Dashboards & Visualizations

Dependent date on charts

shuaiscottusaa
Engager

I was trying to build a dashboard that displayed data in a table for a certain date and also display the same table layout for a date 7 days behind.

Is there a way to show both tables with only one TimeRangePicker?

Tags (1)
0 Karma

jkat54
SplunkTrust
SplunkTrust

You can use appendcols in your search:

Here's an example to show disk usage -18h@h - 16h@h ago to disk usage -2h@h - @h.

sourcetype="*disk*" counter="% Free Space" NOT _Total earliest="-18h@h" latest="-16h@h"|eval "NewValue"=round(Value,0)| stats min("NewValue") by host|rename host as Hostname min(NewValue) as "Percent Free -18h@h - -16h@h"| appendcols[search sourcetype="*disk*" counter="% Free Space" NOT _Total earliest="-2h@h" latest="@h"|eval "NewValue1"=round(Value,0)| stats min("NewValue1") by host|rename host as Hostname min(NewValue1) as "Percent Free -2h@h - @h"] Only make your appendcols search the constant and your 1st search the dynamic one to be changed by TimeRangePicker.

Here's an example advanced xml snippet:

<module name="HiddenSearch" layoutPanel="panel_row1_col1" group="GroupName" autoRun="True">
<param name="search">sourcetype="*disk*" counter="% Free Space" NOT _Total 
|eval "NewValue"=round(Value,0)
|stats min("NewValue") by host
|rename host as Hostname min(NewValue) as "Percent Free -18h@h - -16h@h"
|appendcols[search sourcetype="*disk*" counter="% Free Space" NOT _Total earliest="$1$" latest="$2$"
|eval "NewValue1"=round(Value,0)
|stats min("NewValue1") by host
|rename host as Hostname min(NewValue1) as "Percent Free $1$ - $2$"]</param>

<param name="groupLabel">SMTP Search</param>
<module name="ViewstateAdapter">

<module name="TimeRangePicker">
    <param name="default">Last 7 days</param>
    <param name="searchWhenChanged">True</param>
<module name="ExtendedFieldSearch">
  <param name="field">Keyword 1</param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
        <param name="1">
            <param name="fillOnEmpty">True</param>
            <param name="value"></param>
        </param>
    </param>
  </param>
  <param name="replacementMap">
    <param name="arg">
      <param name="1">
          <param name="value">Default Earliest Time</param>
      </param>
    </param>
  </param>
    <module name="ExtendedFieldSearch">
  <param name="field">Keyword 2</param>
  <param name="intention">
    <param name="name">stringreplace</param>
    <param name="arg">
        <param name="1">
            <param name="fillOnEmpty">True</param>
            <param name="value"></param>
        </param>
    </param>
  </param>
  <param name="replacementMap">
    <param name="arg">
      <param name="2">
          <param name="value">Default Latest Time</param>
      </param>
    </param>
  </param>
  <param name="replacementMap">
    <param name="arg">
      <param name="3">
          <param name="value"></param>
      </param>
    </param>
  </param>
    <module name="ViewRedirectorLink">
        <param name="viewTarget">flashtimeline</param>
    </module>
</module>
</module>
</module>
</module>
</module>
0 Karma

jkat54
SplunkTrust
SplunkTrust

Updated above, but please note in the advanced xml search string you cant use <>@ etc. You want to use & lt; & gt; & amp; (without spaces)

0 Karma

jkat54
SplunkTrust
SplunkTrust

Will it always be 7 days apart? If so just -7d on the appendcols.

0 Karma

shuaiscottusaa
Engager

The 1st one changes just fine this way, however both need to be dynamic. The second one needs to be changed dynamically too based on the first one.

For example, I choose the 24th of May for the first table, I want the second table to automatically choose the 17th of May.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...