How to combine multiple single value queries and create a table of values.

Mallik657
Explorer

Hi,

I am creating single value panels, with a different search query for each. I want to combine all these values into a table. It should look like an Excel table in the Splunk dashboard.

My individual query for each single value wizard looks like below. I want to combine all these queries and form a table with values.

1. index=abcd laas_appID=xyz OSBUILD=Linux3.1 | where OSVendor="Redhat" | stats count by OSBUILD

2. index=abcd laas_appID=xyz OSBUILD=Linux3.2 | where OSVendor="Redhat" | stats count by OSBUILD

3. index=abcd laas_appID=xyz OSBUILD=Linux3.3 | where OSVendor="Redhat" | stats count by OSBUILD

4. index=abcd laas_appID=xyz OSBUILD=Linux3.1 | where OSVendor="Ubuntu" | stats count by OSBUILD

etc

5. index=abcd laas_appID=xyz OSBUILD=Linux3.1 | where OSVendor="Solaries" | stats count by OSBUILD

etc

The table should look like the below in the dashboard:

OS Type  Redhat  Ubuntu  Solaris
Linux 3.1128454
Linux 3.21345123
Linux 3.356658678
0 Karma

Mallik657
Explorer

@gcusello Actually it's a different search query. I have given it this way. But I want to combine all the single value queries to form a single table as pasted above, just like an Excel table. How can I do this?

I am new to Splunk. No previous experience. I would like to know the exact answer for the above queries, so that I can copy the same with different values.

0 Karma

gcusello
SplunkTrust

Hi @Mallik657,

If you want a table like the one you shared, my solution is OK for you.

If instead you want a table of Single Value Panels, it's a longer job: in a few words, you have to put in each row the single values from one search, locating them.

You could find useful help in the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/), which explains how to use Single Value Panels.

In addition, beware because in this way you'll have many almost identical searches, so you should use the Post Process Search approach, which you can also find in the above App.

In a few words, create a base search (executed only one time) specialized in each panel.

Ciao.

Giuseppe

0 Karma

Mallik657
Explorer

@gcusello

Would you please provide the exact query formation from my individual queries to create a table from multiple single values?

I am a beginner here and have no idea of what you're trying to explain.

0 Karma

gcusello
SplunkTrust

Hi @Mallik657,

Did you see the Splunk Dashboard Examples App I mentioned?

This app was made just for people without experience in dashboarding.

In the Single Value element dashboard, you can see how to put more Single Value Panels in the same row.

You have to adapt this approach to your searches and do the same thing for each value of OS Type.

Then, when you have created your table dashboard, you can see the second problem: too many searches in one dashboard make the dashboard too slow to work with; the solution is Post Process Search.

About Post Process Search: in the Splunk Dashboard Examples App, in the Dashboard called Post Process Search, you have a description of how to implement this approach.

I could send you an example of an already done table of 5x5 Single Value Panels, but if you aren't able to see the Dashboard Examples App, it will not be useful.

So start to analyze and use the Splunk Dashboard Examples App to solve your problem and probably also others.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @Mallik657,

First, don't use the where or search command after the main search; always put them in the main search to have a quicker search.

Then, you can create one search grouping the conditions with the chart command, something like this:

index=abcd laas_appID=xyz OSBUILD=* OSVendor=*
| chart count OVER OSBUILD BY OSVendor

Ciao.

Giuseppe

0 Karma
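
The two approaches discussed in this thread (the chart-based table and the grid of Single Value Panels fed by a post-process search) can be put in one Simple XML dashboard. This is an added example, not part of the original posts: the index, field names and values come from the question, while the search id `os_base`, the label, the panel titles and the time range are assumptions.

```xml
<dashboard>
  <label>OS build counts by vendor</label>
  <!-- Base search: runs once. Filters sit in the main search and a
       transforming command (stats) keeps the result set small. -->
  <search id="os_base">
    <query>index=abcd laas_appID=xyz OSBUILD=* OSVendor=* | stats count BY OSBUILD OSVendor</query>
    <!-- Assumed time range; adjust to the dashboard's needs. -->
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Table: one row per OSBUILD, one column per OSVendor</title>
      <table>
        <!-- Post-process search: pivots the base results, no new index scan. -->
        <search base="os_base">
          <query>chart sum(count) OVER OSBUILD BY OSVendor</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <!-- One Single Value Panel per OSBUILD/OSVendor pair, all fed by os_base. -->
    <panel>
      <title>Linux3.1 / Redhat</title>
      <single>
        <search base="os_base">
          <query>search OSBUILD="Linux3.1" OSVendor="Redhat" | stats sum(count) AS count</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Linux3.1 / Ubuntu</title>
      <single>
        <search base="os_base">
          <query>search OSBUILD="Linux3.1" OSVendor="Ubuntu" | stats sum(count) AS count</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>
```

Further rows of single value panels follow the same pattern, changing only the OSBUILD and OSVendor values in each post-process query.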