Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Passing Token values to Overlay field in the line chart

sanjai
Explorer
2 weeks ago

Hi Splunkers,

I am working on creating a column line chart dashboard that shows database lattency . I'm encountering a issue where I'm trying to pass a token value to overlay options for line chart representation over a column chart. Here are things currently i have,

My Chart and My SPL query:

sanjai_0-1713765156076.png

 

SPL:

index=development sourcetype=rwa_custom_function user_action=swmfs_test ds_file=*
| eval ds_file_path=ds_path."\\".ds_file
| chart avg(ms_per_block) as avg_processing_time_per_block over ds_file_path by machine
| appendcols
[search index=development sourcetype=rwa_custom_function user_action=swmfs_test ds_file=*
| eval ds_file_path=ds_path."\\".ds_file
| stats max(block_count) as total_blocks by ds_file_path]


sanjai_1-1713765156659.png

I need to assign the overlay field value(avg_processing_time_per_block )from the line in SPL:


| chart avg(ms_per_block) as avg_processing_time_per_block over ds_file_path by machine

The reason I'm attempting to assign it as a token is that the avg_processing_time_per_block has dynamic values (sometimes it may be 10 or 12 machines data ).instead of rwmini and rwws01.

Column has total_blocks value  

Or is there any ways to achieve this requirement?

Your thoughts on these are highly appreciated. Thank you in advance.

Sanjai

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

You could have a separate (hidden) panel which generates the value of the token that you use to set the overlay fields for this  panel

0 Karma
Reply

sanjai
Explorer
2 weeks ago

Hi @ITWhisperer 
Thanks for reply ,

I understand ,
But correct me if i'm wrong

1.If i have a seperate hidden panel that gives my token value (avg_processing_time_per_block )

2.Then how can i assign the token $avg_processing_time_per_block$ value to overlay Fields

like these?
<option name="charting.chart.overlayFields">$avg_processing_time_per_block$ </option>

or 
<option name="charting.chart.overlayFields">avg_processing_time_per_block </option>

if i gives these a token then line chart have a single line named avg_processing_time_per_block but the requirement is the avg_processing_time_per_block has dynamic value 

My need is to how to assign the avg_processing_time_per_block value as token in  charting.chart.overlayFields

thanks,

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

As you are probably aware, the list of overlay fields is a comma-separated list of field name, so that's what you need in your token. You could try something like this

| stats values(machine) as avg_processing_time_per_block
| eval avg_processing_time_per_block=mvjoin(avg_processing_time_per_block,",")

You would then set your token on the done block of the search, using this field from the (first) results row and use it in your display panel settings

<option name="charting.chart.overlayFields">$avg_processing_time_per_block$ </option>

 

Reply

sanjai
Explorer
a week ago

Thanks @ITWhisperer  , it worked 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...