- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Get multiple searches in one chart dynamically
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Get multiple searches in one chart dynamically
I have a line chart which has 10 lines, each produced by different search strings ( I have 10 search strings combined to form 1 search string using |appendcols ). I would like to have a checkbox to filter the lines on the chart. If i have to view line 1 and line 2, i should click on checkboxes line 1 , line2 and so on. is it possible to have filters each sub search strings. I am aware if we have 10 different dashboards, we can filter the panel based on the 'depends' command. I need all lines in one chart with filtering option, need not be checkbox, can be any other ways (can be multiselect drop down).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try the following code in your dashboard...
<panel>
<input type="checkbox" token="showfields" searchWhenChanged="true">
<label>Show fields in linechart</label>
<choice value="field1">Show Field 1</choice>
<choice value="field2">Show Field 2</choice>
<choice value="field3">Show Field 3</choice>
<prefix>fields </prefix>
</input>
<chart>
<search>
<query>your search here | $showfields$</query>
.... more options ....
</search>
</chart>
</panel>
Of course you can use other input types (e.g. multiselect) for this. Just set the fields as token prefix and include the token in your search.
If you don't select any of the checkboxes the linechart will not show and splunk will display "search waiting for input" which is intended, as your linechart won't show any data if you have no lines selected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@pprakash2... would you be able to add your current query... or mock up of existing query?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One of the easiest way would be to use check box to build field - string for all series you don't want to see using change event handler.
| fields - field1, field2, field3
The same approach will be quite complicated if you do not want to perform appendcols at all. You will still have to set the appendcols query for each series you want to display based on check box checked.
We would like to see you sample mock data and query to assist you further, because 10 appendcols in the same query might silently drop events while correlating. So you should re-evaluate whether you really need appendcols or not.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=y host=x source="abc.log" sourcetype=xyz (tab="x" OR tab="y")
|timechart span=1mon first(p) by tab |addtotals |fields _time, Total |rename Total as "A"
|appendcols [search index=y host=x source="abc.log" sourcetype=xyz (tab="d" OR tab="l")
|timechart span=1mon first(p) by tab |addtotals |fields _time, Total |rename Total as "B"]
|appendcols [search index=y host=x source="abc.log" sourcetype=xyz (tab="m" OR tab="n")
|timechart span=1mon first(p) by tab |addtotals |fields _time, Total |rename Total as "C"]
|appendcols [search index=y host=x source="abc.log" sourcetype=xyz (tab="p" OR tab="q")
|timechart span=1mon first(p) by tab |addtotals |fields _time, Total |rename Total as "D"]
|appendcols [search index=y host=x source="abc.log" sourcetype=xyz (tab="r")
|timechart span=1mon first(p) by tab |addtotals |fields _time, Total |rename Total as "E"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have 5 search queries as above, i would like to have filtering option on A, B,C, D,E. which are on same chart. is it possible?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
