don't want to use join or append those two queries.like query1 |append [search query2]
I need to pass two tokens from dropdown So i can't use init on the page load,Just i want to store those query results .
Once that query1 executed just i reuse those results only i dont want to run again and again..
please help me for this ,thanks in Advance.
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harishalipaka
loadjob might help you to combine results from multiple panels and populate 3rd panel.
Ref: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/loadjob
Can you please check below example?
<dashboard>
<label>Sample Dashboard</label>
<row>
<panel>
<title>Panel 1</title>
<table>
<search>
<query>| makeresults count=10 | eval no=1 | accum no</query>
<finalized>
<condition>
<set token="JobSid1">$job.sid$</set>
</condition>
</finalized>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Panel 2</title>
<table>
<search>
<query>| makeresults count=10 | eval no=5 | accum no</query>
<finalized>
<condition>
<set token="JobSid2">$job.sid$</set>
</condition>
</finalized>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>| loadjob $JobSid1$ | append [ | loadjob $JobSid2$ ]</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harishalipaka
loadjob might help you to combine results from multiple panels and populate 3rd panel.
Ref: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/loadjob
Can you please check below example?
<dashboard>
<label>Sample Dashboard</label>
<row>
<panel>
<title>Panel 1</title>
<table>
<search>
<query>| makeresults count=10 | eval no=1 | accum no</query>
<finalized>
<condition>
<set token="JobSid1">$job.sid$</set>
</condition>
</finalized>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Panel 2</title>
<table>
<search>
<query>| makeresults count=10 | eval no=5 | accum no</query>
<finalized>
<condition>
<set token="JobSid2">$job.sid$</set>
</condition>
</finalized>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>| loadjob $JobSid1$ | append [ | loadjob $JobSid2$ ]</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @kamlesh ji
that is fine,but am getting this error Error in 'SearchOperator:loadjob': Artifacts are unavailable because the job (job_id='byd_line0_admin_YnlkX2xpbmUwX2FkbWlu_YnlkX2xpbmUw__search9_1552645537.487912_8303C2C4-C724-4485-878E-DA1E31862275') is still running.
In my case those search will take more time
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harishalipaka
Can you please change <finalized> with <done> and try again?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes @kamlesh_vaghela ji,
i am also tried like this .Its working now
And one doubt is it working for all users are only for owner of that dashboard..?
ThanQ
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harishalipaka
It's depending on which permissions you gave to dashboard. But I think you have a confusion bcoz here we have used loadjob. I have assigned read permission to all roles and I'm able to access the dashboard with user role.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
