Dashboards & Visualizations

Combining two results into one CSV file from Dashboard

earakam
Path Finder

Hi

I am trying to figure out this.

In dashboard, i have two different panels with different searches.
How can I combine those two results by clicking the "export" button on the bottom left to output as one CSV file.
I know that I can do this if i use CLI search or some scripts, but I specifically want to do this from UI in Dashboard.

Could someone help me with this?

Thank you.

Tags (1)
0 Karma
1 Solution

chimell
Motivator

Hi
If your xml code is like this:

<form>
   <label>Show Hide Using checkbox</label>
     <row>
     <panel>
       <table >
         <search>
           <query>index=_internal | stats c by sourcetype</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
         </search>
       </table>
     </panel>
     <panel>
       <table >
         <search>
           <query>index=_internal | stats c by host</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
         </search>
       </table>
     </panel>
   </row>
 </form>

I advise you firstly to combine your two searches in on search and use outputcsv command to export a result

index=_internal | stats c by sourcetype|appendcols[search index=_internal | stats c by host]|outputcsv myresult

Or secondly use this option in advance xml to export you result:

 <module name="Export"/>

View solution in original post

0 Karma

chimell
Motivator

Hi
If your xml code is like this:

<form>
   <label>Show Hide Using checkbox</label>
     <row>
     <panel>
       <table >
         <search>
           <query>index=_internal | stats c by sourcetype</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
         </search>
       </table>
     </panel>
     <panel>
       <table >
         <search>
           <query>index=_internal | stats c by host</query>
           <earliest>-60m@m</earliest>
           <latest>now</latest>
         </search>
       </table>
     </panel>
   </row>
 </form>

I advise you firstly to combine your two searches in on search and use outputcsv command to export a result

index=_internal | stats c by sourcetype|appendcols[search index=_internal | stats c by host]|outputcsv myresult

Or secondly use this option in advance xml to export you result:

 <module name="Export"/>
0 Karma

earakam
Path Finder

thanks chimell!

0 Karma

chimell
Motivator

good thanks

0 Karma

chimell
Motivator

Hi
I forget to rename the second count c as c1 to make difference
use the following

 index=_internal | stats c by sourcetype|appendcols[search index=_internal | stats c as c1 by host]|outputcsv myresult
0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...