Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add multiple duration from multiple indepen...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smhsplunk
Communicator
10-12-2016
04:53 PM
So I am running multiple single valued transactions and putting the values in eval keywords, but I want to add all these new values to get the total value (duration1+duration2+....) and show it in another panel. Here is my following transactions I am running. They are all run separate inside a single row
index=main host=host1 | transaction startswith="keyword1" endswith="keyword1_ending" | eval keyword1_duration = duration | stats sum(keyword1_duration)
index=main host=host1 | transaction startswith="keyword2" endswith="keyword2_ending" | eval keyword2_duration = duration | stats sum(keyword2_duration)
how do I add these values ? Do I have to define a token on each block to use that value across panels ?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-12-2016
08:28 PM
If you're using Splunk 6.3 and above, something like this would work. (Update the queries accourdingly). (Run Anywhere sample)
<dashboard>
<label>PanelsWithTokenAdd</label>
<row>
<panel>
<single>
<title>Sourcetype count</title>
<search>
<query>index=_internal | stats dc(sourcetype) as sourcetypes</query>
<earliest>@d</earliest>
<latest>now</latest>
<done>
<set token="sourcetypes">$result.sourcetypes$</set>
</done>
</search>
</single>
</panel>
<panel>
<single>
<title>Sources</title>
<search>
<query>index=_internal | stats dc(source) as sources</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<done>
<set token="sources">$result.sources$</set>
</done>
</search>
</single>
</panel>
<panel>
<single>
<title>Sourcetypes + Source</title>
<search>
<query>| gentimes start=-1 | eval sourcetypes="$sourcetypes$" | eval sources="$sources$" | eval all=sourcetypes+sources | table all</query>
<earliest>@d</earliest>
<latest>now</latest>
</search>
</single>
</panel>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-12-2016
08:28 PM
If you're using Splunk 6.3 and above, something like this would work. (Update the queries accourdingly). (Run Anywhere sample)
<dashboard>
<label>PanelsWithTokenAdd</label>
<row>
<panel>
<single>
<title>Sourcetype count</title>
<search>
<query>index=_internal | stats dc(sourcetype) as sourcetypes</query>
<earliest>@d</earliest>
<latest>now</latest>
<done>
<set token="sourcetypes">$result.sourcetypes$</set>
</done>
</search>
</single>
</panel>
<panel>
<single>
<title>Sources</title>
<search>
<query>index=_internal | stats dc(source) as sources</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<done>
<set token="sources">$result.sources$</set>
</done>
</search>
</single>
</panel>
<panel>
<single>
<title>Sourcetypes + Source</title>
<search>
<query>| gentimes start=-1 | eval sourcetypes="$sourcetypes$" | eval sources="$sources$" | eval all=sourcetypes+sources | table all</query>
<earliest>@d</earliest>
<latest>now</latest>
</search>
</single>
</panel>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smhsplunk
Communicator
10-13-2016
10:19 AM
Great this works! How do I put default value of tokens to zero ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-13-2016
11:13 AM
Try replacing | eval all=sourcetypes+sources with | eval all=coalesce(sourcetypes+sources,0) in 3rd panel search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-12-2016
05:17 PM
Can an event have more than one keyword (start or end)?
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
