Hi everybody,
I am creating a Dashboard using Splunk and I'm searching for a solution.
I have a list of machines by type from an Excel file.
I have a dbxquery to get the data for each machine from the DB; then, using a lookup, I can now get the count of events by type.
What I want to do next is add drilldowns to the dashboard to distinguish the types, based on the number of machines. For example: if there are < 50 machines, the type will be listed in drilldown 1; if > 50, the types will be listed in drilldown 2.
The reason for separating them into 2 groups is that I want to set the timechart span differently: span=1h for drilldown 1 and span=2h for drilldown 2.
Here is my script:
|dbxquery connection="server" query="SELECT *
FROM table "
|lookup lookup.csv numero OUTPUT type
|eval _time=strptime(time_receive,"%Y-%m-%dT%H:%M:%S.%N")
|timechart span=2h count by type
| untable _time type count_event
| makecontinuous
| fillnull value=0
| where count_event = 0
| sort - _time
Can I do something in the search, like: if I click on drilldown 1, I'll run the search with span=1h, and when I choose from drilldown 2, I'll run the search with span=2h?
I also want to have an ALL option in each drilldown.
Do you have any idea?
Thanks,
Julia
The dashboard below should give you an idea of how you can do the two drop downs.
There still needs to be some tweaking to allow "all" as a selectable item.
I did try to do something where you can change the "span" based on the dropdown chosen, but it is trickier than I thought and will probably need some tokens to be set in the XML of the dashboard itself.
<form version="1.1">
  <label>test community dash</label>
  <!-- Base search: generates sample data and counts machines per type -->
  <search id="base1">
    <query>| makeresults count=100 | streamstats count | eval type=case(count&lt;20,"type1",count&gt;19 AND count&lt;50,"type2",1=1,"type3")
| stats count as machine_count by type</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="false">
    <!-- Dropdown 1: types with fewer than 30 machines -->
    <input type="dropdown" token="type_less_than_30">
      <label>Type: Machine Count &lt;30</label>
      <fieldForLabel>type</fieldForLabel>
      <fieldForValue>type</fieldForValue>
      <search base="base1">
        <query>| where machine_count&lt;30</query>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
      <!--<suffix>:::1h</suffix>-->
    </input>
    <!-- Dropdown 2: types with 30 or more machines -->
    <input type="dropdown" token="type_greater_than_30">
      <label>Type: Machine Count &gt;30</label>
      <fieldForLabel>type</fieldForLabel>
      <fieldForValue>type</fieldForValue>
      <search base="base1">
        <query>| where machine_count&gt;=30</query>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
      <!--<suffix>:::2h</suffix>-->
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Uses dropdown 2's value unless it is "*", otherwise dropdown 1's value -->
        <search>
          <query>| makeresults count=100 | streamstats count | eval type=case(count&lt;20,"type1",count&gt;19 AND count&lt;50,"type2",1=1,"type3")
| stats count as machine_count by type | eval less_than_30_type="$type_less_than_30$" | eval greater_than_30_type="$type_greater_than_30$" | eval type_selected=if(match(greater_than_30_type,"\*"),less_than_30_type,greater_than_30_type) | where type=type_selected</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
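One way to drive the span from whichever dropdown was used last, as an added example that is not part of the original posts: each dropdown's `<change>` handler sets a shared type filter and a span token, and the panel reads both. The token names `type_tok`, `span_tok`, `small_types` and `large_types` are assumptions, and the sample data and the threshold of 30 follow the answer above. Here "All" matches every type, not only the types in that dropdown's group.

```xml
<form version="1.1">
  <label>span per dropdown (added example)</label>
  <!-- Constructed sample data: 100 events, 10 minutes apart, three types. init sets the starting tokens. -->
  <search id="base1">
    <query>| makeresults count=100 | streamstats count | eval _time=now()-count*600
| eval type=case(count&lt;20,"type1",count&lt;50,"type2",1=1,"type3") | fields _time type</query>
  </search>
  <init>
    <set token="type_tok">*</set>
    <set token="span_tok">1h</set>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="small_types">
      <label>Type: Machine Count &lt;30</label>
      <fieldForLabel>type</fieldForLabel>
      <fieldForValue>type</fieldForValue>
      <search base="base1">
        <query>| stats count as machine_count by type | where machine_count&lt;30</query>
      </search>
      <choice value="*">All</choice>
      <change>
        <set token="type_tok">$value$</set>
        <set token="span_tok">1h</set>
      </change>
    </input>
    <input type="dropdown" token="large_types">
      <label>Type: Machine Count &gt;=30</label>
      <fieldForLabel>type</fieldForLabel>
      <fieldForValue>type</fieldForValue>
      <search base="base1">
        <query>| stats count as machine_count by type | where machine_count&gt;=30</query>
      </search>
      <choice value="*">All</choice>
      <change>
        <set token="type_tok">$value$</set>
        <set token="span_tok">2h</set>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search base="base1">
          <query>| search type="$type_tok$" | timechart span=$span_tok$ count by type</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```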
Hi Julia,
Yes I think you can do both of these things.
Can you clarify for me if the search you provided will be part of a dashboard panel, or if this search is what sits behind the dropdown(s)?