Let's assume I have two panels, PanelA and PanelB, in my dashboard. I want to filter my PanelB results based on the PanelA results.
PanelA:
TrainType Count
TrainA 10
TrainB 10
TrainC 10
TrainD 10
PanelB:
TrainType Status
TrainA Active
TrainD Inactive
TrainN Active
TrainB Active
TrainK Inactive
TrainT Active
TrainJ Inactive
In the above results, for Panel2, I need to display only the trains which are available in Panel1.
I have tried to store the Panel1 results in token as a table and use it in Panel2 as follows:
<done>
  <set token="result">
    <search>
      <query>
        stats list(TrainType) as TrainType by _time | makemv TrainType delim="," | table TrainType
      </query>
    </search>
  </set>
</done>
But I do not know how to use it in Panel2. Please suggest how this can be done.
Note: I want to do this automatically when the Panel1 gets loaded.
Hi,
a little question: do you want to filter panel 2 events after a click on a row of Panel 1 or do you want to filter panel 2 with all the results of Panel1?
If the first one, see the Splunk 7.x Dashboard Examples app; there is an example of drilldown in the same dashboard.
If the second one, put Panel 1 search as subsearch in Panel 2 search, something like this:
my_search1 [ search my_search2 | dedup TrainType | fields TrainType ]
| ....
You only have to check that the TrainType field name is the same in both searches and that there aren't case differences in the TrainType field.
Bye.
Giuseppe
@Naren26, there could be various ways of doing this; however, the best option would depend on what you are doing at present (without the filter in the 2nd panel from the results of the first panel). So, can you add the queries for the sample results you have put in the question (both for Panel 1 and Panel 2)? Are the TrainType and Status fields available in your raw events?
Please find the below XML:
<row>
  <panel>
    <title>PanelA</title>
    <event>
      <search>
        <query>*mysearch | stats list(traintype) as TrainType</query>
        <earliest>-30m@m</earliest>
        <latest>now</latest>
        <sampleRatio>1</sampleRatio>
        <done>
          <set token="result">
            <search>
              <query>
                stats list(TrainType) as TrainType by _time | makemv TrainType delim="," | table TrainType
              </query>
            </search>
          </set>
        </done>
      </search>
      <option name="count">10</option>
      <option name="list.drilldown">full</option>
      <option name="list.wrap">1</option>
      <option name="maxLines">5</option>
      <option name="raw.drilldown">full</option>
      <option name="rowNumbers">0</option>
      <option name="table.drilldown">all</option>
      <option name="table.sortDirection">asc</option>
      <option name="table.wrap">1</option>
      <option name="type">list</option>
    </event>
  </panel>
</row>
<row>
  <panel>
    <title>PanelB</title>
    <event>
      <search>
        <query>*mysearch | stats list(traintype) as TrainType | where TrainType in($result$)</query>
        <earliest>-30m@m</earliest>
        <latest>now</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="count">10</option>
      <option name="list.drilldown">full</option>
      <option name="list.wrap">1</option>
      <option name="maxLines">5</option>
      <option name="raw.drilldown">full</option>
      <option name="rowNumbers">0</option>
      <option name="table.drilldown">all</option>
      <option name="table.sortDirection">asc</option>
      <option name="table.wrap">1</option>
      <option name="type">list</option>
    </event>
  </panel>
</row>
Note: Both TrainType and Status are available in raw events
Hi
Can you please check dashboard code??
<dashboard>
  <label>Dependent Panel Result</label>
  <search base="mainSearch">
    <query> eval sourcetype="sourcetype=".sourcetype | stats delim=" OR " values(sourcetype) as sourcetype | mvcombine sourcetype | eval sourcetype=" (".sourcetype.")"
    </query>
    <done>
      <set token="selectedsourcetype">$result.sourcetype$</set>
    </done>
  </search>
  <row>
    <panel>
      <table>
        <title>Main Panel</title>
        <search id="mainSearch">
          <query>index=_internal sourcetype=splunk* | stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Dependent Panel $selectedsourcetype$</title>
        <search>
          <query>index=_internal $selectedsourcetype$ | stats count by sourcetype</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
Here I have used a dummy search. But don't worry, it will work for you.
There are 2 panels: Main Panel and Dependent Panel.
I have made the Main Panel search the base search and defined an additional search which will create a condition for the Dependent Panel.
Please execute XML code and try to put your search into it for verification.
I hope this will help you.
Happy Splunking
I was able to fetch the results with the following query:
my_search1 [ search my_search2 | dedup TrainType | fields TrainType ]
Thanks.
I want to filter Panel2 with results of Panel1, without any user events.
In my above second solution, you filter Panel2 events with Panel1 results.
Check that TrainType name field is the same in both the searches and that there isn't any case difference in TrainType field.
Bye.
Giuseppe
I have tried the above-mentioned solution, but I was not able to fetch the results. Below is the code:
index=my_index message=msgA | stats values(trainType) as TrainType by _time [search index=my_index message=msgB | stats values(trainType) as TrainType by _time ]
What am I doing wrong here?
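Giuseppe's subsearch pattern written out as a complete two-panel dashboard, as an added example that is not code from any poster in this thread. The index, message values and the trainType field are taken from the last post; the Status field, the stats clauses and the 30-minute time range are assumptions.

```xml
<dashboard>
  <label>PanelB filtered by PanelA (added example)</label>
  <row>
    <panel>
      <title>PanelA</title>
      <!-- Assumed search: one row per train type seen in the msgA events. -->
      <table>
        <search>
          <query>index=my_index message=msgA | stats count as Count by trainType</query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>PanelB</title>
      <!-- The subsearch sits in the base search, before the first pipe.
           Splunk runs it first and replaces the brackets with a filter of the form
           ( ( trainType="TrainA" ) OR ( trainType="TrainB" ) ... ),
           so only msgB events for train types present in PanelA are kept.
           The subsearch returns a single field, named exactly as in the outer
           events; field names are case-sensitive. -->
      <table>
        <search>
          <query>index=my_index message=msgB
            [ search index=my_index message=msgA | dedup trainType | fields trainType ]
            | stats latest(Status) as Status by trainType</query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

PanelB refreshes with the dashboard and needs no token or click, because the filter is computed inside its own search. Subsearches are subject to result-count and runtime limits, so this suits a short list of values such as train types.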