All Apps and Add-ons

Side View Utils - dynamic number of graphs based on search

kmugglet
Communicator

Hi all,
I'm wondering if there is any type of for-next solution in advanced xml or sideview utils.

I have a pool of servers which report their capacity, this server pool is growing so I would like to build a view which counts the number of servers and then produce one filler gauge chart per server.

So an initial search would produce a list of servers
Then need to iterate through the list, doing a search for stats specific to that server.
Produce a gauge/chart for that server
Rinse and repeat as necessary.....

Is this a job for python?

Cheers, Keith

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Take a look at the Multiplexer module... I'm afraid that's not in the LGPL version of SideviewUtils though. In a nutshell, the Multiplexer module takes a search result and clones the XML tree below the Multiplexer for each search result.
Doc is here: http://yoursplunkhost:8000/en-US/app/sideview_utils/multiplexer1_intro

As an alternative, you can configure a Table module to render charts in its cells... not sure if that's supported by LGPL SidevieUtils.
Doc is here: http://yoursplunkhost:8000/en-US/app/sideview_utils/table4_embedding

View solution in original post

0 Karma

sideview
SplunkTrust
SplunkTrust

You would use the Multiplexer module. Multiplexer is a very advanced module but here's what it does.

At Config Time: You give it one or more fields to look at and think about. You also give it a single branch of downstream modules. These might be just an HTML module, or might be a HiddenChartFormatter+JSChart, or a really complicated branch with inline drilldowns and form element modules.

At Runtime:
It looks at the current search results. For each row in the search results, it looks at the one or more fields you told it to look at. It clones its downstream config once per row, and sets the $field1$ and $field2$ tokens to be the field values from that results row.

Like all Sideview modules the Multiplexer module has a big documentation page within the app itself and it has a bunch of examples.

I recommend trying to make a datacube search if you can, so that you can use postProcess to carve up the results differently for each gauge, rather than dispatching one search for each guage. But you are free to do both. With the postprocess approach the Search will be upstream from the Multiplexer and a PostProcess module will be downstream. With the 'dispatch-a-search-for-every-row' approach you'll have a Search module downstream from the Multiplexer.

Multiplexer also works with the Pager module, and there's a whole example page about that. So if you have 10,000 things that all need their own fancy gauge, and you want the user to be able to sort and page through it, you can.

0 Karma

sideview
SplunkTrust
SplunkTrust

Sorry I didn't notice you'd tagged it with the old version. There aren't many holdouts using the old LGPL version - it's extremely out of date now. And the Table module isn't in there anyway. The Multiplexer module and the Table module with its embedding feature were developed at the same time in 2.X. Current Sideview Utils is 3.1.1

0 Karma

kmugglet
Communicator

Hi,
Thanks for your answer, it was a toss up as to who got the big tick 😉
The table module was easier for my purposes but as stated we currently use the LGPL version of SideView on our production boxes.

Thanks for the assistance.
Keith

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Take a look at the Multiplexer module... I'm afraid that's not in the LGPL version of SideviewUtils though. In a nutshell, the Multiplexer module takes a search result and clones the XML tree below the Multiplexer for each search result.
Doc is here: http://yoursplunkhost:8000/en-US/app/sideview_utils/multiplexer1_intro

As an alternative, you can configure a Table module to render charts in its cells... not sure if that's supported by LGPL SidevieUtils.
Doc is here: http://yoursplunkhost:8000/en-US/app/sideview_utils/table4_embedding

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

There's many more awesome features in the current version (I should get an advertisement fee!), so upgrading - even to a paid license if you're not eligible for the free internal use license - only has upsides.

0 Karma

sideview
SplunkTrust
SplunkTrust

the Table module and the embedding feature Martin is talking about is only available in Sideview Utils 2.X and later. The very old LGPL doesn't have any of these features. Table Embedding and the Multiplexer module were developed and released concurrently.

0 Karma

kmugglet
Communicator

Hi Martin,
Thanks for the pointers.
The table module does exactly what I need, but as you say it's not available in the LGPL version, so I shall have to inquire as to why we don't use the new version.
I didn't get a chance to look through the multiplexer module (path of least resistance!)
Thanks, Keith

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...