I've seen various questions about comparing two events in Splunk.
This question is specifically about designing a Splunk Web dashboard user interface to enable users to select two events to compare.
My initial thoughts involve two side-by-side events list visualizations, where each events list has an associated time picker UI control:
You use the time picker for the events list on the left to narrow that events list to include one of the events you want to compare, and then you click that event. Drilldown settings for the events list would use that click to set a token, or tokens, that can be used to refer to that specific event in a search.
Same for the other event, using the time picker and its events list on the right.
However, I haven't yet got around to implementing this in practice. It occurs to me that, although I haven't found an exact duplicate question, this is likely to be a common use case—a problem already solved—so I thought I'd ask here first.
What arrangement of UI controls and visualizations in a dashboard is generally regarded as optimal for selecting two events from two different time periods, where the time periods might be arbitrarily different? For example, we're not necessarily comparing events for the same time-of-day on two different days.
Here is a run anywhere example. You may choose the visualizations suitable to represent your data .
1. Left panel displays count of sourcetype per 5 minutes - controlled via time picker assigned for the panel
2. RIght panel gets avg (count/5minutes) - controlled via time picker assigned for the panel
3. Bottom panel displays event information based on the sourcetype selected from left panel. This can be repeated for right panel as well