Solved: Re: One single Row

charlesukah22 · ‎08-02-2020

Hi Guys, (Please see attached file for better understanding)

I need help adjusting my query to show the below results:

I want to put all the (software, brand and product) in one single row with the total number of their count under “count”

Example, instead of having multiple Mac, Window etc… we should just have one row with the total count

Current table

Software	Brand	Product	Number of count
Mac	Apple	MTBNUYE2V0	1
Mac	Apple	MTBNUYE2V1	1
Mac	Apple	MTBNUYE2V2	1
Mac	Apple	MTBNUYE2V3	1
Mac	Apple	MTBNUYE2V4	1
Mac	Apple	MTBNUYE2V5	1
Mac	Apple	MTBNUYE2V6	1
Mac	Apple	MTBNUYE2V7	1
Mac	Apple	MTBNUYE2V8	1
Mac	Apple	MTBNUYE2V9	1
Mac	Apple	MTBNUYE2V10	1
Mac	Apple	Youbest	2
Window	Win.x	Youbest	2
Window	Win.x	Youbest	2
Window	Win.x	Youbest	2
Window	Win.x	Youbest	2
Window	Win.x	Youbest	2
Window	Win.x	Youbest	2
Window	Win.x	Youbest	2
Window	Win.x	Youbest	2
Window	Win.x	Youbest	2
Window	Win.x	Youbest	2
Window	Win.x	Youbest	2
Window	Win.x	Youbest	2

Example of expected result:

Software	Brand	Version	Number of count
Mac	Apple	20.20.20	200
Windows	Win.x	30.90.09	320

Data is from: index=product sourcetype=my_product

Then when we click on the Number of count it should open in a new page showing all the details of the software (example of what details we should see are IP, NAME, HOSTNAME)

Data is from: |inputlookup product

charlesukah22 · ‎08-05-2020

Thank you ,

Thank was very useful and helpful

View solution in original post

gcusello · ‎08-03-2020

Hi @charlesukah22,

the main search should be something like this:

index=product sourcetype=my_product
| stats count BY Software Brand Version

then you should have a drilldown opening a new dashboard with your table passing the tokens from the click:

this is an example from the Splunk dashboard examples App (https://splunkbase.splunk.com/app/1603/) that I hint to install:

<dashboard>
  <label>Drilldown Link to Dashboard</label>
  <row>
    <panel>
      <table>
        <search>
          <query>
               index=product sourcetype=my_product
               | stats count BY Software Brand Version
          </query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="count">10</option>
        <drilldown>
          <link target="_blank">/app/your_app/secondary_dashboard?software=$row.Software$&amp;brand=$row.Brand$&amp;version=$row.Version$</link>
        </drilldown>
      </table>
</dashboard>

then in the secondary_dashboard, you have to use a search like this:

index=product sourcetype=my_product Software=$software$ Brand=$brand$ Version=$version$
| table Software Brand Version Product

Ciao.

Giuseppe

charlesukah22 · ‎08-05-2020

Thank you ,

Thank was very useful and helpful

gcusello · ‎08-06-2020

Hi @charlesukah22,

good!

for the other people of Community, please accept the answer.

Ciao and next time!

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎08-06-2020

Hi @charlesukah22,

you didn't accepted the solution, but your post!

Ciao and next time.

Giuseppe

P.S.: Karma Points are appreciated 😉

charlesukah22 · ‎08-07-2020

So sorry,

Didn't know where to accept it.

The answer cleared my issues. Thank you

How to put items in one single row with the total number of their count under “count”?

drilldown

single value

table

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!