Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Covert a Multi Panel Dashbaord into just three panels using dropdown aggregating data from multi sources ?

bapun18
Communicator
‎11-20-2019 03:19 AM

Hi Friends,
Please help me in building a dashboard query where i have to prepare a dashboard which should populate events for 3 Sources Suppose A,B and C with each ingesting 3 data types like Android ,IOS and JSON.

So I want to calculate Event Count , Size Count and show the ingested data in panel just by selecting Android ,IOS and JSON from one dropdown and selecting sources either A,B or C from From another.

For Example,
If i select B source from input drop down and IOS from another drop down then it should show me the event count and Size Count for Source-B IOS data in the below two panel one showing Size count and the other showing Size count.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-20-2019 05:16 AM

Hi @bapun18,
what do you mean with "dashboard query for the specific panels"?
in each panel you can find the search of that panel between the tags <query> and </query> , e.g. the search for the first Single Value panel is:

index=_internal $name$ $component$
| stats sum(ratio) AS ratio
| eval ratio=round(ratio,2)

where $name$ $component$ are the tokens from the dropdowns.

In this dashboard, you can see how to create the dropdowns and how to use them to filter searches in panels.

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-20-2019 03:43 AM

Hi @bapun18
see in the below example, you can find: two dropdowns, two single values and a table.
You can replace my fields name, component and group with your fields (source, type and model) 

<form>
  <label>test dropdowns</label>
  <fieldset submitButton="false">
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="name">
      <label>Name</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>name="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>name</fieldForValue>
      <search>
        <query>
          index=_internal
          | dedup name
          | sort name
          | table name
          </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
    </input>
    <input type="dropdown" token="component">
      <label>Component</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>component="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>
          index=_internal
          | dedup component
          | sort component
          | table component
          </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Sum</title>
      <single>
        <search>
          <query>
            index=_internal $name$ $component$
            | stats sum(ratio) AS ratio
            | eval ratio=round(ratio,2)
            </query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title>Count</title>
      <single>
        <search>
          <query>index=_internal $name$ $component$
            | stats count</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Values for Name</title>
      <table>
        <search>
          <query>index=_internal $name$ $component$
            | stats sum(ratio) AS ratio count AS Count BY group
            | eval ratio=round(ratio,2)</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Ciao.
Giuseppe

0 Karma
Reply

bapun18
Communicator
‎11-20-2019 05:09 AM

Hi gcusello ,
Thanks a lot for sharing the Xml code.
It would be great if you could share your the dashboard query for the specific panels.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...