I have 3 panels. Each panel runs a query and displays the result in timechart. This works fine.
Now , I would like to add a 4th panel and display the results from the first 3 panel queries in timechart. How can I achieve that ?
I dont want to run the queries again in the 4th panel. Just need to do display the total time = time1+time2+time3.
<row>
<panel>
<title>First panel</title>
<chart>
<search>
<query> <<some_query>> | timechart avg(time1) </query>
</search>
</chart>
</panel>
</row>
<row>
<panel>
<title>Second panel</title>
<chart>
<search>
<query> <<some_query>> | timechart avg(time2) </query>
</search>
</chart>
</panel>
</row>
<row>
<panel>
<title>Third panel</title>
<chart>
<search>
<query> <<some_query>> | timechart avg(time3) </query>
</search>
</chart>
</panel>
</row>
Hi @balash1979, You're looking for total time as a timechart as well ? The sum of averages doesn't really make sense does it ? What exactly are you trying to achieve and why don't you simply put the three charts and the total on the same panel ?
@balash1979 if your three searches are correlated then run a base search with results for three panel and then perform post processing to display individual series as per your needs. Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Examples_2
Why do you not want to run the queries again? IF it is for performance, I would suggest collecting the results to a summary index and running your fourth query against the summary index.
Another solution is to save your queries as a saved search which returns time1, time2, time3 or total based on a parameter.
Hi @balash1979, You're looking for total time as a timechart as well ? The sum of averages doesn't really make sense does it ? What exactly are you trying to achieve and why don't you simply put the three charts and the total on the same panel ?
I have a product use case in which each panel is built to provide average times. But the overall start to end time is calculated based by adding all the 3 different times and hence i am adding the averages.
If I have all the 3 queries in the same panel and show the total, how can i accomplish that ?
You can appendcols
multiple time charts and then simply use addtotals
as @Sukisen1981 said.
To append time charts have a look here :
https://answers.splunk.com/answers/7556/timechart-how-do-i-combine-these-two-charts-into-one.html
Let me know if that works for you!
Thanks that works.
Awesome ! I changed this to an answer, please up-vote and accept it 🙂
hi @balash1979
Same question as @DavidHourani - Isnt having 1 panel with all 3 times and a addtotals to sum up the times a better option? In case your use case demands separation of the panels and you want a 4th panel displaying total times, the best way is to still write all 3 queries, do a addtotals and then display only the totals in a single panel.
You say - 'I dont want to run the queries again in the 4th panel' , any reason? If you are worried about query execution time or performance and your base queries are taking long to load, it does not matter whether you have a 4th panel or not, the dashboard will still be slow. Can you please clarify?