Dashboards & Visualizations

How to add 2 similar reports to a dashboard without having to run both of them?

a212830
Champion

Hi,

I'm setting up some license dashboards for customers. The dashboard will contain sourcetype usage over the past 30 days, showing both an areachart and a stats table. The area chart shows the top 10 sourcetypes, along with the pool size, which works fine. To add the stats table, I used the existing report from above, and changed visualization to stats table. But now, I want to remove the pool size, and want to change the sort order to be by date in desc order. How can I do that without creating a whole new search/report? Is that possible? These are scheduled reports, btw...


aaraneta_splunk
Splunk Employee

@a212830 - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!


sloshburch
Ultra Champion

Since we now have two answers suggesting using post-processing and a base search, I figure I might as well muddy the waters and add a third! (Redundant? Redundant.)

The only difference is that I'd like to highlight that the base search in the post process can still call your savedsearch with the savedsearch spl command! So you can keep it a savedsearch but have it used and loaded only once on the page but influence several dashboards.
The catch here is that you'd have to make the savedsearch act almost like a summary index in that it only returns the least common data set of results that you can then transform (with the charts, stats, whatever) in the respective panels.

Coffee still soaking in so lemme know if that is too abstract and doesn't make sense.

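As an added example (not code from the original thread), here is a complete Simple XML dashboard that wires the suggestion above to the asker's case: one base search loads the report once, and each panel only post-processes that result set. The report name "License Usage by Sourcetype" and the owner:app prefix in the loadjob string are assumptions; "pool size" and the per-index volume columns come from the asker's search. The base search uses the savedsearch SPL command, which dispatches a new run of the report; the commented-out loadjob line reads the most recent scheduled run's results instead, which is what the asker wants for reports that are already scheduled.

```xml
<dashboard>
  <label>License usage, last 30 days</label>

  <!-- Base search: runs ONCE per dashboard load. Both panels below reuse its result set.
       The report name is an assumption; replace it with the scheduled report's real name.
       "| savedsearch" re-runs the report. To reuse the last scheduled run's results instead
       (no new search dispatched), swap the query line for:
         | loadjob savedsearch="admin:search:License Usage by Sourcetype"
       where admin:search is the assumed owner:app of the report. -->
  <search id="licenseBase">
    <query>| savedsearch "License Usage by Sourcetype"</query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Daily license volume (GB) with pool size overlay</title>
      <chart>
        <!-- Post-process 1: pass the base results through unchanged.
             The base search is a timechart, so the results are already one row per day. -->
        <search base="licenseBase">
          <query>| fields _time *</query>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.overlayFields">"pool size"</option>
        <option name="charting.axisTitleY.text">GB</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <title>Daily license volume (GB), newest day first</title>
      <table>
        <!-- Post-process 2: drop the overlay field and sort by date descending.
             fieldformat keeps _time numeric (so the sort is chronological)
             but renders it as a plain date in the table. -->
        <search base="licenseBase">
          <query>| fields - "pool size" | sort - _time | fieldformat _time=strftime(_time, "%Y-%m-%d")</query>
        </search>
        <option name="count">31</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Two things to keep in mind when adapting this: a post-process query can only see fields that the base search still has in its results, so anything dropped in the report (the asker's fields - _timediff, for instance) is gone for every panel; and a base search should be a transforming search such as this timechart, because post-processing a base search that returns raw events is subject to the result limits noted in the post-processing documentation.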

niketn
Legend

If you reverse the time, you might not be able to display the same timechart on a chart visualization (you will have to format time as mm/dd/yyyy or date only to plot it on the x-axis). Meanwhile, you can try something like the following for post-processing:

  <row>
    <panel>
      <chart>
        <!-- Base search: dispatched once; the table panel below reuses its results via base="baseSearch" -->
        <search id="baseSearch">
          <query>Your Current Query goes here</query>
          <earliest>-30d@d</earliest>
          <latest>-0d@d</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.chart.overlayFields">"stack size"</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <!-- Post-process search: only transforms the results already returned by baseSearch;
             fieldformat changes the display of _time without altering the underlying value -->
        <search base="baseSearch">
          <query>reverse 
| fieldformat _time=strftime(_time,"%d/%m/%Y")
| table _time volume</query>
        </search>
      </table>
    </panel>
  </row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mattymo
Splunk Employee

You can look at the concept of using a base search. Essentially one search runs and multiple panels reference that search.

http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches

Just be sure to note the post-processing limitations, as well as the notes on performance in standalone vs. distributed environments.

- MattyMo

niketn
Legend

Would it be possible for you to share your existing query/sample? Are you using prebuilt panel?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

a212830
Champion

It's a scheduled report, not an inline search. Here's the search from the report:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool="FMD License"
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false
| join type=outer _time
    [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
    | search pool="FMD License"
    | eval _time=_time - 43200
    | bin _time span=1d
    | stats latest(poolsz) AS "pool size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]