- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Optimal dashboard UI for selecting two events to c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Optimal dashboard UI for selecting two events to compare?
I've seen various questions about comparing two events in Splunk.
This question is specifically about designing a Splunk Web dashboard user interface to enable users to select two events to compare.
My initial thoughts involve two side-by-side events list visualizations, where each events list has an associated time picker UI control:
- You use the time picker for the events list on the left to narrow that events list to include one of the events you want to compare, and then you click that event. Drilldown settings for the events list would use that click to set a token, or tokens, that can be used to refer to that specific event in a search.
- Same for the other event, using the time picker and its events list on the right.
However, I haven't yet got around to implementing this in practice. It occurs to me that, although I haven't found an exact duplicate question, this is likely to be a common use case—a problem already solved—so I thought I'd ask here first.
What arrangement of UI controls and visualizations in a dashboard is generally regarded as optimal for selecting two events from two different time periods, where the time periods might be arbitrarily different? For example, we're not necessarily comparing events for the same time-of-day on two different days.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Graham_Hannington ,
Here is a run anywhere example. You may choose the visualizations suitable to represent your data .
1. Left panel displays count of sourcetype per 5 minutes - controlled via time picker assigned for the panel
2. RIght panel gets avg (count/5minutes) - controlled via time picker assigned for the panel
3. Bottom panel displays event information based on the sourcetype selected from left panel. This can be repeated for right panel as well
<form>
<label>Event Comparison</label>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<input type="time" token="field1">
<label></label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
<chart>
<search>
<query>index=_internal|timechart span=5m count by sourcetype</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.drilldown">all</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<set token="sourcetype">$click.name2$</set>
</drilldown>
</chart>
</panel>
<panel>
<input type="time" token="field2">
<label></label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
<chart>
<search>
<query>index=_internal|timechart span=5m count by sourcetype
|untable _time,sourcetype,count|stats avg(count) as avg by sourcetype|eval avg=round(avg,2)</query>
<earliest>-4h@m</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<event>
<search>
<query>index=_internal sourcetype="$sourcetype$"</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
</form>
What goes around comes around. If it helps, hit it with Karma 🙂
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
