- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to add two query results in xml dashboard?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I am giving a dummy dashboard based on this i will explain what i want..
<form>
<label>test_hari</label>
<fieldset submitButton="false">
<input type="dropdown" token="field1">
<label>field1</label>
</input>
<input type="dropdown" token="field2">
<label>field2</label>
</input>
<input type="time" token="time1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>vot</title>
<search id="votquery">
<query>index="_internal" |stats count as vot by action, host</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>LT</title>
<search id="ltquery">
<query>index="_internal" |stats count as LT by host</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
O had two tables VOT , LT
And i want another table with Total=VOT+LT
Note:- I don't want to use join or append those two queries.like query1 |append [search query2]
I need to pass two tokens from dropdown So i can't use init on the page load,Just i want to store those query results .
Once that query1 executed just i reuse those results only i dont want to run again and again..
please help me for this ,thanks in Advance.
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harishalipaka
loadjob might help you to combine results from multiple panels and populate 3rd panel.
Ref: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/loadjob
Can you please check below example?
<dashboard>
<label>Sample Dashboard</label>
<row>
<panel>
<title>Panel 1</title>
<table>
<search>
<query>| makeresults count=10 | eval no=1 | accum no</query>
<finalized>
<condition>
<set token="JobSid1">$job.sid$</set>
</condition>
</finalized>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Panel 2</title>
<table>
<search>
<query>| makeresults count=10 | eval no=5 | accum no</query>
<finalized>
<condition>
<set token="JobSid2">$job.sid$</set>
</condition>
</finalized>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>| loadjob $JobSid1$ | append [ | loadjob $JobSid2$ ]</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harishalipaka
loadjob might help you to combine results from multiple panels and populate 3rd panel.
Ref: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/loadjob
Can you please check below example?
<dashboard>
<label>Sample Dashboard</label>
<row>
<panel>
<title>Panel 1</title>
<table>
<search>
<query>| makeresults count=10 | eval no=1 | accum no</query>
<finalized>
<condition>
<set token="JobSid1">$job.sid$</set>
</condition>
</finalized>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Panel 2</title>
<table>
<search>
<query>| makeresults count=10 | eval no=5 | accum no</query>
<finalized>
<condition>
<set token="JobSid2">$job.sid$</set>
</condition>
</finalized>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<search>
<query>| loadjob $JobSid1$ | append [ | loadjob $JobSid2$ ]</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @kamlesh ji
that is fine,but am getting this error Error in 'SearchOperator:loadjob': Artifacts are unavailable because the job (job_id='byd_line0_admin_YnlkX2xpbmUwX2FkbWlu_YnlkX2xpbmUw__search9_1552645537.487912_8303C2C4-C724-4485-878E-DA1E31862275') is still running.
In my case those search will take more time
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harishalipaka
Can you please change <finalized> with <done> and try again?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes @kamlesh_vaghela ji,
i am also tried like this .Its working now
And one doubt is it working for all users are only for owner of that dashboard..?
ThanQ
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@harishalipaka
It's depending on which permissions you gave to dashboard. But I think you have a confusion bcoz here we have used loadjob. I have assigned read permission to all roles and I'm able to access the dashboard with user role.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
