Solved: How to add two query results in xml dashboard?

harishalipaka · ‎03-15-2019

Hi All,

I am giving a dummy dashboard based on this i will explain what i want..

<form>
  <label>test_hari</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1">
      <label>field1</label>
    </input>
    <input type="dropdown" token="field2">
      <label>field2</label>
    </input>
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>vot</title>
        <search id="votquery">
          <query>index="_internal" |stats count as vot by action, host</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>LT</title>
        <search id="ltquery">
          <query>index="_internal" |stats count as LT by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

O had two tables VOT , LT

And i want another table with Total=VOT+LT

Note:- I don't want to use join or append those two queries.like query1 |append [search query2]
I need to pass two tokens from dropdown So i can't use init on the page load,Just i want to store those query results .
Once that query1 executed just i reuse those results only i dont want to run again and again..

please help me for this ,thanks in Advance.

Thanks
Harish

kamlesh_vaghela · ‎03-15-2019

@harishalipaka

loadjob might help you to combine results from multiple panels and populate 3rd panel.

Ref: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/loadjob

Can you please check below example?

<dashboard>
  <label>Sample Dashboard</label>
  <row>
    <panel>
      <title>Panel 1</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=1 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid1">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=5 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid2">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob $JobSid1$ | append [ | loadjob $JobSid2$ ]</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Thanks

View solution in original post

kamlesh_vaghela · ‎03-15-2019

@harishalipaka

loadjob might help you to combine results from multiple panels and populate 3rd panel.

Ref: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/loadjob

Can you please check below example?

<dashboard>
  <label>Sample Dashboard</label>
  <row>
    <panel>
      <title>Panel 1</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=1 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid1">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval no=5 | accum no</query>
          <finalized>
            <condition>
              <set token="JobSid2">$job.sid$</set>
            </condition>
          </finalized>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| loadjob $JobSid1$ | append [ | loadjob $JobSid2$ ]</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Thanks

harishalipaka · ‎03-15-2019

hi @kamlesh ji

that is fine,but am getting this error Error in 'SearchOperator:loadjob': Artifacts are unavailable because the job (job_id='byd_line0_admin_YnlkX2xpbmUwX2FkbWlu_YnlkX2xpbmUw__search9_1552645537.487912_8303C2C4-C724-4485-878E-DA1E31862275') is still running.

In my case those search will take more time

Thanks
Harish

kamlesh_vaghela · ‎03-15-2019

@harishalipaka

Can you please change <finalized> with <done> and try again?

harishalipaka · ‎03-15-2019

yes @kamlesh_vaghela ji,

i am also tried like this .Its working now
And one doubt is it working for all users are only for owner of that dashboard..?

ThanQ

Thanks
Harish

kamlesh_vaghela · ‎03-15-2019

@harishalipaka

It's depending on which permissions you gave to dashboard. But I think you have a confusion bcoz here we have used loadjob. I have assigned read permission to all roles and I'm able to access the dashboard with user role.

How to add two query results in xml dashboard?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk