Re: How to combine multiple single value queries a...

Mallik657 · ‎09-21-2022

Hi,

I am creating a single value panel with different search query for each. I want to combine all these values into a table, It should look like an excel table in the splunk dashboard.

My individual query for each single value wizard looks like below. I want to combine all these queries and form a table with values.

1. index=abcd laas_appID=xyz OSBUILD=Linux3.1 | where OSVendor="Redhat" | stats count by OSBUILD

2. index=abcd laas_appID=xyz OSBUILD=Linux3.2 | where OSVendor="Redhat" | stats count by OSBUILD

3. index=abcd laas_appID=xyz OSBUILD=Linux3.3 | where OSVendor="Redhat" | stats count by OSBUILD

4. index=abcd laas_appID=xyz OSBUILD=Linux3.1 | where OSVendor="Ubuntu" | stats count by OSBUILD

etc

5. index=abcd laas_appID=xyz OSBUILD=Linux3.1 | where OSVendor="Solaries" | stats count by OSBUILD

etc

Table shoud look Like the below in dashboard:

OS Type	Redhat	Ubuntu	Solaris
Linux 3.1	12	84	54
Linux 3.2	13	45	123
Linux 3.3	56	658	678

Mallik657 · ‎09-22-2022

@gcusello Actually its different search query. I have given it this way. But, I want to combine all single value queries to form a single table as pasted above just like an excel table. How can i do this?

I am new to splunk. No previous experience. I would like to know the exact answer for the above queries. so that i can copy the same with different values.

gcusello · ‎09-22-2022

Hi @Mallik657,

if you want a table like the one you shared, my solution is ok for you.

if instead you want a table of Single Value Panels, it's a longer job: in few words, you have to put in each row the single values from one search locating them.

You could find a useful help in Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/) that explain how to use Single Value Panels.

In addition, beware because in this way, you'll have many searches almost identical, so you should use Post Process Search approach, that you can find still in the above App.

In few words, create a base serach (esecuted only one time) specialized in each panel.

Ciao.

Giuseppe

Mallik657 · ‎09-22-2022

@gcusello

Would you please provide the exact query formation from my individual queries to create a table from multiple single values.

I am a beginner here and no idea of what your trying to explain.

gcusello · ‎09-22-2022

Hi @Mallik657,

did you see the Splunk Dashboard Examples App I mentioned?

This app was done just for people without experiences in dashboarding.

In the Single Value element dashboard, you can see how to put in the same row more Single Value Panels.

You have to adapt this approach to your searches and make the same thing for each value of OS Type.

Then, when you created your table dashboard, you can see the second problem: too many searches in one dashboard make the dashboard too slow for working, the solution is Post Process Search.

About Post Process Search, in the Splunk Dashboard Examples App, in the Dashboard called Poste Process Search you have a description about how to implement this approach.

I could send you an example of an already done table of 5x5 Single Value Panels, but if you aren't able to see the Dashboard Examples App, it will not be useful.

So start to analyze and use the Splunk Dashboard Examples App to solve your problem and probably also others.

Ciao.

Giuseppe

gcusello · ‎09-21-2022

Hi @Mallik657,

at first don't use where or search command after the main search, put always them in the main search to have a quicker search.

Then, you can create one search grouping the conditions with the chart command, something like this:

index=abcd laas_appID=xyz OSBUILD=* OSVendor=*
| chart count OVER OSBUILD BY OSVendor

Ciao.

Giuseppe

How to combine multiple single value queries and create a table of values.

Dashboard Studio

panel

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!