- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Compare 2 queries in a dashboard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Compare 2 queries in a dashboard
hello All,
I have created a dashboard with two panels. The first panel runs a search (query below) for time-window-1 and the second panel runs the same search for time-windows-2. Both the time windows are customizable on the dashboard and passed as parameters to the query as shown below.
index=dev sourcetype!=warn component AND errormessage earliest=$field1.earliest$ latest=$field1.latest$ | dedup errormessage,component
Currently each panel displays the unique results in the respective time window.
I want the dashboard to compare the results of time-window-1 and time-window-2 and display :
1. The unique results that are present in time-window-1 and NOT in time-window-2
2. The unique results that are present in time-window-2 and NOT in time-window-1
Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the source for the dashboard.
<form>
<label>test-1</label>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="time" token="field2">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>time-window-1</title>
<event>
<search>
<query>index=dev sourcetype!=warn component AND errormessage earliest=$field1.earliest$ latest=$field1.latest$ | dedup errormessage,component</query>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="list.drilldown">none</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.sortDirection">asc</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
</event>
</panel>
<panel>
<title>time-window-2</title>
<event>
<search>
<query>index=dev sourcetype!=warn component AND errormessage earliest=$field2.earliest$ latest=$field2.latest$ | dedup errormessage,component</query>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="list.drilldown">none</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.sortDirection">asc</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
</event>
</panel>
</row>
</form>
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
