Dashboards & Visualizations

Is there some way to put all three stats commands in the same search, and maybe the trellis can get each calculation?

eholz1
Contributor

Hello all,

I have three individual searches for a single value viz. the value for each viz is a sum of a field.

I have bytes, bytes_in, and bytes_out. Each search is | stats sum(bytes) as Total, sum(bytes_in) as In, and sum(bytes_out) as Out

So 3 searches for each field, and a single value viz for each field. I have looked at the trellis viz, but it is not much help. My actual spl is using the same formula for each field: index=squid
| stats sum(bytes_in) as TotalBytes
| eval gigabytes=TotalBytes/1024/1024/1024
| rename gigabytes as "Bytes In"
| table "Bytes In"

Is there some way to put all three stats commands in the same search, and maybe the trellis can get each calculation? I looked at trying to put  each single value in a table 3 column by one row, etc

How can this be accomplished.

Thanks again,

eholz1

Labels (1)
Tags (1)
0 Karma
1 Solution

yeahnah
Motivator

Hi @eholz1 

Here's an example of how to do it...

| makeresults
| eval _raw="bytes, bytes_in, bytes_out
9999999999, 5555555555, 4444444444
9999999999, 4444444444, 5555555555"
| multikv forceheader=1
``` ignore above - just creating dummy events ```
| stats sum(bytes) as Total
sum(bytes_in) as In
sum(bytes_out) as Out
| foreach Total In Out [ eval <<FIELD>>_gb=('<<FIELD>>'/1024/1024/1024) ]
| fields *gb

yeahnah_0-1678998857862.png

Hope it helps

View solution in original post

Tags (1)

yeahnah
Motivator

Hi @eholz1 

Here's an example of how to do it...

| makeresults
| eval _raw="bytes, bytes_in, bytes_out
9999999999, 5555555555, 4444444444
9999999999, 4444444444, 5555555555"
| multikv forceheader=1
``` ignore above - just creating dummy events ```
| stats sum(bytes) as Total
sum(bytes_in) as In
sum(bytes_out) as Out
| foreach Total In Out [ eval <<FIELD>>_gb=('<<FIELD>>'/1024/1024/1024) ]
| fields *gb

yeahnah_0-1678998857862.png

Hope it helps

Tags (1)

eholz1
Contributor

One more queston, this works great. Is there a way I can set a static color based on the "title" of the trellis viz?

i.e.  In_gb is green, Out_gb is blue, etc.

Thanks again for an excellent solution.

I would like to have a different color for each result (in block mode)

 

thanks again,

eholz1

0 Karma

yeahnah
Motivator

I don't believe so, not by any standard means, at least (custom javascript anyone?).  The use of colors is based on the values only.

If you want something like that then I suggest just using single values panels side by side, like this example.

yeahnah_0-1679007640606.png


here's the run anywhere dashboard code for the example above

<dashboard>
  <label>sv panel colored</label>
  <search id="base_search">
    <query>| makeresults
| eval _raw="bytes, bytes_in, bytes_out
9999999999, 5555555555, 4444444444
9999999999, 4444444444, 5555555555"
| multikv forceheader=1
| stats sum(bytes) as Total
        sum(bytes_in) as In
        sum(bytes_out) as Out
| foreach Total In Out [ eval &lt;&lt;FIELD&gt;&gt;_gb=('&lt;&lt;FIELD&gt;&gt;'/1024/1024/1024) ]
| fields *gb
    </query>
    <earliest>-15m</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <html>
        <style>
        #trellis {
          width:40% !important;
        }
        #sv_panel1, #sv_panel2, #sv_panel3 {
          width:20% !important;
        }
       </style>
     </html>
    </panel>
  </row>
  <row>
    <panel id="trellis">
      <title>trellis</title>
      <single>
        <search base="base_search">
          <query/>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel id="sv_panel1">
      <single>
        <title>In_gb</title>
        <search base="base_search">
          <query>fields In_gb</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051","0x53a051"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel id="sv_panel2">
      <single>
        <title>Out_gb</title>
        <search base="base_search">
          <query>fields Out_gb</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x006d9c","0x006d9c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel id="sv_panel3">
      <single>
        <title>Total_gb</title>
        <search base="base_search">
          <query>fields Total_gb</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xf8be34","0xf8be34"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</dashboard>

  

eholz1
Contributor

Wow, Thanks again for the input. I appreciate it.

I will review, and figure out what would be nice to use.

thanks for taking the time to do this.

eholz1

0 Karma

eholz1
Contributor

Wow thanks for fast reply, I will try it out,

thanks again,

 

eholz1

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Spunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...