Hi Splunkers,
I have 6 panels in my dashboard and all the panels have different underlying queries, but the output fields in the panel stats tables are the same and the results in all the panels look like the sample table below.
I want to club all the results into a single panel/table at the end. So I just want to display one panel which contains the results from all the other panels.
Thank you.
user  action  time    object  group    difference  modifier
zbc   xyz     10-Sep  hddh    dj-dhdh  6           jhyy
dhdh  cnnc    10-Sep  fhfhf   jjj-ggg  8           gg
Hi,
I assume that you just want one final table in your dashboard and not 6 sub-tables plus one final. Nevertheless, the approach to solve this question is the same. What I suggest is to cascade the searches:
<dashboard>
  <label>Test Dashboard</label>
  <search id="result1">
    <query>
      | makeresults | eval user="zbc" | eval action="xyz" | eval time="10-Sep" | eval object="hddh" | eval difference="1"
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <search id="result2" base="result1">
    <query>
      |append [ | makeresults | eval user="zyy" | eval action="Qyz" | eval time="11-Sep" | eval object="hddh" | eval difference="2" ]
    </query>
  </search>
  <search id="result3" base="result2">
    <query>
      |append [ | makeresults | eval user="zyty" | eval action="QQyz" | eval time="12-Sep" | eval object="hddh" | eval difference="3" ]
    </query>
  </search>
  <row>
    <panel>
      <table>
        <title>Result Table</title>
        <search base="result3">
          <query>|table *</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
This executes the searches sequentially and appends the results.
Hope it helps.
Oliver
Do it like this:
Your Search Here with all stuff combined
| multireport
[ stats some stuff here]
...
[ stats other stuff here]
Hi woodcock, do you refer to multisearch?
I tried but am not able to see any results being generated. Can you please provide sample run-anywhere code? Thank you.
Please create an empty dashboard, edit source and paste the code that I've inserted above.
Oliver
Thanks for the update, but the export option for the result table panel is disabled. How do I enable it and download the CSV file?
It is a known bug when using the base search feature. Please take a look at the "base-search" feature documentation. You can always press the "open in search". Once you have opened it in a new search window, you can export to csv. Alternatively, you could use the outputcsv command: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Outputcsv
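Added example (not part of the original thread): a Python sketch that resolves each panel's base= chain in a Simple XML dashboard into one standalone SPL string, which can be run in an ordinary search window where CSV export is available. The embedded dashboard is a constructed, shortened version of the one posted above, the function names are hypothetical, and it assumes post-process queries are joined to their base search with a pipe and take their time range from the root search.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a shortened version of the cascaded dashboard in the thread.
DASHBOARD_XML = """
<dashboard>
  <search id="result1">
    <query>| makeresults | eval user="zbc" | eval difference="1"</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <search id="result2" base="result1">
    <query>|append [ | makeresults | eval user="zyy" | eval difference="2" ]</query>
  </search>
  <row><panel><table>
    <search base="result2"><query>|table *</query></search>
  </table></panel></row>
</dashboard>
"""

def flatten_search(search, by_id):
    """Follow base= links up to the root search; return (spl, earliest, latest)."""
    chain, seen, node = [], set(), search
    while node is not None:
        if id(node) in seen:
            raise ValueError("circular base= reference")
        seen.add(id(node))
        chain.append(node)
        base = node.get("base")
        if base is not None and base not in by_id:
            raise ValueError(f"unknown base search {base!r}")
        node = by_id[base] if base is not None else None
    chain.reverse()  # root search first, panel search last
    root = chain[0]
    parts = [(root.findtext("query") or "").strip()]
    for post in chain[1:]:
        # Post-process queries are piped onto the base, so drop a leading "|".
        parts.append((post.findtext("query") or "").strip().lstrip("|").strip())
    spl = " | ".join(p for p in parts if p)
    # Assumption: the time range comes from the root search only.
    return spl, root.findtext("earliest"), root.findtext("latest")

def flatten_panels(xml_text):
    """Return one standalone (spl, earliest, latest) tuple per panel search."""
    tree = ET.fromstring(xml_text)
    by_id = {s.get("id"): s for s in tree.iter("search") if s.get("id")}
    return [flatten_search(s, by_id)
            for panel in tree.iter("panel") for s in panel.iter("search")]

if __name__ == "__main__":
    for spl, earliest, latest in flatten_panels(DASHBOARD_XML):
        print(f"earliest={earliest} latest={latest}\n{spl}")
```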
@kranthimutyala could you add more details as to why you have six different panels for similar results? What is the difference between each of the 6 different panels?
Also for the community to assist you better if you can provide your current SPL and sample data output for each of the six panels that would be great.
Please mock/anonymize any sensitive information before posting on Splunk Answers.