Solved: dynamic ordering of panels in dashboard based on s...

danan5 · ‎02-10-2021

Hi,

Not sure this is possible but. . . .If I have a series of panels on a dashboard and each presents a series of metrics. Is it possible to change the order of the panels based on a search result?

Another way to explain it, if each panel represents one of many systems and I would like the system with the lowest metric to be presented first/top.

Thanks,

David

bowesmana · ‎02-10-2021

If each panel contains the same search, other than the system, then you could run a background search that determines the order and then assign a token to the first, second, third and so on, e.g. this works our the most frequent user in audit log and then creates a table of 'systems' of that user

index=_audit 
| top showperc=f user
| streamstats c
| eval system="system_".c
| table system user
| transpose 0 header_field=system

and then the <done> part of the search would be

<done>
  <set token="system_1">$result.system_1$</done>
  <set token="system_2">$result.system_2$</done>
  <set token="system_3">$result.system_3$</done>
  <set token="system_4">$result.system_4$</done>
  <set token="system_5">$result.system_5$</done>
  <set token="system_6">$result.system_6$</done>
  <set token="system_7">$result.system_7$</done>
  <set token="system_8">$result.system_8$</done>
  <set token="system_9">$result.system_9$</done>
  <set token="system_10">$result.system_10$</done>
</done>

The search in each panel would then have something like

Panel 1: search is <search> system=$system_1$

Panel 2: search is <search> system=$system_2$

and so on.

i.e. something like

<panel depends=$system_1$>
panel_type....
  <search depends=$system_1$>
    <query>
bla bla bla system=$system_1$
| stats count by bla
    </query>
  </search>
<panel>

The depends statements would then hide/not execute the searches for systems that do not have data.

You could then have a catch all panel that does

search NOT (system=$system_1$ OR system=$system_2$...)

View solution in original post

danan5 · ‎02-10-2021

Thank you very much I will give that a try.

bowesmana · ‎02-10-2021

If each panel contains the same search, other than the system, then you could run a background search that determines the order and then assign a token to the first, second, third and so on, e.g. this works our the most frequent user in audit log and then creates a table of 'systems' of that user

index=_audit 
| top showperc=f user
| streamstats c
| eval system="system_".c
| table system user
| transpose 0 header_field=system

and then the <done> part of the search would be

<done>
  <set token="system_1">$result.system_1$</done>
  <set token="system_2">$result.system_2$</done>
  <set token="system_3">$result.system_3$</done>
  <set token="system_4">$result.system_4$</done>
  <set token="system_5">$result.system_5$</done>
  <set token="system_6">$result.system_6$</done>
  <set token="system_7">$result.system_7$</done>
  <set token="system_8">$result.system_8$</done>
  <set token="system_9">$result.system_9$</done>
  <set token="system_10">$result.system_10$</done>
</done>

The search in each panel would then have something like

Panel 1: search is <search> system=$system_1$

Panel 2: search is <search> system=$system_2$

and so on.

i.e. something like

<panel depends=$system_1$>
panel_type....
  <search depends=$system_1$>
    <query>
bla bla bla system=$system_1$
| stats count by bla
    </query>
  </search>
<panel>

The depends statements would then hide/not execute the searches for systems that do not have data.

You could then have a catch all panel that does

search NOT (system=$system_1$ OR system=$system_2$...)

dynamic ordering of panels in dashboard based on search results

javascript

other

panel

token

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!