Dashboards & Visualizations

Is it possible to use tokens to alternate the display of different timecharts/tables, in the same dashboard, in real-time?

marvinlee93
Explorer

Hi all,

I would like to flip time charts/tables in the same Dashboard using tokens without manual refresh. (Eg, Change timechart every 5 seconds)

I am interested to know if it is possible to ALTERNATE the display of different TIMECHARTS/TABLES in the same dashboard in Real-Time.
So then, I could display different information at different time intervals using the SAME dashboard and amount of SPACE.

I was thinking of making use of tokens. With a smarter use of tokens, we could set a timer and conditions such that a different 'set of timecharts' would appear at different time intervals? Is that doable?

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@marvinlee93 ,

Have a look at the following example and see if it suits your requirement. Its a run anywhere example

Here I switch between two panels based on time (Seconds). If the second(sec) is greater than 30, a table is displayed , otherwise a pie chart. The dashboard is refreshed in every 10 secs

<dashboard refresh="10">
  <label>Time Dependent Dashboards</label>
  <row>
    <panel depends="$IamSupposedToBeHiddenAlways$">
      <table>
        <!-- This is a dummy search to extract time (seconds in this case) -->
        <search>
          <query>|makeresults|eval sec=strftime(_time,"%S")</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
          <done>
             <!--set the tokens based on the value of sec -->
            <condition match="$result.sec$ > 30">
              <set token="show_table">true</set>
              <set token="current_sec">$result.sec$</set>
              <unset token="show_pie"></unset>
            </condition>
            <condition>
              <set token="show_pie">true</set>
              <unset token="show_table"></unset>
              <set token="current_sec">$result.sec$</set>              
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_table$">
      <title>Second is  = $current_sec$</title>
      <table>
        <search>
          <query>|makeresults count=5|eval data="Table displays dummy data if the second is greater than 30"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_pie$">
      <title>Second is  = $current_sec$</title>
      <chart>
        <search>
          <query>index=_*|stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>
Happy Splunking!

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@marvinlee93 ,

Have a look at the following example and see if it suits your requirement. Its a run anywhere example

Here I switch between two panels based on time (Seconds). If the second(sec) is greater than 30, a table is displayed , otherwise a pie chart. The dashboard is refreshed in every 10 secs

<dashboard refresh="10">
  <label>Time Dependent Dashboards</label>
  <row>
    <panel depends="$IamSupposedToBeHiddenAlways$">
      <table>
        <!-- This is a dummy search to extract time (seconds in this case) -->
        <search>
          <query>|makeresults|eval sec=strftime(_time,"%S")</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
          <done>
             <!--set the tokens based on the value of sec -->
            <condition match="$result.sec$ > 30">
              <set token="show_table">true</set>
              <set token="current_sec">$result.sec$</set>
              <unset token="show_pie"></unset>
            </condition>
            <condition>
              <set token="show_pie">true</set>
              <unset token="show_table"></unset>
              <set token="current_sec">$result.sec$</set>              
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_table$">
      <title>Second is  = $current_sec$</title>
      <table>
        <search>
          <query>|makeresults count=5|eval data="Table displays dummy data if the second is greater than 30"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_pie$">
      <title>Second is  = $current_sec$</title>
      <chart>
        <search>
          <query>index=_*|stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>
Happy Splunking!
0 Karma

marvinlee93
Explorer

Hi, I have 3 charts. Let's say i want to display all 3 at the intervals of 20seconds.

              <!--set the tokens based on the value of sec -->
             <condition match="$result.sec$ > 20">
               <set token="Dataset1">true</set>
               <set token="current_sec">$result.sec$</set>
               <unset token="Dataset2"></unset>
               <unset token="Dataset3"></unset>
             </condition>
             <condition match="$result.sec$ > 40">
               <set token="Dataset2">true</set>
               <unset token="Dataset1"></unset>
               <unset token="Dataset3"></unset>
               <set token="current_sec">$result.sec$</set>   
             <condition>
               <set token="Dataset3">true</set>
               <unset token="Dataset1"></unset>
               <unset token="Dataset2"></unset>
               <set token="current_sec">$result.sec$</set>   

This is my code. But it is giving me an error.

Also, I'm new to this. What's the difference between and ?

Let's say I wanna do it at a intervals of 1min for each chart. How would you change the timer?

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@marvinlee93 ,

ok, try this. Just copy paste this to a new dashboard and see if it works. I have set the dashboard refresh in every 20 minutes so that each refresh displays different panel.

<dashboard refresh="20">
  <label>Time Dependent Dashboards</label>
  <row>
    <panel depends="$IamSupposedToBeHiddenAlways$">
      <table>
        <search>
          <query>|makeresults|eval sec=strftime(_time,"%S")</query>
          <earliest>-1s@s</earliest>
          <latest>now</latest>
          <done>
            <!--set the tokens based on the value of sec -->
            <condition match="$result.sec$ &lt; 20">
              <set token="Dataset1">true</set>
              <set token="current_sec">$result.sec$</set>
              <unset token="Dataset2"></unset>
              <unset token="Dataset3"></unset>
            </condition>
            <condition match="$result.sec$ >= 20 AND $result.sec$ &lt; 40">
              <set token="Dataset2">true</set>
              <unset token="Dataset1"></unset>
              <unset token="Dataset3"></unset>
              <set token="current_sec">$result.sec$</set>
            </condition>
            <condition match="$result.sec$ >= 40">
              <set token="Dataset3">true</set>
              <unset token="Dataset1"></unset>
              <unset token="Dataset2"></unset>
              <set token="current_sec">$result.sec$</set>
            </condition>            
          </done>
        </search>
        <!-- This is a dummy search to extract time (seconds in this case) -->
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$Dataset1$">
      <title>Second is  = $current_sec$</title>
      <chart>
        <search>
          <query>index=_*|timechart count by sourcetype</query>
          <earliest>-1m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel depends="$Dataset2$">
      <title>Second is  = $current_sec$</title>
      <chart>
        <search>
          <query>index=_*|stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel  depends="$Dataset3$">
      <title>Second is  = $current_sec$</title>
      <chart>
        <search>
          <query>index=_*|chart count over index by sourcetype</query>
          <earliest>-1m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>
Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...