How to get all events data for further processing?

fjp2485
Engager

Hi,

In our application we have to
1. visualize all events' data retrieved by the given search
2. And we have to use all events' data in further processing.
However, in the <progress> and <done> events only the first event's data is accessible (in the $result.field$ tokens). I'm wondering why these tokens don't contain the values of the current event. Could you tell me if there is a way to get all events' data for further processing?

Thanks in advance,
fjp2485

0 Karma

fjp2485
Engager

Hi Vatsal,

Thanks for your quick answer. That shows an interesting approach: to link a search to another one.
But I don't see that our task can be solved simply with such linked searches.
Let me explain our goal:

There are three search results on our dashboard.
1. The first one takes its input from XML files in subfolders of a given folder and shows the result in a table in increasing time order. (This search contains installation results overview.)
Then the user clicks on a column in this table. The drill down operation takes the subfolder of the selected item (installation duration and overall result) and initiates two other searches in that subfolder. In addition the clicked item shall be shown in a brighter color.
2-3. These searches run in the above mentioned subfolder and take their input from different XML files and show their contents (result of installation steps and result of system integration tests).

So far so good. See attached image

Now we have to make the drill down operation on the last item automatic: when the uppermost chart is displayed then the detailed results of the last item shall be shown without any user interaction in the lower two charts.

Now you can see why I wrote that if progress events contained each result item's fields, then this task could be - relatively - easily accomplished.

With best regards,
fjp2485

0 Karma

VatsalJagani
SplunkTrust

Hi @fjp2485,

Check if basesearch works in your case!! The result of the basesearch can be further processed in a child search in the dashboard.

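<form>
  <!-- Base search: runs once; panels below post-process its results -->
  <search id="Base_Search">
    <query>index=_internal | head 1000</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <table>
        <!-- Shows the base search output as-is -->
        <search base="Base_Search">
          <query></query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <!-- Post-processes the base search results into a timechart -->
        <search base="Base_Search">
          <query>| timechart count</query>
        </search>
      </chart>
    </panel>
  </row>
</form>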

Here in this example, the first panel (table) shows the output of the basesearch and the second panel (chart) further processes it and shows a timechart.

0 Karma
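
An added example, not posted by either participant in this thread: it combines the base-search pattern above with the $result.field$ behaviour described in the question, by letting a post-process search put the most recent row first so that the tokens read in <done> come from it. The token name last_source, the field list and the detail query are assumptions made for illustration.

```xml
<form>
  <!-- Base search: keep only the fields the post-process searches need -->
  <search id="Base_Search">
    <query>index=_internal | head 1000 | fields _time, source, sourcetype</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <!-- Invisible post-process search: $result.<field>$ exposes only the first
       row, so sort newest-first and keep a single row before reading it -->
  <search base="Base_Search">
    <query>| sort 0 - _time | head 1</query>
    <done>
      <condition match="'job.resultCount' &gt; 0">
        <set token="last_source">$result.source$</set>
      </condition>
      <condition>
        <!-- No rows: clear the token so the detail panel stays hidden -->
        <unset token="last_source"></unset>
      </condition>
    </done>
  </search>

  <row>
    <panel>
      <table>
        <search base="Base_Search">
          <query>| stats count by source</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <!-- Detail panel renders without a click once last_source is set;
         a drilldown on the table above can overwrite the same token -->
    <panel depends="$last_source$">
      <chart>
        <search base="Base_Search">
          <query>| search source="$last_source$" | timechart count</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```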