Dashboards & Visualizations

show all panels output to single panel in a dashabord

kranthimutyala
Path Finder

Hi Splunkers,

I have 6 panels in my dashboard and all the panels have different underlying query but the output fields in the panel stats table are same and the results in all the panels look like the below sample table.

I want to club all the results into a single panel/table at the end.So i just want to display one panel which contains the results from all the other panels.

Thank you.

user action time object group difference modifier
zbc xyz 10-Sep hddh dj-dhdh 6 jhyy
dhdh cnnc 10-Sep fhfhf jjj-ggg 8 gg

0 Karma
1 Solution

ololdach
Builder

Hi,
I assume that you just want one final table in your dashboard and not 6 sub-tables plus one final. Nevertheless, the approach to solve this question is the same. What I suggest is to cascade the searches:

<dashboard>
<label>Test Dashboard</label>
<search id="result1">
<query>
  | makeresults | eval user="zbc" | eval action="xyz" | eval time="10-Sep" | eval object="hddh" | eval difference="1" 
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<search id="result2" base="result1">
<query>
  |append [ | makeresults | eval user="zyy" | eval action="Qyz" | eval time="11-Sep" | eval object="hddh" | eval difference="2" ]
</query>
</search>
<search id="result3" base="result2">
<query>
  |append [ | makeresults | eval user="zyty" | eval action="QQyz" | eval time="12-Sep" | eval object="hddh" | eval difference="3" ]
</query>
</search>
<row>
<panel>
  <table>
    <title>Result Table</title>
    <search base="result3">
      <query>|table *</query>

    </search>
  </table>
</panel>
</row>
</dashboard>

This executes the searches sequentially and appends the results
Hope it helps
Oliver

View solution in original post

0 Karma

woodcock
Esteemed Legend

Do it like this:

Your Search Here with all stuff combined
| multireport
[ stats some stuff here]
...
[ stats other stuff here]
0 Karma

ololdach
Builder

Hi woodcock, do you refer to multisearch?

0 Karma

ololdach
Builder

Hi,
I assume that you just want one final table in your dashboard and not 6 sub-tables plus one final. Nevertheless, the approach to solve this question is the same. What I suggest is to cascade the searches:

<dashboard>
<label>Test Dashboard</label>
<search id="result1">
<query>
  | makeresults | eval user="zbc" | eval action="xyz" | eval time="10-Sep" | eval object="hddh" | eval difference="1" 
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<search id="result2" base="result1">
<query>
  |append [ | makeresults | eval user="zyy" | eval action="Qyz" | eval time="11-Sep" | eval object="hddh" | eval difference="2" ]
</query>
</search>
<search id="result3" base="result2">
<query>
  |append [ | makeresults | eval user="zyty" | eval action="QQyz" | eval time="12-Sep" | eval object="hddh" | eval difference="3" ]
</query>
</search>
<row>
<panel>
  <table>
    <title>Result Table</title>
    <search base="result3">
      <query>|table *</query>

    </search>
  </table>
</panel>
</row>
</dashboard>

This executes the searches sequentially and appends the results
Hope it helps
Oliver

0 Karma

kranthimutyala
Path Finder

I tried but not able to see any results being generated.Can you please provide sample run anywhere code .Thank you

0 Karma

ololdach
Builder

Please create an empty dashboard, edit source and paste the code that I've inserted above.
Oliver

0 Karma

kranthimutyala
Path Finder

Thanks for the update, but the export option for the result table panel is disabled .How to make that enable and download the CSV file

0 Karma

ololdach
Builder

It is a known bug when using the base search feature. Please take a look at the "base-search" feature documentation. You can always press the "open in search". Once you have opened it in a new search window, you can export to csv. Alternatively, you could use the outputcsv command: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Outputcsv

0 Karma

niketn
Legend

@kranthimutyala could you add more details as to why you have six different panels for similar results? What is the difference between each of the 6 different panels?

Also for the community to assist you better if you can provide your current SPL and sample data output for each of the six panels that would be great.

Please mock/anonymize any sensitive information before posting on Splunk Answers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...