How to merge two dashboards into one?

swetar
New Member

Hi,

There are two graphs, each showing status of two instances. I wanted to merge both graphs into one.
Both have the same source type and index. Can anyone suggest on this?

Thanks

0 Karma
1 Solution

DalJeanis
SplunkTrust

As well as _time, you have two different dimensions, the instance number and the various readings, so you're probably better off just putting two separate panels on the same dash. Timechart doesn't handle multiple dimensions that well, so you'd end up with the individual lines being "instance1 - cpu", "instance2 - cpu" and so on, which isn't very readable.

0 Karma

swetar
New Member

Thanks for your reply. I was able to merge both the charts in the following way:
SPL side# Sourcetype1 appendcols [search sourcetype2
Then I used chart overlay to overlap both of them.

0 Karma

DalJeanis
SplunkTrust

@swetar - appendcols is going to fail the moment that either query returns a different number of results. If you provide the underlying searches, then we can help you merge them in a way that will work in all scenarios.

In general, you want to aim for

(index=foo1 sourcetype=bar whatever other search terms)
OR
(index=foo2 sourcetype=baz whatever other search terms)
| fields  ... list all the fields you want to keep ...
| eval fields1 = create  any fields you need to calculate 
| timechart span=15m 
  count as nameOfFirstLine
  sum(somefield) as nameOfSecondLine    
  aggregatefunction(fields) as nameOfThirdLine
  aggregatefunction(fields) as nameOfFourthLine

The above should work under all cases, as long as the aggregate functions are operating on fields that will only be in the relevant events. You can control that either by building new fields that only exist on the right kind of record, or by using an eval in the aggregate function... which is an advanced method of coding that you may want to avoid for now.

0 Karma

swetar
New Member

@DalJeanis I'm using the below SPL and it's working fine. :)

sourcetype="oracle_sourcetype1XXXXXX"
| eval V_INST_NAME= case(INST_ID=="1","test1",INST_ID=="2","test2")
| where like (V_INST_NAME,"%")
| timechart span=10m first(P_COUNT) as PQ by INST_ID
| rename 1 as "Parallel Count for test1" 2 as "Parallel Count for test2"
| filldown
| appendcols
    [search sourcetype = oracle_sourcetype2YYYYYYY
    | eval V_INST_NAME= case(INST_ID=="1","test1",INST_ID=="2","test2")
    | where like (V_INST_NAME,"%")
    | timechart span=10m first(SESSIONS_COUNT) as sessions_count by INST_ID
    | rename 1 as "Session Count for test1" 2 as "Session Count for test2"
    | filldown ]

0 Karma
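
Added example, not part of any post in this thread: the two searches above folded into the single-search pattern DalJeanis describes, so that all four series come from one timechart and share its time buckets instead of being pasted together row by row with appendcols. It assumes P_COUNT exists only in the first sourcetype's events and SESSIONS_COUNT only in the second, and relies on timechart naming its columns "<alias>: <INST_ID>" when several aggregations are combined with a by clause.

```spl
(sourcetype="oracle_sourcetype1XXXXXX") OR (sourcetype="oracle_sourcetype2YYYYYYY")
| eval V_INST_NAME=case(INST_ID=="1","test1",INST_ID=="2","test2")
| where isnotnull(V_INST_NAME)
| timechart span=10m
    first(P_COUNT) as PQ
    first(SESSIONS_COUNT) as sessions_count
    by INST_ID
| rename "PQ: 1" as "Parallel Count for test1"
         "PQ: 2" as "Parallel Count for test2"
         "sessions_count: 1" as "Session Count for test1"
         "sessions_count: 2" as "Session Count for test2"
| filldown
```

Because every row is keyed on the same _time bucket, a gap in one sourcetype leaves an empty cell in that column rather than shifting the values onto the wrong timestamp.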

richgalloway
SplunkTrust

@swetar, If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

Please provide the searches for the graphs and we can try to help you merge them.

---
If this reply helps you, Karma would be appreciated.
0 Karma