Create two visualizations from same data set in a ...

kentont1 · ‎02-17-2021

I have a search query that returns a list of transactions and their times. I've used that to create two kinds of visualizations: a timechart showing fluctuations over time and single value gauges showing summary values for the time period. In my dashboard, I have these as two separate panels, which I assume results in two separate queries for the same dataset, which seems like a waste of resources.... Is there a way for two visualizations to reference the same data set?

BTW, I assume that something like this is possible using Splunk datasets, but I don't believe my admin has given me permission to generate them 😞 So is there any way of doing this just within the dashboard itself without using datasets?

adityakhetan · ‎02-17-2021

You can use base search in your dashboard. In that case your query will run only once.

<dashboard>
<label>NAME</lbael>
<search id="baseSearch">
    <query>
       index=xyz sourcetype=abc ....
    </query>
</search>
<row>
    <panel>
      <chart>
        <title>PANEL 1</title>
        <search base="baseSearch">
          <query>
            | timechart .....
          </query>
        </search>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Panel 2</title>
        <search base="baseSearch">
          <query>
            | stats count ....
          </query>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>

So your search will run once and transforming commands on the result set will be applied in each panel.

Create two visualizations from same data set in a dashboard

panel

table

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM