Dashboard Studio | Performing Calculations With Values Across Multiple Panels/Queries

victorcorrea
Path Finder

Hi all,

I am trying to figure out a way to, based on the data available in the table below, add a column to the Yesterday and Last Week's tables with the delta between the values:

victorcorrea_0-1739203238251.png

The queries in the panels are simple stats counts grouped by Site (BDC or SOC) with the addtotals command specified.

To display the values for yesterday and last week I am using time shifts within the query. As an example, this is the "yesterday's" timeshift:

[| makeresults
 | addinfo
 | eval earliest=info_min_time - 86400
 | eval latest=info_max_time - 86400
 | table earliest latest]

I need to add a column in both the Yesterday and LastWeek's tables that shows the volume's delta in comparison with Today.

I am trying to pass the results of the first query as a token so I can reference it in the other queries and use eval to calculate the delta, but I can't make it work.

This is the line I have added to the JSON to pass the result as a token:

"eventHandlers": [
    {
        "type": "action.setToken",
        "options": {
            "tokens": {
                "todayVolume": "$result.Count$"
            }
        }
    }
],

When I try this approach, Splunk complains that the token "$result.Count$" hasn't been set.

I was also exploring the idea of using chain searches, but I think Dynamic Tokens are a cleaner, more efficient solution.

I'd appreciate it if I could get some assistance with figuring this out.

Thank you in advance.

0 Karma

livehybrid
SplunkTrust

Instead of using event handlers to set tokens, I recommend using a base search and subsearches for a more robust solution. Here's an approach you could consider:

1. Create a base search that calculates the counts for today, yesterday, and last week in one go.
2. Use subsearches in your dashboard panels to reference the results from this base search.

Here's an example of how you might structure the base search (I haven't tested this, but hopefully you can apply it to your environment):

| makeresults
| eval _time=now()
| map search="search [your original search here] earliest=-1d | stats count by Site | eval period=\"today\""
| append [| map search="search [your original search here] earliest=-2d latest=-1d | stats count by Site | eval period=\"yesterday\""]
| append [| map search="search [your original search here] earliest=-8d latest=-7d | stats count by Site | eval period=\"lastweek\""]
| stats latest(count) as count by Site, period
| transpose column_name=period header_field=Site

 

Then, in your dashboard panels, you can use subsearches to reference this base search and calculate the deltas:

| eval delta_yesterday = today - yesterday
| eval delta_lastweek = today - lastweek

This approach eliminates the need for complex token manipulation and provides a more straightforward way to calculate and display the deltas you need.

0 Karma
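
An added example, not taken from either post above: one search that buckets events into the three periods and computes both deltas in a single table, with no tokens and no `map`. It assumes the events carry a `Site` field and that "today" means midnight up to now. Yesterday and last week are cut off at the same time of day so a partial day is never compared with a full one. The window fields (`today_start`, `y_start`, `w_start`, `elapsed`) are names made up for this sketch.

```spl
[your original search here] earliest=-7d@d latest=now
| eval today_start = relative_time(now(), "@d"),
       y_start     = relative_time(now(), "-1d@d"),
       w_start     = relative_time(now(), "-7d@d"),
       elapsed     = now() - today_start
| eval period = case(
    _time >= today_start, "today",
    _time >= y_start AND _time < y_start + elapsed, "yesterday",
    _time >= w_start AND _time < w_start + elapsed, "lastweek")
| where isnotnull(period)
| chart count over Site by period
| fillnull value=0 today yesterday lastweek
| eval delta_yesterday = today - yesterday,
       delta_lastweek  = today - lastweek
| addcoltotals labelfield=Site label="Total"
| table Site today yesterday lastweek delta_yesterday delta_lastweek
```

The `fillnull` step matters when a site has no events in one of the windows: without it the missing column makes the `eval` subtraction return null instead of a number.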