Dashboards & Visualizations

How to populate the counts in 2 panels based on the selection from a drop-down menu?

guillecasco
Path Finder

I have two panels in a dashboard and I would like that the number of counts adjust to the drop-down menu.

The two panels are:

event        count                       
success      8                                   
error        7                                   
N/I          10
....         .....

Type error    count
00001         7
00002         12
........      .......

In all logs, there is a field named: CLIENT_ID (only 4 kinds of that client). Is there a way to include a drop-down menu with the 4 kinds of clients, and depending which one I choose, filter counts of both panels? I read something related to the token in the drop-down menu and also putting $$ in the XML code. How can I do this? Should the search of both panels need to have the client id somewhere? I don't want client id in panels, just the 2 columns I have now.

0 Karma

sundareshr
Legend

Here's what you need

  1. Drop-down with client list generated dynamically. You can achieve this somewhat like this

    <input type="dropdown" token="tokClient" searchWhenChanged="true">
          <label>Select client</label>
          <search>
            <query>index=* | stats count  by client_id</query>
            <earliest>@d</earliest>
            <latest>now</latest>
          </search>
          <fieldForLabel>client_id</fieldForLabel>
          <fieldForValue>client_id</fieldForValue>
    </input>
    

    OR
    You can hard-code the list of client_id in your drop-down, like this

        <input type="dropdown" token="tokCLient" searchWhenChanged="true">
          <label>Select client</label>
          <choice value="One">One</choice>
          <choice value="Two">Two</choice>
          <choice value="Three">Three</choice>
        </input>    
    

    Create your dashboard panels using the tokClient in your search. Like this

    <table>
    
                <search>
                  <query>index=* client_id=$tokClient$ | table _time client_id</query>
                </search>
    

    http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/Buildandeditforms

0 Karma

guillecasco
Path Finder

Ok, but how am I supposed to add:

index=* client_id=$tokClient$ | table _time client_id  

to both searches of the 2 panels? They don't have any client ID. Here are the 2 searches of both panels.

PANEL 1

index="index1" | stats count by name  

PANEL 2

index="index1" ERRORS | stats count by errorCode |sort -num(count)|   
0 Karma

sundareshr
Legend

Thought you said "In all logs, there is a field named: CLIENT_ID "?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...