Get multiple searches in one chart dynamically

Explorer

I have a line chart which has 10 lines, each produced by a different search string (I have 10 search strings combined to form 1 search string using | appendcols). I would like to have a checkbox to filter the lines on the chart. If I have to view line 1 and line 2, I should click on checkboxes line 1, line 2 and so on. Is it possible to have filters for each sub search string? I am aware that if we have 10 different dashboards, we can filter the panel based on the 'depends' command. I need all lines in one chart with a filtering option; it need not be a checkbox, it can be any other way (can be a multiselect drop-down).

0 Karma

Motivator

You can try the following code in your dashboard...

<panel>
 <input type="checkbox" token="showfields" searchWhenChanged="true">
  <label>Show fields in linechart</label>
  <choice value="field1">Show Field 1</choice>
  <choice value="field2">Show Field 2</choice>
  <choice value="field3">Show Field 3</choice>
  <prefix>fields </prefix>
 </input>
 <chart>
  <search>
   <query>your search here | $showfields$</query>
   .... more options ....
  </search>
 </chart>
</panel>

Of course you can use other input types (e.g. multiselect) for this. Just set the fields as token prefix and include the token in your search.
If you don't select any of the checkboxes, the line chart will not show and Splunk will display "search waiting for input", which is intended, as your line chart won't show any data if you have no lines selected.

0 Karma

SplunkTrust

@pprakash2... would you be able to add your current query... or mock up of existing query?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust

One of the easiest ways would be to use a checkbox to build a "fields -" string for all series you don't want to see, using a change event handler.

| fields - field1, field2, field3

The same approach will be quite complicated if you do not want to perform appendcols at all. You will still have to set the appendcols query for each series you want to display based on check box checked.

We would like to see your sample mock data and query to assist you further, because 10 appendcols in the same query might silently drop events while correlating. So you should re-evaluate whether you really need appendcols or not.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

index=y host=x source="abc.log" sourcetype=xyz (tab="x" OR tab="y")
|timechart span=1mon first(p) by tab |addtotals |fields _time, Total |rename Total as "A"
|appendcols [search index=y host=x source="abc.log" sourcetype=xyz (tab="d" OR tab="l")
|timechart span=1mon first(p) by tab |addtotals |fields _time, Total |rename Total as "B"]
|appendcols [search index=y host=x source="abc.log" sourcetype=xyz (tab="m" OR tab="n")
|timechart span=1mon first(p) by tab |addtotals |fields _time, Total |rename Total as "C"]
|appendcols [search index=y host=x source="abc.log" sourcetype=xyz (tab="p" OR tab="q")
|timechart span=1mon first(p) by tab |addtotals |fields _time, Total |rename Total as "D"]
|appendcols [search index=y host=x source="abc.log" sourcetype=xyz (tab="r")
|timechart span=1mon first(p) by tab |addtotals |fields _time, Total |rename Total as "E"]

0 Karma

Explorer

I have 5 search queries as above. I would like to have a filtering option on A, B, C, D, E, which are on the same chart. Is it possible?

0 Karma