Dashboards & Visualizations

Single Report dashboard with multiple panels based on time range?

adsquaired
Explorer

I have created a dashboard with multiple panels with each panel based on a dedicated report.  Here's an example. This works great but there must be a better way to do this instead of having 4 reports per dashboard when the only difference between the search is the time.

 

 

<dashboard>
  <label>Packets</label>
  <row>
    <panel>
      <title>Daily</title>
      <chart>
        <search ref="Packets Daily"></search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Weekly</title>
      <chart>
        <search ref="Packets Weekly"></search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Monthly</title>
      <chart>
        <search ref="Packets Monthly"></search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Yearly</title>
      <chart>
        <search ref="Packets Yearly"></search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>

 

 

What I would prefer to do is have one single report with each panel having the correct time frame.  I do not want a time picker displayed on the dashboard.

I tried using earliest and latest syntax in each search section of the xml but the time is inherited from the

report. 

Thanks in advance.

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

You can have a single daily packet report which is given a search id and then in the weekly/monthly/yearly you can just reference the daily report and post process calculate the appropriate periods with whatever aggregation you need.

Let's assume your daily packets search looks like this

my_packet_search
| timechart span=1d count 

then your dashboard would look like this

<dashboard>
  <label>Packets</label>
  <row>
    <panel>
      <title>Daily</title>
      <chart>
        <search ref="Packets Daily" id="daily_report"></search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Weekly</title>
      <chart>
        <search id="weekly_report" base="daily_report">
          <query>
| timechart span=1w sum(*) as *
          </query>
        </search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Monthly</title>
      <chart>
        <search id="monthly_report" base="weekly_report">
          <query>
| timechart span=1mon sum(*) as *
          </query>
        </search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Yearly</title>
      <chart>
        <search base="monthly_report">
          <query>
| timechart span=1y sum(*) as *
          </query>
        </search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>

The base search could be daily_report in all cases, but by simply calling each subsequent search its own id, you can use the slightly smaller dataset for the larger granularity calculation.

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

You can have a single daily packet report which is given a search id and then in the weekly/monthly/yearly you can just reference the daily report and post process calculate the appropriate periods with whatever aggregation you need.

Let's assume your daily packets search looks like this

my_packet_search
| timechart span=1d count 

then your dashboard would look like this

<dashboard>
  <label>Packets</label>
  <row>
    <panel>
      <title>Daily</title>
      <chart>
        <search ref="Packets Daily" id="daily_report"></search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Weekly</title>
      <chart>
        <search id="weekly_report" base="daily_report">
          <query>
| timechart span=1w sum(*) as *
          </query>
        </search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Monthly</title>
      <chart>
        <search id="monthly_report" base="weekly_report">
          <query>
| timechart span=1mon sum(*) as *
          </query>
        </search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Yearly</title>
      <chart>
        <search base="monthly_report">
          <query>
| timechart span=1y sum(*) as *
          </query>
        </search>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>

The base search could be daily_report in all cases, but by simply calling each subsequent search its own id, you can use the slightly smaller dataset for the larger granularity calculation.

yeahnah
Motivator

Agree, this is a far better solution, as 1 base search can give 4 panel results, unlike my suggested method which is less efficient with 4 base searches.

0 Karma

adsquaired
Explorer

I discovered the problem. The search behind the report was to restrictive on the time so I could not expand the time in the dashboard panels. Once I fixed that I was able to use the correct time modifiers in each panel. 

@bowesmana, I like the search id functionality and knowing I can tack span on to the query generated from the report is helpful.

0 Karma

yeahnah
Motivator

Hi @adsquaired 

Yes, you can use the savedsearch command and pass it the earliest and latest times as replaced field values.  Here's the doc ref.

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Savedsearch

As an example
1. Create a saved search (report)

 

index=_internal $earliest$ $latest$
| head 1
| addinfo
| foreach info_*_time [ eval <<FIELD>>=strftime('<<FIELD>>', "%c") ]
| table _time info_min_time info_max_time

 

yeahnah_0-1679537841664.png

2. Now run the report using the savedsearch command, passing in the earliest and latest variables as time modifiers (you can name these variables to whatever you like)

yeahnah_1-1679537912132.png

Note, the dashboard XML for the search would need to be something like this

 

<search>
  <query>| savedsearch mysavedsearch earliest="earliest=-24h@h" latest="latest=-1m@m"</query>
</search>

 

Hope this helps.

Please mark as solution provided if this works for you.

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...