- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to create 2 or more dashboards in one panel?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have got logs as below:
Log1: Tue Aug 1 12:15:03 EDT 2023 10G 6.4G 64% /var
Log2: Tue Aug 1 12:15:03 EDT 2023 20G 5.9G 30% /opt
Log3: Tue Aug 1 12:15:02 EDT 2023 11G 7.2G 66% /uam
Log4: Tue Aug 1 12:15:02 EDT 2023 11G 7.2G 85% /mqr
Using below query, I created a pie chart for my dashboard:
**** | rex field=_raw "(?ms)]\|(?P<host>\w+\-\w+)\|"
| rex field=_raw "(?ms)]\|(?P<host>\w+)\|"
| rex field=_raw "\]\,(?P<host>[^\,]+)\," | rex field=_raw "\]\|(?P<host>[^\|]+)\|"
| rex field=_raw "(?ms)\|(?P<File_System>(\/\w+){1,5})\|" | rex field=_raw "(?ms)\|(?P<Disk_Usage>\d+)"
| rex field=_raw "(?ms)\s(?<Disk_Usage>\d+)%"
| rex field=_raw "(?ms)\%\s(?<File_System>\/\w+)"
| regex _raw!="^\d+(\.\d+){0,2}\w"
| regex _raw!="/apps/tibco/datastore"
| rex field=_raw "(?P<Time>\w+\s\w+\s\d+\s\d+\:\d+\:\d+\s\w+\s\d+)\s\d"
| rex field=_raw "\[(?P<Time>\w+\s\w+\s\d+\s\d+\:\d+\:\d+\s\w+\s\d+)\]"
| rex field=_raw "(?ms)\d\s(?<Total>\d+(\.\d+){0,2})\w\s\d" | rex field=_raw "(?ms)G\s(?<Used>\d+(\.\d+){0,2})\w\s\d"
| eval Available=(Total-Used)
| lookup Environment_List.csv "host"
| search Environment="UAT"
| eval UAT=if(Disk_Usage <= 79, "Below80%", "Above80%")
| stats count by UAT
I have 3 other Environments (SIIT,DIT,DIT2), for which I created pie charts using above query and changing the environment name.
Now, I have got 4 pie charts in 4 separate panels in the dashboard. I need to get all the 4 pie charts in one panel and want to create drilldown from that panel. (something like shown in the attachment)
Please help to modify the query to get all the pie charts in one panel in the dashboard.
Your kind consideration is highly appreciated..!!
Thank You..!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your existing query can work with some minor modifications.
**** | rex field=_raw "(?ms)]\|(?P<host>\w+\-\w+)\|"
| rex field=_raw "(?ms)]\|(?P<host>\w+)\|"
| rex field=_raw "\]\,(?P<host>[^\,]+)\," | rex field=_raw "\]\|(?P<host>[^\|]+)\|"
| rex field=_raw "(?ms)\|(?P<File_System>(\/\w+){1,5})\|" | rex field=_raw "(?ms)\|(?P<Disk_Usage>\d+)"
| rex field=_raw "(?ms)\s(?<Disk_Usage>\d+)%"
| rex field=_raw "(?ms)\%\s(?<File_System>\/\w+)"
| regex _raw!="^\d+(\.\d+){0,2}\w"
| regex _raw!="/apps/tibco/datastore"
| rex field=_raw "(?P<Time>\w+\s\w+\s\d+\s\d+\:\d+\:\d+\s\w+\s\d+)\s\d"
| rex field=_raw "\[(?P<Time>\w+\s\w+\s\d+\s\d+\:\d+\:\d+\s\w+\s\d+)\]"
| rex field=_raw "(?ms)\d\s(?<Total>\d+(\.\d+){0,2})\w\s\d" | rex field=_raw "(?ms)G\s(?<Used>\d+(\.\d+){0,2})\w\s\d"
| eval Available=(Total-Used)
| lookup Environment_List.csv "host"
| eval usage_level=if(Disk_Usage <= 79, "Below80%", "Above80%")
| stats count by Environmant, usage_levelThen as @ITWhisperer mentioned, use Trellis mode to break the display into multiple pie charts.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your existing query can work with some minor modifications.
**** | rex field=_raw "(?ms)]\|(?P<host>\w+\-\w+)\|"
| rex field=_raw "(?ms)]\|(?P<host>\w+)\|"
| rex field=_raw "\]\,(?P<host>[^\,]+)\," | rex field=_raw "\]\|(?P<host>[^\|]+)\|"
| rex field=_raw "(?ms)\|(?P<File_System>(\/\w+){1,5})\|" | rex field=_raw "(?ms)\|(?P<Disk_Usage>\d+)"
| rex field=_raw "(?ms)\s(?<Disk_Usage>\d+)%"
| rex field=_raw "(?ms)\%\s(?<File_System>\/\w+)"
| regex _raw!="^\d+(\.\d+){0,2}\w"
| regex _raw!="/apps/tibco/datastore"
| rex field=_raw "(?P<Time>\w+\s\w+\s\d+\s\d+\:\d+\:\d+\s\w+\s\d+)\s\d"
| rex field=_raw "\[(?P<Time>\w+\s\w+\s\d+\s\d+\:\d+\:\d+\s\w+\s\d+)\]"
| rex field=_raw "(?ms)\d\s(?<Total>\d+(\.\d+){0,2})\w\s\d" | rex field=_raw "(?ms)G\s(?<Used>\d+(\.\d+){0,2})\w\s\d"
| eval Available=(Total-Used)
| lookup Environment_List.csv "host"
| eval usage_level=if(Disk_Usage <= 79, "Below80%", "Above80%")
| stats count by Environmant, usage_levelThen as @ITWhisperer mentioned, use Trellis mode to break the display into multiple pie charts.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @richgalloway,
Thank you for your inputs..!! With the query you provided, I am now able to get the pie charts to one panel using trellis mode.
Your kind inputs are highly appreciated...!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Essentially, a panel has chart(s) serviced by one search query. However, for some chart types, including pie charts, there is a trellis mode which could give you the layout you are after.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer,
Thank you for your inputs..!! But for each pie chart I have got different queries and I will need to combine the queries into one so that I can use trellis mode and create all 4 pie charts in one panel.
Can you please help to modify the query so that I can use the trellis mode and achieve the required dashboard panel.
Thank you..!!
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
