Show all panels output to single panel in a dashboard

Explorer

Hi Splunkers,

I have 6 panels in my dashboard, and all the panels have a different underlying query, but the output fields in the panel stats table are the same and the results in all the panels look like the sample table below.

I want to club all the results into a single panel/table at the end. So I just want to display one panel which contains the results from all the other panels.

Thank you.

user   action   time     object   group     difference   modifier
zbc    xyz      10-Sep   hddh     dj-dhdh   6            jhyy
dhdh   cnnc     10-Sep   fhfhf    jjj-ggg   8            gg

0 Karma
1 Solution

Contributor

Hi,
I assume that you just want one final table in your dashboard and not 6 sub-tables plus one final. Nevertheless, the approach to solve this question is the same. What I suggest is to cascade the searches:

<dashboard>
  <label>Test Dashboard</label>
  <!-- First search in the chain: generates the first sample row -->
  <search id="result1">
    <query>
      | makeresults | eval user="zbc" | eval action="xyz" | eval time="10-Sep" | eval object="hddh" | eval difference="1"
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <!-- Chained on result1: appends a second sample row -->
  <search id="result2" base="result1">
    <query>
      | append [ | makeresults | eval user="zyy" | eval action="Qyz" | eval time="11-Sep" | eval object="hddh" | eval difference="2" ]
    </query>
  </search>
  <!-- Chained on result2: appends a third sample row -->
  <search id="result3" base="result2">
    <query>
      | append [ | makeresults | eval user="zyty" | eval action="QQyz" | eval time="12-Sep" | eval object="hddh" | eval difference="3" ]
    </query>
  </search>
  <row>
    <panel>
      <table>
        <title>Result Table</title>
        <!-- The single panel renders the output of the last search in the chain -->
        <search base="result3">
          <query>| table *</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>

This executes the searches sequentially and appends the results.
Hope it helps.
Oliver

0 Karma

Esteemed Legend

Do it like this:

Your Search Here with all stuff combined
| multireport
[ stats some stuff here]
...
[ stats other stuff here]
0 Karma

Contributor

Hi woodcock, do you refer to multisearch?

0 Karma

Explorer

I tried but am not able to see any results being generated. Can you please provide sample run-anywhere code? Thank you.

0 Karma

Contributor

Please create an empty dashboard, edit source and paste the code that I've inserted above.
Oliver

0 Karma

Explorer

Thanks for the update, but the export option for the result table panel is disabled. How do I enable it and download the CSV file?

0 Karma

Contributor

It is a known bug when using the base search feature. Please take a look at the "base-search" feature documentation. You can always press "Open in Search". Once you have opened it in a new search window, you can export to CSV. Alternatively, you could use the outputcsv command: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Outputcsv

0 Karma

SplunkTrust

@kranthimutyala could you add more details as to why you have six different panels for similar results? What is the difference between each of the 6 different panels?

Also for the community to assist you better if you can provide your current SPL and sample data output for each of the six panels that would be great.

Please mock/anonymize any sensitive information before posting on Splunk Answers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma