Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pull a field from a saved report into a dashboard and display only one of the fields in a panel?

charliedgz
Path Finder
‎01-19-2017 11:35 AM

Is there a way to pull a field from a saved report into a dashboard and display only one of the fields in a panel? For instance, I have a saved search for the past 4 hours. I have 3 fields: total, avg, and valid. Let's say the numbers are 7009, 12, and 6576 respectively for example. I am trying to have different panels: One showing a gauge with the totals, one showing the average from the report, and one showing the valid number. Is there a way to pull the total from the report for one panel and avg from the report?

0 Karma
Reply

Shautea
Explorer
a month ago

Any fresh takes on this? I have the exact same conundrum..... I have 1 saved report which outputs multiple single values. And I'd like a few dashboard panels that distinctly call out those single values.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
a month ago

If you have a scheduled saved search and only want to pull results from last run, use loadjob command.

If you want to run the search anew but want to use parts of its results in separate panels without rerunning whole search each time, use this search as a base search in your dashboard and select relevant fields with post-process searches in each panel.

0 Karma
Reply

Shautea
Explorer
a month ago

Thanks. I'd prefer the query to run once a month, and that stale 30d data be fetched for each relevant panel. I think you're saying that if I use a base search, I can nix the extra panel heavy lifts. But I worry that the 30 day base query lift will have to run with each dashboard load. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
a month ago

OK. You can't eat a cake and have a cake. Either you run the scheduled search every now and then and then just use loadjob to fetch already existing results or you run the base search on each dashboard load.

The first approach is way faster but you end up with a stale data (from last run which might have been some time ago depending on your schedule), the second approach requires you to run the search (ok, once but still) on each dashboard load.

You might go for some "hybrid" solution by either doing some summary indexing and only querying the summarized data, not the original raw data - that should be way faster but I don't know your data so I don't know if it's easily summarizable this way. Or you might use report acceleration. These are two options worth exploring.

Reply

Shautea
Explorer
2 weeks ago

Thanks Pickle. The original poster had 4 hr recent data. My data is on user counts and some high level stats, so it's fine as a monthly pull. For others who might share my scenario, I ended up going with a lookup table. I first saved and scheduled a report to run once a month with my 20+ key values. Then on my dashboard, I used inputlookup to key in on each variable and place it where I wanted it on the dashboard.

0 Karma
Reply

Shautea
Explorer
2 weeks ago

Forgot to mention. The scheduled report has an action to output each monthly run to the noted lookup table.

0 Karma
Reply

somesoni2
Revered Legend
‎01-19-2017 01:00 PM

You would've to use the ref feature of the search element in simple xml to reference a scheduled saved search. This it'll load the last run's results to dashboard panel, if one exists, or rerun the scheduled search. See more details with example here.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Savedsearches#Reference_a_search_from_a_report

<search ref ="[name]">
....
References the report.
0 Karma
Reply

cmerriman
Super Champion
‎01-19-2017 11:45 AM

you could use the savedsearch command followed by fields

https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

|savedsearch searchname|fields total
Reply

charliedgz
Path Finder
‎01-19-2017 12:01 PM

Ok, I tried doing this, but it keeps rerunning the search ( in my case 35 million events), even if I used a fix time range. I just want to abstract, say the 7009 without having to rerun the search.

0 Karma
Reply

cmerriman
Super Champion
‎01-19-2017 12:46 PM

sorry. try loadjob
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Loadjob

|loadjob savedsearch="charliedgz:search:searchname"
0 Karma
Reply
Get Updates on the Splunk Community!

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...