Convert a Multi Panel Dashboard into just three panels using dropdown aggregating data from multi sources?

bapun18
Communicator

Hi Friends,
Please help me in building a dashboard query where I have to prepare a dashboard which should populate events for 3 sources, suppose A, B and C, with each ingesting 3 data types like Android, IOS and JSON.

So I want to calculate Event Count, Size Count and show the ingested data in a panel just by selecting Android, IOS and JSON from one dropdown and selecting sources either A, B or C from another.

For example,
if I select B source from the input dropdown and IOS from another dropdown, then it should show me the event count and Size Count for Source-B IOS data in the below two panels, one showing Size count and the other showing Size count.

0 Karma

gcusello
SplunkTrust

Hi @bapun18,
what do you mean by "dashboard query for the specific panels"?
In each panel you can find the search of that panel between the tags <query> and </query>, e.g. the search for the first Single Value panel is:

index=_internal $name$ $component$
| stats sum(ratio) AS ratio
| eval ratio=round(ratio,2)

where $name$ $component$ are the tokens from the dropdowns.

In this dashboard, you can see how to create the dropdowns and how to use them to filter searches in panels.

Ciao.
Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @bapun18,
see the example below, where you can find two dropdowns, two single values and a table.
You can replace my fields name, component and group with your fields (source, type and model).

<form>
  <label>test dropdowns</label>
  <fieldset submitButton="false">
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="name">
      <label>Name</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>name="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>name</fieldForValue>
      <search>
        <query>
          index=_internal
          | dedup name
          | sort name
          | table name
          </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
    </input>
    <input type="dropdown" token="component">
      <label>Component</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>component="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>
          index=_internal
          | dedup component
          | sort component
          | table component
          </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Sum</title>
      <single>
        <search>
          <query>
            index=_internal $name$ $component$
            | stats sum(ratio) AS ratio
            | eval ratio=round(ratio,2)
            </query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title>Count</title>
      <single>
        <search>
          <query>index=_internal $name$ $component$
            | stats count</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Values for Name</title>
      <table>
        <search>
          <query>index=_internal $name$ $component$
            | stats sum(ratio) AS ratio count AS Count BY group
            | eval ratio=round(ratio,2)</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Ciao.
Giuseppe

0 Karma

bapun18
Communicator

Hi gcusello,
Thanks a lot for sharing the XML code.
It would be great if you could share the dashboard query for the specific panels.

0 Karma
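
An added example, not part of the original thread: the same dropdown pattern adapted to the question's three sources and three data types, with one base search feeding an event-count panel and a size panel. The index name and the fields src_name and data_type are placeholders, and size is assumed to be the character length of _raw; the |s token filter quotes each dropdown value so it is treated as a literal field value rather than as search syntax.

```xml
<form>
  <label>Ingest by source and data type (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Static choices: the three sources named in the question -->
    <input type="dropdown" token="src">
      <label>Source</label>
      <choice value="A">A</choice>
      <choice value="B">B</choice>
      <choice value="C">C</choice>
      <default>A</default>
    </input>
    <input type="dropdown" token="dtype">
      <label>Data type</label>
      <choice value="Android">Android</choice>
      <choice value="IOS">IOS</choice>
      <choice value="JSON">JSON</choice>
      <default>Android</default>
    </input>
  </fieldset>
  <!-- Assumed names: your_index, src_name, data_type. Runs once per selection. -->
  <search id="ingest">
    <query>index=your_index src_name=$src|s$ data_type=$dtype|s$
      | eval bytes=len(_raw)
      | stats count AS events sum(bytes) AS bytes</query>
    <earliest>$Time.earliest$</earliest>
    <latest>$Time.latest$</latest>
  </search>
  <row>
    <panel>
      <title>Event count</title>
      <single>
        <search base="ingest"><query>| fields events</query></search>
      </single>
    </panel>
    <panel>
      <title>Size (characters of _raw)</title>
      <single>
        <search base="ingest"><query>| fields bytes</query></search>
      </single>
    </panel>
  </row>
</form>
```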