Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Covert a Multi Panel Dashbaord into just three panels using dropdown aggregating data from multi sources ?

bapun18
Communicator
‎11-20-2019 03:19 AM

Hi Friends,
Please help me in building a dashboard query where i have to prepare a dashboard which should populate events for 3 Sources Suppose A,B and C with each ingesting 3 data types like Android ,IOS and JSON.

So I want to calculate Event Count , Size Count and show the ingested data in panel just by selecting Android ,IOS and JSON from one dropdown and selecting sources either A,B or C from From another.

For Example,
If i select B source from input drop down and IOS from another drop down then it should show me the event count and Size Count for Source-B IOS data in the below two panel one showing Size count and the other showing Size count.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-20-2019 05:16 AM

Hi @bapun18,
what do you mean with "dashboard query for the specific panels"?
in each panel you can find the search of that panel between the tags <query> and </query> , e.g. the search for the first Single Value panel is:

index=_internal $name$ $component$
| stats sum(ratio) AS ratio
| eval ratio=round(ratio,2)

where $name$ $component$ are the tokens from the dropdowns.

In this dashboard, you can see how to create the dropdowns and how to use them to filter searches in panels.

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-20-2019 03:43 AM

Hi @bapun18
see in the below example, you can find: two dropdowns, two single values and a table.
You can replace my fields name, component and group with your fields (source, type and model) 

<form>
  <label>test dropdowns</label>
  <fieldset submitButton="false">
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="name">
      <label>Name</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>name="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>name</fieldForValue>
      <search>
        <query>
          index=_internal
          | dedup name
          | sort name
          | table name
          </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
    </input>
    <input type="dropdown" token="component">
      <label>Component</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>component="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>
          index=_internal
          | dedup component
          | sort component
          | table component
          </query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Sum</title>
      <single>
        <search>
          <query>
            index=_internal $name$ $component$
            | stats sum(ratio) AS ratio
            | eval ratio=round(ratio,2)
            </query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title>Count</title>
      <single>
        <search>
          <query>index=_internal $name$ $component$
            | stats count</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Values for Name</title>
      <table>
        <search>
          <query>index=_internal $name$ $component$
            | stats sum(ratio) AS ratio count AS Count BY group
            | eval ratio=round(ratio,2)</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Ciao.
Giuseppe

0 Karma
Reply

bapun18
Communicator
‎11-20-2019 05:09 AM

Hi gcusello ,
Thanks a lot for sharing the Xml code.
It would be great if you could share your the dashboard query for the specific panels.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...