Multiple Data Sources for one panel in Dashboard Studio

darkins
Engager

 

Using Dashboard Studio, I have my data source for one panel, then a chained data source for another panel. The first panel is a bar chart of counts by day; the second is a moving average. Trying to overlay the moving average on top of the bar chart. Have done this in Classic using overlays, but in Studio I don't know how to reference the chained data source results in the first panel. For example, my bar chart visualization code looks like this. In overlay fields I tried to explicitly reference the data source name, but it doesn't seem to work.

I know both queries/data sources are working, as my base search works and my chained search works when shown in separate panels.

{
    "type": "splunk.column",
    "dataSources": {
        "primary": "ds_C2wKdHsA"
    },
    "title": "Per Day Count",
    "options": {
        "y": "> primary | frameBySeriesNames('NULL','_span','_spandays')",
        "legendTruncation": "ellipsisOff",
        "legendDisplay": "off",
        "xAxisTitleVisibility": "hide",
        "xAxisLabelRotation": -45,
        "yAxisTitleVisibility": "hide",
        "overlayFields": "$chaineddatasource_ByDayMA:result.gpsreHaltedJobsMA$",
        "axisY2.enabled": true,
        "dataValuesDisplay": "all"
    },
    "showProgressBar": false,
    "showLastUpdated": false,
    "context": {}
}

ITWhisperer
SplunkTrust

The overlay field has to be a field from the search, so you will have to combine the daily count and the moving average into a single data source.


darkins
Engager

Not sure I can do that.

Using a base query and then a chained query.

Panel A gives me the MA line:

| timechart count span=1d | streamstats time_window=30d avg(count) as A | eval A=round(A,0)

 

Panel B gives me count by day bar

| timechart span=1d count(B) by B


ITWhisperer
SplunkTrust

Try something like this

| timechart span=1d count(B) by B
| addtotals fieldname=count
| streamstats time_window=30d avg(count) as A
| eval A=round(A,0)

darkins
Engager

WINNER WINNER!

Thank you very much!
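
The combined-search approach from the accepted answer, written out as the two relevant sections of a Dashboard Studio definition. This is an added example, not part of the original thread: the data source ID `ds_daily_with_ma`, the visualization ID, the time range and the `<base search>` placeholder are assumptions. The overlay is referenced by its field name `A` from the same `primary` data source instead of by a token pointing at a second data source.

```json
{
    "description": "Added example: IDs, time range and the <base search> placeholder are assumptions",
    "dataSources": {
        "ds_daily_with_ma": {
            "type": "ds.search",
            "name": "Daily count with 30-day moving average",
            "options": {
                "query": "<base search> | timechart span=1d count(B) by B | addtotals fieldname=count | streamstats time_window=30d avg(count) as A | eval A=round(A,0)",
                "queryParameters": {
                    "earliest": "-90d@d",
                    "latest": "now"
                }
            }
        }
    },
    "visualizations": {
        "viz_per_day_count": {
            "type": "splunk.column",
            "dataSources": {
                "primary": "ds_daily_with_ma"
            },
            "title": "Per Day Count",
            "options": {
                "y": "> primary | frameBySeriesNames('count','A')",
                "overlayFields": ["A"],
                "legendTruncation": "ellipsisOff",
                "legendDisplay": "off",
                "xAxisTitleVisibility": "hide",
                "xAxisLabelRotation": -45,
                "yAxisTitleVisibility": "hide",
                "dataValuesDisplay": "all"
            },
            "showProgressBar": false,
            "showLastUpdated": false
        }
    }
}
```

Here `y` is narrowed to the `count` total and the average `A`, so the per-value series produced by `by B` are not drawn; list them in `frameBySeriesNames` if they should appear as columns too.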

 
