Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Covert a Multi Panel Dashbaord into just three panels using dropdown aggregating data from multi sources ?

bapun18
Communicator
‎11-20-2019 03:19 AM

Hi Friends,
Please help me in building a dashboard query where i have to prepare a dashboard which should populate events for 3 Sources Suppose A,B and C with each ingesting 3 data types like Android ,IOS and JSON.

So I want to calculate Event Count , Size Count and show the ingested data in panel just by selecting Android ,IOS and JSON from one dropdown and selecting sources either A,B or C from From another.

For Example,
If i select B source from input drop down and IOS from another drop down then it should show me the event count and Size Count for Source-B IOS data in the below two panel one showing Size count and the other showing Size count.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-20-2019 05:16 AM

Hi @bapun18,
what do you mean with "dashboard query for the specific panels"?
in each panel you can find the search of that panel between the tags <query> and </query> , e.g. the search for the first Single Value panel is:

index=_internal $name$ $component$
| stats sum(ratio) AS ratio
| eval ratio=round(ratio,2)

where $name$ $component$ are the tokens from the dropdowns.

In this dashboard, you can see how to create the dropdowns and how to use them to filter searches in panels.

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-20-2019 03:43 AM

Hi @bapun18
see in the below example, you can find: two dropdowns, two single values and a table.
You can replace my fields name, component and group with your fields (source, type and model) 

<form>
  <label>test dropdowns</label>
  <fieldset submitButton="false">
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="name">
      <label>Name</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>name="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>name</fieldForValue>
      <search>
        <query>
          index=_internal
          | dedup name
          | sort name
          | table name
          </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
    </input>
    <input type="dropdown" token="component">
      <label>Component</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>component="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>
          index=_internal
          | dedup component
          | sort component
          | table component
          </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Sum</title>
      <single>
        <search>
          <query>
            index=_internal $name$ $component$
            | stats sum(ratio) AS ratio
            | eval ratio=round(ratio,2)
            </query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title>Count</title>
      <single>
        <search>
          <query>index=_internal $name$ $component$
            | stats count</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Values for Name</title>
      <table>
        <search>
          <query>index=_internal $name$ $component$
            | stats sum(ratio) AS ratio count AS Count BY group
            | eval ratio=round(ratio,2)</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Ciao.
Giuseppe

0 Karma
Reply

bapun18
Communicator
‎11-20-2019 05:09 AM

Hi gcusello ,
Thanks a lot for sharing the Xml code.
It would be great if you could share your the dashboard query for the specific panels.

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...