Dashboards & Visualizations

How to put items in one single row with the total number of their count under “count”?

charlesukah22
Explorer

Hi Guys,  (Please see attached file for better understanding)

I need help adjusting my query to show the below results:

I want to put all the (software, brand and product) in one single row with the total number of their count under “count”

Example: instead of having multiple Mac, Window etc., we should just have one row with the total count

 

Current table

Software Brand Product Number of count
Mac Apple MTBNUYE2V0 1
Mac Apple MTBNUYE2V1 1
Mac Apple MTBNUYE2V2 1
Mac Apple MTBNUYE2V3 1
Mac Apple MTBNUYE2V4 1
Mac Apple MTBNUYE2V5 1
Mac Apple MTBNUYE2V6 1
Mac Apple MTBNUYE2V7 1
Mac Apple MTBNUYE2V8 1
Mac Apple MTBNUYE2V9 1
Mac Apple MTBNUYE2V10 1
Mac Apple Youbest 2
Window Win.x Youbest 2
Window Win.x Youbest 2
Window Win.x Youbest 2
Window Win.x Youbest 2
Window Win.x Youbest 2
Window Win.x Youbest 2
Window Win.x Youbest 2
Window Win.x Youbest 2
Window Win.x Youbest 2
Window Win.x Youbest 2
Window Win.x Youbest 2
Window Win.x Youbest 2

 

Example of expected result:

Software Brand Version Number of count
Mac Apple 20.20.20 200
Windows Win.x 30.90.09 320

 Data is from: index=product sourcetype=my_product

 

  1. Then when we click on the Number of count it should open in a new page showing all the details of the software (example of what details we should see are IP, NAME, HOSTNAME) 

 Data is from: |inputlookup product

0 Karma

gcusello
Legend

Hi @charlesukah22,

the main search should be something like this:

index=product sourcetype=my_product
| stats count BY Software Brand Version

then you should have a drilldown opening a new dashboard with your table passing the tokens from the click:

this is an example from the Splunk dashboard examples App (https://splunkbase.splunk.com/app/1603/) that I suggest installing:

<dashboard>
  <label>Drilldown Link to Dashboard</label>
  <row>
    <panel>
      <table>
        <search>
          <query>
               index=product sourcetype=my_product
               | stats count BY Software Brand Version
          </query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="count">10</option>
        <drilldown>
          <link target="_blank">/app/your_app/secondary_dashboard?software=$row.Software$&amp;brand=$row.Brand$&amp;version=$row.Version$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

then in the secondary_dashboard, you have to use a search like this:

index=product sourcetype=my_product Software=$software$ Brand=$brand$ Version=$version$
| table Software Brand Version Product

  Ciao.

Giuseppe

0 Karma
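
A complete secondary_dashboard for the drilldown described in the answer above, as an added example that is not part of the original posts. The label and table options are assumptions; the search is the one from the answer with Splunk's `|s` token filter applied, so that values arriving in the URL are quoted before they reach the search.

```xml
<!-- Added example: secondary_dashboard, the target named in the drilldown link.
     The tokens software, brand and version arrive as URL query parameters,
     so anyone who can open the link controls their values. -->
<dashboard>
  <label>Software details</label> <!-- label is an assumption -->
  <row>
    <panel>
      <table>
        <search>
          <!-- Without a filter, Software=$software$ pastes the raw value into SPL:
               a value with a space splits into extra search terms, and a value
               containing a pipe could append further commands.
               The |s filter wraps the value in double quotes and escapes quotes
               inside it, so it is always read as one literal field value. -->
          <query>
            index=product sourcetype=my_product Software=$software|s$ Brand=$brand|s$ Version=$version|s$
            | table Software Brand Version Product
          </query>
        </search>
        <!-- Display options below are assumptions, not taken from the thread. -->
        <option name="drilldown">none</option>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</dashboard>
```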

charlesukah22
Explorer

Thank you,

That was very useful and helpful
0 Karma

gcusello
Legend

Hi @charlesukah22,

good!

for the other people of Community, please accept the answer.

Ciao and next time!

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
Legend

Hi @charlesukah22,

you didn't accept the solution, but your post!

Ciao and next time.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

charlesukah22
Explorer

So sorry,

Didn't know where to accept it.

The answer cleared my issues. Thank you

0 Karma