Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display the statistics value of the search query in the dashboard along with search completed/finalize values

vikashperiwal
Path Finder
‎03-18-2020 09:47 PM

I am running my query and say total statistics returned is 3,00,000( returned 3,00,000 results ) and the search is completed.

How can i show the same statistics value and search completed in my dashboard as a indicator?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-19-2020 06:41 AM

hi @vikashperiwal,

You can use done element to set token with result count when search is completed/finalised. And use html to show the status like below.

<form>
  <init>
    <set token="statusMessage">Search is running...</set>
  </init>
  <label>Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <html>
      <h1>$statusMessage$</h1>
    </html>
  </row>
  <row>
    <panel>
      <table>
        <title>Internal index data</title>
        <search>
          <query>index=_internal sourcetype=splunkd | table sourcetype source host</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <done>
            <set token="statusMessage">Search is completed. Event count: $job.resultCount$.</set>
          </done>
        </search>
        <option name="refresh.display">progressbar</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-19-2020 06:41 AM

hi @vikashperiwal,

You can use done element to set token with result count when search is completed/finalised. And use html to show the status like below.

<form>
  <init>
    <set token="statusMessage">Search is running...</set>
  </init>
  <label>Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <html>
      <h1>$statusMessage$</h1>
    </html>
  </row>
  <row>
    <panel>
      <table>
        <title>Internal index data</title>
        <search>
          <query>index=_internal sourcetype=splunkd | table sourcetype source host</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <done>
            <set token="statusMessage">Search is completed. Event count: $job.resultCount$.</set>
          </done>
        </search>
        <option name="refresh.display">progressbar</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Reply
Solved! Jump to solution

vikashperiwal
Path Finder
‎03-19-2020 08:58 AM

@manjunathmeti ... thanks, this is what i wanted.....

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-19-2020 07:31 AM

Since one of the answer is already posted I will just list the two possible approach i.e. using predefined job tokens and Splunk REST api to fetch job details.

alt text

Following is run anywhere example of both approach:

<dashboard>
  <label>Search Job Properties</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
| top component</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <set token="tokSid">$job.sid$</set>
            <set token="tokEventCount">$job.eventCount$</set>
            <set token="tokscanCount">$job.scanCount$</set>
            <set token="tokrunDuration">$job.runDuration$</set>
          </done>
        </search>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>Option 1: Using <a href="https://docs.splunk.com/Documentation/Splunk/latest/Search/ViewsearchjobpropertieswiththeJobInspector#Search_job_properties" target="_blank">job predefined tokens:</a>
        </div>
        <div>This search has completed and has returned $tokEventCount$ results by scanning $tokscanCount$ events in $tokrunDuration$ seconds</div>
        <div>(SID: $tokSid$)</div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>Option 2: Using REST API <a href="https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D" target="_blank">search/jobs/{searchid}</a></div>
      </html>
      <table>
        <search>
          <query>| rest /servicesNS/-/-/search/jobs/$tokSid$
| fields scanCount resultCount runDuration
| eval result="This search has completed and has returned ".resultCount." results by scanning ".scanCount." events in ".runDuration." seconds;(SID: $tokSid$)"
| fields result
| makemv result delim=";"</query>
          <earliest>-1s</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

vikashperiwal
Path Finder
‎03-19-2020 08:56 AM

hey @niketnilay ... its you again, i could just got the solution from one of your post earlier and was about to add that in the comment but thanks i wanted all the three attributes to show.....

This worked for me

         <set token="tokEventCount">$job.eventCount$</set>
         <set token="tokscanCount">$job.scanCount$</set>
         <set token="tokrunDuration">$job.runDuration$</set>
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-19-2020 10:16 PM

Great! Do read the documentation for all other attributes and REST API for alternative approach. Also up vote the comment/previous answer that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-19-2020 02:17 AM

try single value visualization

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...