Placing two search results in single panel of dashboard

srajanbabu
Explorer

I have two different panels in a dashboard, as follows:

<dashboard>
  <label>xmlcheck</label>
  <row>
    <table>
      <searchString><![CDATA[source="FTPLOG.log" "Customer has successfully retrieved file"
        | rex "::\s(?<timestamp>\S+)\s"| rex "^\S+\s(?<userid>\S+)\."
        | rex "\s(?<file_name>\S+)\s\((?<record_count>\d+)\srecords/(?<byte_count>\d+)\sbytes\)$"
        | stats count as FileCount list(file_name) as FileName sum(record_count) as RecordCount sum(byte_count) as ByteCount by timestamp userid
        | where RecordCount !=0 AND ByteCount !=0]]>
      </searchString>
    </table>
  </row>
  <row>
    <table>
      <searchString><![CDATA[source="FTPLOG.log"| rex "^\S+\s(?<userid>\w+\.[0-9a-zA-Z]{4})"
        | stats distinct_count(userid)]]>
      </searchString>
    </table>
  </row>
</dashboard>

I want to display these two search results in the same single panel of a dashboard.
Can anyone help me with this?

melting
Splunk Employee

There is a concept of Row Grouping in simplexml. Here is an example of a row with one panel which has two visualizations in it.

<dashboard>
  <row grouping="2">
    <table>
      ...
    </table>
    <table>
      ...
    </table>
  </row>
</dashboard>

There are more details in the docs here: http://docs.splunk.com/Documentation/Splunk/6.0/Viz/PanelreferenceforSimplifiedXML#row

Also you can check out the Splunk 6 Dashboard Examples App
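
How the `grouping` attribute from the answer above maps a row's visualizations onto panels, as an added example that is not part of the original post and is not Splunk's code: a small Python check that reads Simple XML and flags rows whose grouping does not match their contents. It assumes `grouping` is a comma-separated list of counts (so "2,1" means two elements in the first panel and one in the second); the sample dashboard and the name `panel_layout` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: row 1 follows the accepted answer (searches shortened);
# row 2 is deliberately inconsistent so the check has something to flag.
SAMPLE = r"""<dashboard>
  <label>xmlcheck</label>
  <row grouping="2">
    <table>
      <searchString><![CDATA[source="FTPLOG.log" "Customer has successfully retrieved file"
        | rex "^\S+\s(?<userid>\S+)\." | stats count as FileCount by userid]]></searchString>
    </table>
    <table>
      <searchString><![CDATA[source="FTPLOG.log" | rex "^\S+\s(?<userid>\w+\.[0-9a-zA-Z]{4})"
        | stats distinct_count(userid)]]></searchString>
    </table>
  </row>
  <row grouping="2,1">
    <table><searchString>source="FTPLOG.log" | stats count</searchString></table>
    <table><searchString>source="FTPLOG.log" | head 5</searchString></table>
  </row>
</dashboard>"""

# Visualization elements counted as panel content (Simple XML element names).
VIZ_TAGS = {"table", "chart", "single", "event", "map", "html"}

def panel_layout(dashboard_xml):
    """Return one (row_number, panels, problem) tuple per <row>."""
    results = []
    for number, row in enumerate(ET.fromstring(dashboard_xml).iter("row"), start=1):
        viz = [child.tag for child in row if child.tag in VIZ_TAGS]
        grouping = row.get("grouping")
        try:
            # No grouping attribute: each visualization is its own panel.
            sizes = [int(n) for n in grouping.split(",")] if grouping else [1] * len(viz)
        except ValueError:
            results.append((number, [], f"grouping={grouping!r} is not a list of integers"))
            continue
        problem = None
        if sum(sizes) != len(viz):
            problem = f"grouping={grouping!r} covers {sum(sizes)} elements, row has {len(viz)}"
        panels, pos = [], 0
        for size in sizes:
            panels.append(viz[pos:pos + size])
            pos += size
        results.append((number, panels, problem))
    return results

if __name__ == "__main__":
    for number, panels, problem in panel_layout(SAMPLE):
        print(f"row {number}: panels={panels} problem={problem}")
```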

srajanbabu
Explorer

This is really working, I could get two search results in a single panel. Thanks a lot.

anjafischer
Path Finder

Couldn't you just put both tags into the same tag?
Then the structure would be

<dashboard>
  <label>xmlcheck</label>
  <row>
    <searchstring>your first search</searchstring>
    <searchstring>your second search</searchstring>
  </row>
</dashboard>

If that doesn't work you might have to use Advanced XML instead. Check out this thread.
