Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there some way to put all three stats commands in the same search, and maybe the trellis can get each calculation?

eholz1
Builder
‎03-16-2023 01:18 PM

Hello all,

I have three individual searches for a single value viz. the value for each viz is a sum of a field.

I have bytes, bytes_in, and bytes_out. Each search is | stats sum(bytes) as Total, sum(bytes_in) as In, and sum(bytes_out) as Out

So 3 searches for each field, and a single value viz for each field. I have looked at the trellis viz, but it is not much help. My actual spl is using the same formula for each field: index=squid
| stats sum(bytes_in) as TotalBytes
| eval gigabytes=TotalBytes/1024/1024/1024
| rename gigabytes as "Bytes In"
| table "Bytes In"

Is there some way to put all three stats commands in the same search, and maybe the trellis can get each calculation? I looked at trying to put  each single value in a table 3 column by one row, etc

How can this be accomplished.

Thanks again,

eholz1

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yeahnah
Motivator
‎03-16-2023 01:34 PM

Hi @eholz1 

Here's an example of how to do it...

| makeresults
| eval _raw="bytes, bytes_in, bytes_out
9999999999, 5555555555, 4444444444
9999999999, 4444444444, 5555555555"
| multikv forceheader=1
``` ignore above - just creating dummy events ```
| stats sum(bytes) as Total
        sum(bytes_in) as In
        sum(bytes_out) as Out
| foreach Total In Out [ eval <<FIELD>>_gb=('<<FIELD>>'/1024/1024/1024) ]
| fields *gb

yeahnah_0-1678998857862.png

Hope it helps

View solution in original post

Tags (1)
Reply
Solved! Jump to solution
Solution

yeahnah
Motivator
‎03-16-2023 01:34 PM

Hi @eholz1 

Here's an example of how to do it...

| makeresults
| eval _raw="bytes, bytes_in, bytes_out
9999999999, 5555555555, 4444444444
9999999999, 4444444444, 5555555555"
| multikv forceheader=1
``` ignore above - just creating dummy events ```
| stats sum(bytes) as Total
        sum(bytes_in) as In
        sum(bytes_out) as Out
| foreach Total In Out [ eval <<FIELD>>_gb=('<<FIELD>>'/1024/1024/1024) ]
| fields *gb

yeahnah_0-1678998857862.png

Hope it helps

Tags (1)
Reply
Solved! Jump to solution

eholz1
Builder
‎03-16-2023 03:19 PM

One more queston, this works great. Is there a way I can set a static color based on the "title" of the trellis viz?

i.e.  In_gb is green, Out_gb is blue, etc.

Thanks again for an excellent solution.

I would like to have a different color for each result (in block mode)

 

thanks again,

eholz1

0 Karma
Reply
Solved! Jump to solution

yeahnah
Motivator
‎03-16-2023 04:01 PM

I don't believe so, not by any standard means, at least (custom javascript anyone?).  The use of colors is based on the values only.

If you want something like that then I suggest just using single values panels side by side, like this example.

yeahnah_0-1679007640606.png


here's the run anywhere dashboard code for the example above

<dashboard>
  <label>sv panel colored</label>
  <search id="base_search">
    <query>| makeresults
| eval _raw="bytes, bytes_in, bytes_out
9999999999, 5555555555, 4444444444
9999999999, 4444444444, 5555555555"
| multikv forceheader=1
| stats sum(bytes) as Total
        sum(bytes_in) as In
        sum(bytes_out) as Out
| foreach Total In Out [ eval &lt;&lt;FIELD&gt;&gt;_gb=('&lt;&lt;FIELD&gt;&gt;'/1024/1024/1024) ]
| fields *gb
    </query>
    <earliest>-15m</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <html>
        <style>
        #trellis {
          width:40% !important;
        }
        #sv_panel1, #sv_panel2, #sv_panel3 {
          width:20% !important;
        }
       </style>
     </html>
    </panel>
  </row>
  <row>
    <panel id="trellis">
      <title>trellis</title>
      <single>
        <search base="base_search">
          <query/>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel id="sv_panel1">
      <single>
        <title>In_gb</title>
        <search base="base_search">
          <query>fields In_gb</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051","0x53a051"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel id="sv_panel2">
      <single>
        <title>Out_gb</title>
        <search base="base_search">
          <query>fields Out_gb</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x006d9c","0x006d9c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel id="sv_panel3">
      <single>
        <title>Total_gb</title>
        <search base="base_search">
          <query>fields Total_gb</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xf8be34","0xf8be34"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</dashboard>

  

Reply
Solved! Jump to solution

eholz1
Builder
‎03-17-2023 09:41 AM

Wow, Thanks again for the input. I appreciate it.

I will review, and figure out what would be nice to use.

thanks for taking the time to do this.

eholz1

0 Karma
Reply
Solved! Jump to solution

eholz1
Builder
‎03-16-2023 01:52 PM

Wow thanks for fast reply, I will try it out,

thanks again,

 

eholz1

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...