Solved: Re: dynamic ordering of panels in dashboard based ...

danan5 · ‎02-10-2021

Hi,

Not sure this is possible but. . . .If I have a series of panels on a dashboard and each presents a series of metrics. Is it possible to change the order of the panels based on a search result?

Another way to explain it, if each panel represents one of many systems and I would like the system with the lowest metric to be presented first/top.

Thanks,

David

bowesmana · ‎02-10-2021

If each panel contains the same search, other than the system, then you could run a background search that determines the order and then assign a token to the first, second, third and so on, e.g. this works our the most frequent user in audit log and then creates a table of 'systems' of that user

index=_audit 
| top showperc=f user
| streamstats c
| eval system="system_".c
| table system user
| transpose 0 header_field=system

and then the <done> part of the search would be

<done>
  <set token="system_1">$result.system_1$</done>
  <set token="system_2">$result.system_2$</done>
  <set token="system_3">$result.system_3$</done>
  <set token="system_4">$result.system_4$</done>
  <set token="system_5">$result.system_5$</done>
  <set token="system_6">$result.system_6$</done>
  <set token="system_7">$result.system_7$</done>
  <set token="system_8">$result.system_8$</done>
  <set token="system_9">$result.system_9$</done>
  <set token="system_10">$result.system_10$</done>
</done>

The search in each panel would then have something like

Panel 1: search is <search> system=$system_1$

Panel 2: search is <search> system=$system_2$

and so on.

i.e. something like

<panel depends=$system_1$>
panel_type....
  <search depends=$system_1$>
    <query>
bla bla bla system=$system_1$
| stats count by bla
    </query>
  </search>
<panel>

The depends statements would then hide/not execute the searches for systems that do not have data.

You could then have a catch all panel that does

search NOT (system=$system_1$ OR system=$system_2$...)

View solution in original post

danan5 · ‎02-10-2021

Thank you very much I will give that a try.

bowesmana · ‎02-10-2021

If each panel contains the same search, other than the system, then you could run a background search that determines the order and then assign a token to the first, second, third and so on, e.g. this works our the most frequent user in audit log and then creates a table of 'systems' of that user

index=_audit 
| top showperc=f user
| streamstats c
| eval system="system_".c
| table system user
| transpose 0 header_field=system

and then the <done> part of the search would be

<done>
  <set token="system_1">$result.system_1$</done>
  <set token="system_2">$result.system_2$</done>
  <set token="system_3">$result.system_3$</done>
  <set token="system_4">$result.system_4$</done>
  <set token="system_5">$result.system_5$</done>
  <set token="system_6">$result.system_6$</done>
  <set token="system_7">$result.system_7$</done>
  <set token="system_8">$result.system_8$</done>
  <set token="system_9">$result.system_9$</done>
  <set token="system_10">$result.system_10$</done>
</done>

The search in each panel would then have something like

Panel 1: search is <search> system=$system_1$

Panel 2: search is <search> system=$system_2$

and so on.

i.e. something like

<panel depends=$system_1$>
panel_type....
  <search depends=$system_1$>
    <query>
bla bla bla system=$system_1$
| stats count by bla
    </query>
  </search>
<panel>

The depends statements would then hide/not execute the searches for systems that do not have data.

You could then have a catch all panel that does

search NOT (system=$system_1$ OR system=$system_2$...)

dynamic ordering of panels in dashboard based on search results

javascript

panel

token

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?