
Convert a Multi Panel Dashboard into just three panels using dropdowns aggregating data from multiple sources?

bapun18
Communicator

Hi Friends,
Please help me build a dashboard query. I have to prepare a dashboard that populates events for 3 sources, say A, B and C, each ingesting 3 data types: Android, IOS and JSON.

So I want to calculate Event Count and Size Count and show the ingested data in a panel just by selecting Android, IOS or JSON from one dropdown and selecting a source, either A, B or C, from another.

For Example,
If I select source B from one input dropdown and IOS from another dropdown, then it should show me the event count and Size Count for Source-B IOS data in the two panels below, one showing Size count and the other showing Size count.

0 Karma

gcusello
SplunkTrust

Hi @bapun18,
what do you mean by "dashboard query for the specific panels"?
in each panel you can find the search of that panel between the tags <query> and </query> , e.g. the search for the first Single Value panel is:

index=_internal $name$ $component$
| stats sum(ratio) AS ratio
| eval ratio=round(ratio,2)

where $name$ $component$ are the tokens from the dropdowns.

In this dashboard, you can see how to create the dropdowns and how to use them to filter searches in panels.

Ciao.
Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @bapun18
see the example below, where you can find two dropdowns, two single values and a table.
You can replace my fields name, component and group with your fields (source, type and model)

<form>
  <label>test dropdowns</label>
  <fieldset submitButton="false">
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="name">
      <label>Name</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>name="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>name</fieldForValue>
      <search>
        <query>
          index=_internal
          | dedup name
          | sort name
          | table name
          </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
    </input>
    <input type="dropdown" token="component">
      <label>Component</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>component="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>
          index=_internal
          | dedup component
          | sort component
          | table component
          </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Sum</title>
      <single>
        <search>
          <query>
            index=_internal $name$ $component$
            | stats sum(ratio) AS ratio
            | eval ratio=round(ratio,2)
            </query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title>Count</title>
      <single>
        <search>
          <query>index=_internal $name$ $component$
            | stats count</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Values for Name</title>
      <table>
        <search>
          <query>index=_internal $name$ $component$
            | stats sum(ratio) AS ratio count AS Count BY group
            | eval ratio=round(ratio,2)</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Ciao.
Giuseppe

0 Karma
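
The asker's case (sources A, B and C; data types Android, IOS and JSON) adapted from the dashboard above, as an added example that is not part of either poster's reply. The index `my_index` and the fields `ingest_source` and `data_type` are placeholder names, and size is approximated as the character length of `_raw`; the `|s` token filter quotes each dropdown value when it is substituted into the search.

```xml
<form>
  <label>Ingestion by source and data type</label>
  <fieldset submitButton="false">
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- my_index, ingest_source, data_type are placeholders; static choices fix the allowed token values -->
    <input type="dropdown" token="src">
      <label>Source</label>
      <choice value="A">A</choice>
      <choice value="B">B</choice>
      <choice value="C">C</choice>
      <default>A</default>
    </input>
    <input type="dropdown" token="dtype">
      <label>Data type</label>
      <choice value="Android">Android</choice>
      <choice value="IOS">IOS</choice>
      <choice value="JSON">JSON</choice>
      <default>Android</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Event count</title>
      <single>
        <!-- $token|s$ wraps the selected value in quotes before it reaches the search -->
        <search>
          <query>index=my_index ingest_source=$src|s$ data_type=$dtype|s$ | stats count</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
        </search>
      </single>
    </panel>
    <panel>
      <title>Size (characters of _raw)</title>
      <single>
        <search>
          <query>index=my_index ingest_source=$src|s$ data_type=$dtype|s$ | eval bytes=len(_raw) | stats sum(bytes) AS bytes</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
        </search>
      </single>
    </panel>
  </row>
</form>
```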

bapun18
Communicator

Hi gcusello,
Thanks a lot for sharing the XML code.
It would be great if you could share the dashboard query for the specific panels.

0 Karma