Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Populating second panel based on results of the first panel

adamantium7706
Explorer
‎07-11-2023 10:48 AM

I am trying to create a second panel based on the results of the first panel.

There are 3 columns which have different values (including null) based on which the second panel needs to be populated.

Have created 3 different tokens to store the results of each column.

Here is how the first panel looks:
ID         Name         Col1         Col2         Col3
111      ABC             null           null         Value1
123      DEF             Value2     null          null
456      GHI              Value3     null          null 
789      JKL              null            null         Value4

The second panel should be able to process the results from Col1, Col2 and Col3 and populate related IDs based on the columns values while ignoring the null values.

 

index=* sourcetype=source Col1="$C1" OR Col2="$C2$" OR Col3="$C3$" 
| fields + ID, Name 
| stats count by ID, Name

 

Currently it just searches with just the first value(Value1) and gives results based on that but I need it to search through all the values (skipping null) and display the IDs corresponding to the values.
Can someone help me with this?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

andrew_nelson
Communicator
‎07-12-2023 04:58 AM

You can try  add this to your panel 1 query: 
It'll group all the values found in your search into each row, so that even when the results token takes the top row, it'll have all values and make them into a string you can use. 

The foreach section will surround each value in quotes, just in case there are spaces in your data. 

 

...
| eventstats values(Col1) as Col1_tok values(Col2) as Col2_tok values(Col3) as Col3_tok
| foreach *_tok
[ eval <<FIELD>>=mvjoin(<<FIELD>>, "\",\""), <<FIELD>>="\"".<<FIELD>>."\""]

 

 

You can use 

$results.Col1_tok$ etc in place of $results.Col1$ in Rich's answer. 

Then to keep the panel clean, you can specify the fields it will display using the below line in the XML alongside the <options> data in the panel. : 
<fields>["ID", "Name", "Col1", "Col2", "Col3"]</fields>

Your second panel will need to be adapted for the new format. 

 

index=* sourcetype=source Col1="$C1" OR Col2="$C2$" OR Col3="$C3$"

 

becomes 

 

index=* sourcetype=source Col1 IN ($C1) OR Col2 IN ($C2$) OR Col3 IN ($C3$)

 

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-11-2023 01:07 PM

To pass results from one panel to another, use a <done> element after the query in the first panel to set tokens  Then reference the tokens in the second panel.

...
<panel>
  <title>Panel 1</title>
  <search>
    <query>...</query>
    <done>
      <set token="C1">$results.Col1$</set>
      <set token="C2">$results.Col2$</set>
      <set token="C3">$results.Col3$</set>
    </done>
  </search>
</panel>
<panel>
  <title>Panel 2</title>
  <search>
    <query>index=* sourcetype=source Col1="$C1$" OR Col2="$C2$" OR Col3="$C3$" 
| fields + ID, Name 
| stats count by ID, Name</query>
  </search>
</panel>
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

adamantium7706
Explorer
‎07-12-2023 03:23 AM

Thanks for the reply.

I have already implemented this. The issue is, it just searches for the first value it gets and doesn't search for the remaining values.

I want it to search through all the values(excluding null) and display results based on that.

0 Karma
Reply
Solved! Jump to solution
Solution

andrew_nelson
Communicator
‎07-12-2023 04:58 AM

You can try  add this to your panel 1 query: 
It'll group all the values found in your search into each row, so that even when the results token takes the top row, it'll have all values and make them into a string you can use. 

The foreach section will surround each value in quotes, just in case there are spaces in your data. 

 

...
| eventstats values(Col1) as Col1_tok values(Col2) as Col2_tok values(Col3) as Col3_tok
| foreach *_tok
[ eval <<FIELD>>=mvjoin(<<FIELD>>, "\",\""), <<FIELD>>="\"".<<FIELD>>."\""]

 

 

You can use 

$results.Col1_tok$ etc in place of $results.Col1$ in Rich's answer. 

Then to keep the panel clean, you can specify the fields it will display using the below line in the XML alongside the <options> data in the panel. : 
<fields>["ID", "Name", "Col1", "Col2", "Col3"]</fields>

Your second panel will need to be adapted for the new format. 

 

index=* sourcetype=source Col1="$C1" OR Col2="$C2$" OR Col3="$C3$"

 

becomes 

 

index=* sourcetype=source Col1 IN ($C1) OR Col2 IN ($C2$) OR Col3 IN ($C3$)

 

Reply
Solved! Jump to solution

adamantium7706
Explorer
‎07-12-2023 09:18 AM

Thank you so much. This resolved the issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...