Dashboards & Visualizations

Trying to understand how to display a specific chunk of data from a query via panels and inputs on a dashboard.

jrande28
Engager

Currently, I have created a dashboard with panels that have input selection. One specific panel displays application data listed by app, and highest to lowest based on the amount of bytes.


Currently, all of that is pulling fine. The issue is with what I am trying to accomplish next. I am trying to add a dropdown input selection that would allow you to choose to display the apps based on rank. For example:


Say I have apps listed by most amount of bytes sent, from highest to lowest, lets say 1-20. 1 being highest and 20 being lowest. I want to then have an input selection that allows me to choose to only display results 1-5, 6-10, 11-15, 16-20, etc. It will only be in groupings of 5 like that. I have posted my current query below. Please let me know if anymore details are needed for this. Also, the output is a column chart with the x-axis being "app" and the y-axis being "Total_Bytes".

index=your_index NOT app=not-applicable
| stats sum(bytes) AS "Total_Bytes" by app
| sort 5 -Total_Bytes
| eval Total_Bytes=round(Total_Bytes/$AppBytes$,2)

Basically, if I select the option from the dropdown to see the 6th-10th app, the query would be running, and ordering these apps from highest to lowest based on bytes while only displaying to me the 6th-10th highest apps from those results.


Oh and just an FYI on the query above. The "sort 5 -Total_Bytes" was only to eliminate alot of the noise from the results while testing this. Its not essential that it stay part of the query (unless sort is used in achieving the above). And then the eval piece relates to a dropdown that allows you to convert the bytes to MB, GB, etc.


Hope my description of what I am trying to achieve was clear enough. It seems like something that should be rather simple to do but I havent been able to wrap my head around it yet. Thanks in advance for any input!

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| sort -Total_Bytes
| streamstats count as rank
| $selection$

Then in your dropdown, set the value to an appropriate selection

<choice value="where rank &lt; 6">1-5</choice>
<choice vlaue="where rank &gt; 5 AND rank &lt; 11">6-10</choice>

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| sort -Total_Bytes
| streamstats count as rank
| $selection$

Then in your dropdown, set the value to an appropriate selection

<choice value="where rank &lt; 6">1-5</choice>
<choice vlaue="where rank &gt; 5 AND rank &lt; 11">6-10</choice>

jrande28
Engager

@ITWhisperer  Fantastic! That worked perfectly. Thanks for the help on this one.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...