loop to create new dashboard panels

codedtech · ‎08-30-2019

I have a list of 51 locations, and I want to create dashboard that displays the results of the query below in a separate panel for each site.

index= index cluster=""site=""| bin _time span=1d|eval time=(time)|eventstats sum(dscapacityGB) as capacity sum(dsfreeGB) as free sum(dsgarbageGB) as garbage sum(vmdkallocGB) as vmdkallocated sum(vmdkusedGB) as vmdkused by cluster, _time|eval allocated = round((capacity),2)|eval utilization= round(((vmdkused+garbage)-capacity),2)|chart sum(allocated) as allocated avg(capacity) as capacity by site|eval capacity=round(capacity,2)|eval allocated=round(allocated,2)

I could do this manually, but I wanted to know if there was a for loop that can do it for me.

jpolvino · ‎08-30-2019

I'm not aware of a loop feature, but when faced with this challenge, I've gone into the XML itself and copied the row blocks over and over.

  <row>
    <panel>
      <table>
        <title>Sunday</title>
        <search>
          <query>(your search)</query>
          <earliest>-6w@w</earliest>
          <latest>@w-1s</latest>
        </search>
        <format type="color" field="Duration">
          <colorPalette type="minMidMax" minColor="#FFFFFF" maxColor="#6A5C9E"></colorPalette>
          <scale type="minMidMax"></scale>
        </format>
      </table>
    </panel>
</row>

Then it's just a matter of find/replace.

You may want to consider grouping data into panels. Having 51 distinct panels may exceed the number of concurrent searches and perform slowly. Or have a drop-down to select the site. Yet another option is to have each one set up as a scheduled report, and then use those reports in the single big dashboard.

loop to create new dashboard panels

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor

Introducing Edge Processor: Next Gen Data Transformation