Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get the exact row from a results table to use for other panel searches in the same dashboard?

belladonna
New Member
‎06-16-2016 02:36 AM

Hello!

I want to make an error monitoring dashboard. I want to have a table with (operation| okOperations/allOperations) and 4 timechart panels with top-error operations, that work dynamically.

For the first table I have a search

index=prt result=*
| eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation 
| eval ratio=1-okOp/totalOp|stats max(ratio) as ratio by operation | sort 3 -ratio

It returns result table 

<table>
    <tr>
        <td>operation</td>
        <td>result</td>
    </tr>
    <tr>
        <td>check</td>
        <td>1</td>
    </tr>
    <tr>
        <td>search</td>
        <td>0. 2</td>
    </tr>
    <tr>
        <td>buy</td>
        <td>0.2</td>
    </tr>
</table>

Now I want to use operations names in 3 new searches (for 3 panels) like this:
|rownum = 1 |timechart count(operation) by result

|rownum = 2 |timechart count(operation) by result

|rownum = 3 |timechart count(operation) by result

I don't want to use | streamstats count as rownum, because it works very slowly. How can I make a search for panels?
It will be good to use hidden search and then reuse its results in panels.

0 Karma
Reply

sundareshr
Legend
‎06-16-2016 05:57 AM

Like this

*For the first row*

 ... | head 1

*For the second row*

... | head 2 | tail | head 1

**** For the third row****

... | tail 1
0 Karma
Reply

spunk_enthusias
Path Finder
‎01-20-2023 04:21 AM

Is there really no better way than this?

0 Karma
Reply

belladonna
New Member
‎06-17-2016 04:06 AM 
 index=prt result=*
 | eventstats c(eval(result!="")) as totalOp c(eval(result="OK")) as okOp by operation 
 | eval ratio=1-okOp/totalOp|stats max(ratio) as ratio by operation | sort 3 -ratio| head 1|timechart count(operation) by result

doesn't return anything

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...