Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display timechart by adding values from other panels

balash1979
Path Finder
‎08-03-2019 10:33 PM

I have 3 panels. Each panel runs a query and displays the result in timechart. This works fine.
Now , I would like to add a 4th panel and display the results from the first 3 panel queries in timechart. How can I achieve that ?
I dont want to run the queries again in the 4th panel. Just need to do display the total time = time1+time2+time3.

<row>
<panel>
  <title>First panel</title>
  <chart>
    <search>
      <query> <<some_query>> |  timechart avg(time1) </query>
     </search>
  </chart>
</panel>
</row>

<row>
<panel>
  <title>Second panel</title>
  <chart>
    <search>
      <query> <<some_query>> | timechart avg(time2) </query>
     </search>
   </chart>
</panel>
</row>


<row>
<panel>
  <title>Third panel</title>
  <chart>
    <search>
      <query> <<some_query>> | timechart avg(time3) </query>
     </search>
  </chart>
</panel>
</row>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎08-04-2019 12:47 AM

Hi @balash1979, You're looking for total time as a timechart as well ? The sum of averages doesn't really make sense does it ? What exactly are you trying to achieve and why don't you simply put the three charts and the total on the same panel ?

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-04-2019 07:40 AM

@balash1979 if your three searches are correlated then run a base search with results for three panel and then perform post processing to display individual series as per your needs. Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Examples_2

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

arjunpkishore5
Motivator
‎08-04-2019 07:32 AM

Why do you not want to run the queries again? IF it is for performance, I would suggest collecting the results to a summary index and running your fourth query against the summary index.

Another solution is to save your queries as a saved search which returns time1, time2, time3 or total based on a parameter.

0 Karma
Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎08-04-2019 12:47 AM

Hi @balash1979, You're looking for total time as a timechart as well ? The sum of averages doesn't really make sense does it ? What exactly are you trying to achieve and why don't you simply put the three charts and the total on the same panel ?

0 Karma
Reply
Solved! Jump to solution

balash1979
Path Finder
‎08-04-2019 07:16 AM

I have a product use case in which each panel is built to provide average times. But the overall start to end time is calculated based by adding all the 3 different times and hence i am adding the averages.

If I have all the 3 queries in the same panel and show the total, how can i accomplish that ?

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎08-04-2019 07:22 AM

You can appendcols multiple time charts and then simply use addtotals as @Sukisen1981 said.

To append time charts have a look here :
https://answers.splunk.com/answers/7556/timechart-how-do-i-combine-these-two-charts-into-one.html

Let me know if that works for you!

0 Karma
Reply
Solved! Jump to solution

balash1979
Path Finder
‎08-04-2019 07:49 AM

Thanks that works.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎08-04-2019 09:48 AM

Awesome ! I changed this to an answer, please up-vote and accept it 🙂

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎08-04-2019 01:31 AM

hi @balash1979

Same question as @DavidHourani - Isnt having 1 panel with all 3 times and a addtotals to sum up the times a better option? In case your use case demands separation of the panels and you want a 4th panel displaying total times, the best way is to still write all 3 queries, do a addtotals and then display only the totals in a single panel.
You say - 'I dont want to run the queries again in the 4th panel' , any reason? If you are worried about query execution time or performance and your base queries are taking long to load, it does not matter whether you have a 4th panel or not, the dashboard will still be slow. Can you please clarify?

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...