Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I want to use tokens to pass value from one dashboard panel to another panel of the same dashboard

nkankur
Path Finder
‎11-13-2017 09:19 AM

I have two long search queries which forms two panels of my dashboard and I want to use final values from both of them for my third panel and I don't want to run those two long queries again in my final search. I just want to use those final results in my final query as tokens. How can I do that?

for example

query 1

..| stats sum(value1) as "Total Bill"

query 2

..| eval value2=(some operation)| rename value2 as "Expected Bill"

query 3

eval Saving= (($Token1$-$Token2$)/$Token1$)

Thanks in Advance!

0 Karma
Reply

elliotproebstel
Champion
‎11-13-2017 09:41 AM

Absolutely, this is pretty easy to do by editing the simpleXML of your dashboard. First, you'll need to add the syntax that sets the tokens. Inside the <search>...</search> sections for your first two panels, you'll add some code to set the tokens. Inside the first:

<done>
  <set token="Token1">$result.Total Bill$</set>
</done>

And inside the second:

<done>
  <set token="Token2">$result.Expected Bill$</set>
</done>

Then your third panel can simply use the syntax you already posted:

eval Saving= (($Token1$-$Token2$)/$Token1$)

EDIT: Sorry, it doesn't seem to like when I use the <pre><code> syntax, so I edited this in the hopes it will now properly display my answer.

Reply

nkankur
Path Finder
‎11-14-2017 03:33 AM

I used the above code but my result panel is not showing any data.
It is showing-

No results found.

0 Karma
Reply

niketn
Legend
‎11-14-2017 12:40 PM

Following is a run anywhere dashboard. Please change the Search queries for Panel 1 and Panel 2 as per your need as the current one are based on Splunk's _internal index, which are used to mock data.

<form>
  <label>Pass Token from Two Panels to Third</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=_internal sourcetype=splunkd
|  stats sum(date_minute) as "Total Bill"</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <condition match="$job.resultCount$==0">
              <set token="Token1">0</set>
            </condition>
            <condition>
              <set token="Token1">$result.Total Bill$</set>
            </condition>
          </done>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">Total</option>
        <option name="unit">$</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <single>
        <search>
          <query>index=_internal sourcetype=splunkd
|  stats sum(date_hour) as "Expected Bill"</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <condition match="$job.resultCount$==0">
              <set token="Token2">0</set>
            </condition>
            <condition>
              <set token="Token2">$result.Expected Bill$</set>
            </condition>
          </done>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">Expected</option>
        <option name="unit">$</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <title>Token1: $Token1$ - Token2: $Token2$</title>
      <single>
        <search>
          <query>| makeresults
|  eval Saving=($Token1$-$Token2$)/$Token1$
|  table Saving</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0.0000</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">Savings</option>
        <option name="unit">$</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</form>

PS: I noticed in query 2 you have used following syntax: | eval value2=(some operation)| rename value2 as "Expected Bill". Instead you can try | eval "Expected Bill"=(some operation)

I have printed Token1 and Token2 values in Third panel for testing whether they are getting set as expected or not.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

nkankur
Path Finder
‎11-14-2017 03:33 AM

I used the above code but my result panel is not showing any data.
It is showing-

No results found.

0 Karma
Reply

niketn
Legend
‎11-13-2017 09:54 AM

@elliotproebstel, you beat me to it.

@nkankur, You can do it by coding <done> or <progress> search event handler that can access $result.<YourFieldName>$ default token.

For Panel 1 following is the Search Event Handler:

      <done>
        <condition match="$job.resultCount$==0">
          <set token="Token1">0</set>
        </condition>
        <condition>
          <set token="Token1">$result.Total Bill$</set>
        </condition>
      </done>

The Search Event Handler for Panel 2 on similar lines:

      <done>
        <condition match="$job.resultCount$==0">
          <set token="Token2">0</set>
        </condition>
        <condition>
          <set token="Token2">$result.Expected Bill$</set>
        </condition>
      </done>

Finally, your 3rd panel code would look like the following:

| makeresults
|  eval Saving=($Token1$-$Token2$)/$Token1$
|  table Saving

I hope you are using Single Value visualizations. If you want to handle No Results Found scenario it will be slightly different however, on similar lines.

[UPDATED] Token2 was called Token1 in second code block. Corrected the same. Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

nkankur
Path Finder
‎11-14-2017 03:34 AM

yes I am using single value visualization.

0 Karma
Reply

nkankur
Path Finder
‎11-14-2017 03:33 AM

I used the above code but my result panel is not showing any data.
It is showing-

No results found.

0 Karma
Reply

elliotproebstel
Champion
‎11-14-2017 10:20 AM

Are the other two panels displaying the expected results? If so, try changing the third panel's search query to this:
| makeresults | eval t1=$Token1$, t2=$Token2$ | fields t1 t2

Does t1 match the result from the first panel, and does t2 match the result from the second panel?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...