Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

For top 10 values, I need a dashboard/search for each value separately. Can this be done dynamically?

rubeniturrieta
Communicator
‎11-05-2014 12:57 PM

Hello

I have a table with the top 10 values for an ip sorted by occurrence. 

Place ip count
1 ip1 100
2 ip2 90
3 ip3 80
4 ip4 70
5 ip5 60 
6 ip6 50
7 ip7 40 
8 ip8 30 
9 ip9 20
10 ip10 10

But now, i need a dashboard for each value separately:

A search only for the first ip, another search only for the second ip, and so on. How can I do this dynamically? . Do you know some function to have something like this:

function(1) = ip1 (the max value)
function(2) = ip2 (the second max value)
function(3) = ip3 (the third max value)

I'll ve very grateful for your answer

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-05-2014 05:27 PM

As @martin_mueller said, Something like should work for you

App name- search
dashboard1.xml

<dashboard>
  <label>Dashboard1</label>
  <row>
    <panel>
      <table>
        <searchString>index=_internal | stats count by sourcetype |  sort - count | eval Place=1 | accum Place | table Place sourcetype count
        </searchString>
    <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
        <drilldown target="My New Window">
          <link>/app/search/dashboard2?sourcetype=$row.sourcetype$</link>
        </drilldown>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>


dashboard2.xml

<dashboard>
  <label>Dashboard2</label>
  <row>
    <panel>
      <table>
        <title>Showing data for  $sourcetype$</title>
        <searchString>index=_internal sourcetype=$sourcetype$ | stats count by sourcetype        
    </searchString>
    <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-05-2014 05:27 PM

As @martin_mueller said, Something like should work for you

App name- search
dashboard1.xml

<dashboard>
  <label>Dashboard1</label>
  <row>
    <panel>
      <table>
        <searchString>index=_internal | stats count by sourcetype |  sort - count | eval Place=1 | accum Place | table Place sourcetype count
        </searchString>
    <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
        <drilldown target="My New Window">
          <link>/app/search/dashboard2?sourcetype=$row.sourcetype$</link>
        </drilldown>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>


dashboard2.xml

<dashboard>
  <label>Dashboard2</label>
  <row>
    <panel>
      <table>
        <title>Showing data for  $sourcetype$</title>
        <searchString>index=_internal sourcetype=$sourcetype$ | stats count by sourcetype        
    </searchString>
    <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>
Reply
Solved! Jump to solution

rubeniturrieta
Communicator
‎11-06-2014 04:14 AM

@somesoni2 , @martin_mueller , thanks you so much, it worked!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-05-2014 03:44 PM

For example, you could create a dashboard with a dropdown input at the top, define its populating search as that top10 search, have the user select what value he wants to see, and set that value as a token in the dashboard's search.

That way you don't need ten dashboards that do basically the same thing. Here's a quick intro: http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/FormEditor

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...