Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Passing Token values to Overlay field in the line chart

sanjai
Path Finder
‎04-21-2024 11:02 PM

Hi Splunkers,

I am working on creating a column line chart dashboard that shows database lattency . I'm encountering a issue where I'm trying to pass a token value to overlay options for line chart representation over a column chart. Here are things currently i have,

My Chart and My SPL query:

sanjai_0-1713765156076.png

 

SPL:

index=development sourcetype=rwa_custom_function user_action=swmfs_test ds_file=*
| eval ds_file_path=ds_path."\\".ds_file
| chart avg(ms_per_block) as avg_processing_time_per_block over ds_file_path by machine
| appendcols
[search index=development sourcetype=rwa_custom_function user_action=swmfs_test ds_file=*
| eval ds_file_path=ds_path."\\".ds_file
| stats max(block_count) as total_blocks by ds_file_path]


sanjai_1-1713765156659.png

I need to assign the overlay field value(avg_processing_time_per_block )from the line in SPL:


| chart avg(ms_per_block) as avg_processing_time_per_block over ds_file_path by machine

The reason I'm attempting to assign it as a token is that the avg_processing_time_per_block has dynamic values (sometimes it may be 10 or 12 machines data ).instead of rwmini and rwws01.

Column has total_blocks value  

Or is there any ways to achieve this requirement?

Your thoughts on these are highly appreciated. Thank you in advance.

Sanjai

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-22-2024 12:56 AM

You could have a separate (hidden) panel which generates the value of the token that you use to set the overlay fields for this  panel

0 Karma
Reply

sanjai
Path Finder
‎04-22-2024 01:10 AM

Hi @ITWhisperer 
Thanks for reply ,

I understand ,
But correct me if i'm wrong

1.If i have a seperate hidden panel that gives my token value (avg_processing_time_per_block )

2.Then how can i assign the token $avg_processing_time_per_block$ value to overlay Fields

like these?
<option name="charting.chart.overlayFields">$avg_processing_time_per_block$ </option>

or 
<option name="charting.chart.overlayFields">avg_processing_time_per_block </option>

if i gives these a token then line chart have a single line named avg_processing_time_per_block but the requirement is the avg_processing_time_per_block has dynamic value 

My need is to how to assign the avg_processing_time_per_block value as token in  charting.chart.overlayFields

thanks,

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-22-2024 01:24 AM

As you are probably aware, the list of overlay fields is a comma-separated list of field name, so that's what you need in your token. You could try something like this

| stats values(machine) as avg_processing_time_per_block
| eval avg_processing_time_per_block=mvjoin(avg_processing_time_per_block,",")

You would then set your token on the done block of the search, using this field from the (first) results row and use it in your display panel settings

<option name="charting.chart.overlayFields">$avg_processing_time_per_block$ </option>

 

Reply

sanjai
Path Finder
‎04-25-2024 12:24 AM

Thanks @ITWhisperer  , it worked 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...