Hello,
I have a dashboard with 5 different searches, each of which has a common (calculated) field (let's call it a score field) that I would like to extract. I would like to sum all the score fields in order to have a total score, and then the average score.
Is that possible? And how?
Thank you very much for your help.
Within the scope of a dashboard, you could have each search populate a token $score_1$, $score_2$, etc. and then merge the five tokens into one overall score token. That score token can then be displayed in an HTML panel or wherever you like.
Docs for setting the individual score tokens: http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/EventHandlerReference#done
Working example:
```xml
<dashboard>
  <label>score</label>
  <row>
    <panel>
      <!-- Search 1: its <done> handler publishes the count as token score_1 -->
      <table>
        <search>
          <query>index=_internal | stats count</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <set token="score_1">$result.count$</set>
          </done>
        </search>
      </table>
      <!-- Search 2: same pattern, publishes token score_2 -->
      <table>
        <search>
          <query>index=_audit | stats count</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <set token="score_2">$result.count$</set>
          </done>
        </search>
      </table>
      <!-- Merge panel: the tokens are substituted into the SPL before it runs -->
      <table>
        <search>
          <query>| makeresults | eval score = $score_1$ + $score_2$</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```
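Extending the answer above to the asker's five searches, with the average as well as the total, as an added example that is not part of the original answer. The five queries are constructed stand-ins for the real scored searches; they are global `<search>` elements so that no panel is needed per search, and the result panel carries `depends` so its SPL is not built until all five tokens are set (an unset token is otherwise substituted as the literal text `$score_n$`, which breaks the `eval`).

```xml
<dashboard>
  <label>score (5 searches, total and average)</label>
  <!-- Global searches: each runs once and publishes its stats count as a token.
       The queries below are constructed placeholders for the asker's five searches. -->
  <search id="s1">
    <query>index=_internal sourcetype=splunkd | stats count</query>
    <earliest>-15m</earliest><latest>now</latest>
    <done><set token="score_1">$result.count$</set></done>
  </search>
  <search id="s2">
    <query>index=_audit | stats count</query>
    <earliest>-15m</earliest><latest>now</latest>
    <done><set token="score_2">$result.count$</set></done>
  </search>
  <search id="s3">
    <query>index=_internal sourcetype=splunkd_access | stats count</query>
    <earliest>-15m</earliest><latest>now</latest>
    <done><set token="score_3">$result.count$</set></done>
  </search>
  <search id="s4">
    <query>index=_internal sourcetype=scheduler | stats count</query>
    <earliest>-15m</earliest><latest>now</latest>
    <done><set token="score_4">$result.count$</set></done>
  </search>
  <search id="s5">
    <query>index=_introspection | stats count</query>
    <earliest>-15m</earliest><latest>now</latest>
    <done><set token="score_5">$result.count$</set></done>
  </search>
  <row>
    <!-- depends: render (and run) this panel only once every token exists.
         Tokens are pasted verbatim into SPL, so only feed them from values
         the dashboard itself produced, as the stats counts above are. -->
    <panel depends="$score_1$,$score_2$,$score_3$,$score_4$,$score_5$">
      <table>
        <search>
          <query>| makeresults
| eval total = $score_1$ + $score_2$ + $score_3$ + $score_4$ + $score_5$
| eval average = round(total / 5, 2)
| table total average</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Replace each placeholder query with the real search and `| stats sum(score) as count` (or whatever produces the per-search score) so that `$result.count$` carries that value into the token.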