Splunk Search

How to display 3 separate search results on one dashboard?

Explorer

For Example:
Suppose you have 3 numbers from search results: 1,000 2,000 and 3,000.

I want to be able to display 3,000-2,000 in a new panel with a new label. I was thinking perhaps append? I am somewhat new to Splunk.

Thanks again!

1 Solution

Explorer

Solved!

I tried to send this yesterday but splunk says I don't have enough reputation to post more than twice per day 😛

My solution for combining the three time specific (relative to current time) searches into one was to use the in-search time selection syntax to override the timepicker for each separate search and to link them together with sub searches. Then for each sub search instead of trying to eval the results like this:

 | eval diff=([a search] - [b sub search])

I appendcol'ed to my first search so that I could get them all in one table in the same row and three separate columns like this:

index=main earliest=now latest=+1hr | eval A=*data for A* | stats first(A)
| appendcols [search    
index=main earliest=@h latest=now | eval B=*data for B* | return $B ]
| eval C=('first(A)'-search) | table C

This also has the eval tacked onto the end to find the difference between event A and event B.

Thanks for your time and responses!

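One way to get the three numbers onto one dashboard, as an added example that is not code from the original post: a Simple XML dashboard with a single base search that produces A, B and C=B-A in the same row (so the eval works without appendcols or a subsearch), and three panels that post-process that one result set. It uses index=main from the thread; sourcetype=linux_secure and the field action=failure (failed SSH logons) are assumptions, so change the base search to match your own data.

```xml
<dashboard>
  <!-- Added example (not from the original post). Assumes index=main holds sshd
       logs with sourcetype=linux_secure and a field action=failure for failed
       logons; adjust the base search to your own data. -->
  <label>Failed logons: last full hour vs the hour before</label>

  <!-- One base search computes all three numbers in the same row, so the
       eval that subtracts them works without appendcols or a subsearch. -->
  <search id="base">
    <query>index=main sourcetype=linux_secure action=failure
| eval window=if(_time &gt;= relative_time(now(), "-1h@h"), "B", "A")
| stats count(eval(window="A")) AS A count(eval(window="B")) AS B
| eval C=B-A
| table A B C</query>
    <!-- Fixed window that overrides the time picker: two full hours ending
         at the top of the current hour. A = the earlier hour, B = the later. -->
    <earliest>-2h@h</earliest>
    <latest>@h</latest>
  </search>

  <row>
    <panel>
      <title>Failed logons, two hours ago (A)</title>
      <single>
        <search base="base">
          <query>| fields A</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Failed logons, last full hour (B)</title>
      <single>
        <search base="base">
          <query>| fields B</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Change hour over hour (B - A)</title>
      <single>
        <search base="base">
          <query>| fields C</query>
        </search>
        <!-- Colour the delta: green when failures dropped or held, red when they rose. -->
        <option name="colorBy">value</option>
        <option name="useColors">1</option>
        <option name="rangeValues">[0]</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
      </single>
    </panel>
  </row>
</dashboard>
```

Because the three panels post-process one base search, the dashboard runs a single search and the panels can never disagree about which events they counted. Note that `count(eval(...))` in stats requires the `AS` clause, and that `>=` inside the XML query element is written as `&gt;=`.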


Esteemed Legend

Make sure you click Accept on your answer.


Esteemed Legend

Post a minimal set of raw events, your base search and intermediate output, then a mockup of your desired output.


SplunkTrust

Do you get all 3 numbers from a single search? Do you get them in same row OR separate rows?


Explorer

I've modified it so that I can get them in the same search and I only have to do two at a time. So I think my question has somewhat changed. They're in different columns and different rows of a table now and I'd like to make a third result that is the difference between the two. I was thinking an eval like such:

| eval diff=(A-B) but no dice here

On a side note it would still be interesting if it could be done as separate searches. So if you know how to do that, that'd be great!


SplunkTrust

It will be helpful if you can post your current search. The regular eval diff only works if the columns are in the same row.
