Solved: Re: Pass Count from Multiple Panels to a Single Va...

mcg_connor · ‎08-09-2019

I'm trying to create a single value panel that shows the total count of results in panels on the dashboard. So say if Panel number 3 , 5 and 8 on the dashboard are showing results the single value panel at the top would say 3.

Thanks for any help!

renjith_nair · ‎08-10-2019

@mcg_connor ,

You may try with search event tokens.

Here is a run anywhere example

Check each panels result count and if it's greater than 0 set the respective token to 1 , otherwise 0
Run a dummy search and add(+) these token values for the single value panel

In case you want to show the total count of the results, you may set the token to $job.resultCount$

<dashboard>
  <label>Single Panal Values</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal |stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <condition match="'job.resultCount' > 0">
              <set token="first_panel_count">1</set>
            </condition>
            <condition>
              <set token="first_panel_count">0</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>index=_audit |stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <condition match="'job.resultCount' > 0">
              <set token="second_panel_count">1</set>
            </condition>
            <condition>
              <set token="second_panel_count">0</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>index=_introspection |stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <condition match="'job.resultCount' > 0">
              <set token="third_panel_count">1</set>
            </condition>
            <condition>
              <set token="third_panel_count">0</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <search>
          <query>|makeresults|eval result=$first_panel_count$+$second_panel_count$+$third_panel_count$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</dashboard>

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

woodcock · ‎08-16-2019

Set a default value for panel_count of 0
then put a done clause in each panel with this in it <eval token="panel_count">$panel_count$ + 1</eval>.

renjith_nair · ‎08-10-2019

@mcg_connor ,

You may try with search event tokens.

Here is a run anywhere example

Check each panels result count and if it's greater than 0 set the respective token to 1 , otherwise 0
Run a dummy search and add(+) these token values for the single value panel

In case you want to show the total count of the results, you may set the token to $job.resultCount$

<dashboard>
  <label>Single Panal Values</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal |stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <condition match="'job.resultCount' > 0">
              <set token="first_panel_count">1</set>
            </condition>
            <condition>
              <set token="first_panel_count">0</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>index=_audit |stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <condition match="'job.resultCount' > 0">
              <set token="second_panel_count">1</set>
            </condition>
            <condition>
              <set token="second_panel_count">0</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>index=_introspection |stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <condition match="'job.resultCount' > 0">
              <set token="third_panel_count">1</set>
            </condition>
            <condition>
              <set token="third_panel_count">0</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <search>
          <query>|makeresults|eval result=$first_panel_count$+$second_panel_count$+$third_panel_count$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</dashboard>

---
What goes around comes around. If it helps, hit it with Karma 🙂

Pass Count from Multiple Panels to a Single Value Panel

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation