Display timechart by adding values from other panels

balash1979
Path Finder

I have 3 panels. Each panel runs a query and displays the result in timechart. This works fine.
Now, I would like to add a 4th panel and display the results from the first 3 panel queries in timechart. How can I achieve that?
I don't want to run the queries again in the 4th panel. Just need to display the total time = time1+time2+time3.

<row>
  <panel>
    <title>First panel</title>
    <chart>
      <search>
        <query> <<some_query>> | timechart avg(time1) </query>
      </search>
    </chart>
  </panel>
</row>

<row>
  <panel>
    <title>Second panel</title>
    <chart>
      <search>
        <query> <<some_query>> | timechart avg(time2) </query>
      </search>
    </chart>
  </panel>
</row>

<row>
  <panel>
    <title>Third panel</title>
    <chart>
      <search>
        <query> <<some_query>> | timechart avg(time3) </query>
      </search>
    </chart>
  </panel>
</row>
0 Karma
1 Solution

DavidHourani
Super Champion

Hi @balash1979, You're looking for total time as a timechart as well? The sum of averages doesn't really make sense, does it? What exactly are you trying to achieve and why don't you simply put the three charts and the total on the same panel?

0 Karma

niketn
Legend

@balash1979 if your three searches are correlated, then run a base search with results for the three panels and then perform post-processing to display individual series as per your needs. Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Examples_2

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
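
The base search with post-processing suggested in the answer above, sketched as an added example that is not part of the original thread. It assumes the three `<<some_query>>` searches can be expressed as one search; `index=app_timing`, `sourcetype=step_metrics`, the `timing_base` id, the 5-minute span and the time range are placeholders.

```xml
<dashboard>
  <label>Step timings</label>
  <!-- Runs once. Every panel below post-processes these results instead of
       searching again. Index and sourcetype are assumed placeholders. -->
  <search id="timing_base">
    <query>index=app_timing sourcetype=step_metrics
| timechart span=5m avg(time1) AS time1 avg(time2) AS time2 avg(time3) AS time3</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>First panel</title>
      <chart>
        <search base="timing_base"><query>| fields _time time1</query></search>
      </chart>
    </panel>
    <panel>
      <title>Second panel</title>
      <chart>
        <search base="timing_base"><query>| fields _time time2</query></search>
      </chart>
    </panel>
    <panel>
      <title>Third panel</title>
      <chart>
        <search base="timing_base"><query>| fields _time time3</query></search>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Total time</title>
      <chart>
        <!-- addtotals sums the three averages per time bucket into "total" -->
        <search base="timing_base">
          <query>| addtotals fieldname=total time1 time2 time3 | fields _time total</query>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>
```

Because all four panels read the same transformed result set, the total is computed over exactly the same time buckets as the individual series.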

arjunpkishore5
Motivator

Why do you not want to run the queries again? If it is for performance, I would suggest collecting the results to a summary index and running your fourth query against the summary index.

Another solution is to save your queries as a saved search which returns time1, time2, time3 or total based on a parameter.

0 Karma

balash1979
Path Finder

I have a product use case in which each panel is built to provide average times. But the overall start-to-end time is calculated by adding all the 3 different times, and hence I am adding the averages.

If I have all the 3 queries in the same panel and show the total, how can I accomplish that?

0 Karma

DavidHourani
Super Champion

You can appendcols multiple time charts and then simply use addtotals as @Sukisen1981 said.

To append time charts, have a look here:
https://answers.splunk.com/answers/7556/timechart-how-do-i-combine-these-two-charts-into-one.html

Let me know if that works for you!

0 Karma

balash1979
Path Finder

Thanks that works.

0 Karma

DavidHourani
Super Champion

Awesome! I changed this to an answer, please up-vote and accept it 🙂

0 Karma

Sukisen1981
Champion

hi @balash1979

Same question as @DavidHourani - Isn't having 1 panel with all 3 times and an addtotals to sum up the times a better option? In case your use case demands separation of the panels and you want a 4th panel displaying total times, the best way is to still write all 3 queries, do an addtotals and then display only the totals in a single panel.
You say - 'I don't want to run the queries again in the 4th panel', any reason? If you are worried about query execution time or performance and your base queries are taking long to load, it does not matter whether you have a 4th panel or not, the dashboard will still be slow. Can you please clarify?

0 Karma