Solved: Re: Need to add Additional panel with total?

renuka · ‎06-01-2021

Hello

"Good Day"

I am trying to add the extra column for totals. If you observe above picture, I have four counts of domain and now i need one more column which gives sum of all the above columns and it should be seen in dashboard

I need to get output of field domain in this form
Can you please help me to find the solutions.

gcusello · ‎06-02-2021

Hi @renuka,

You have to create a Post Process Search containing your full search (without addcoltotals).

e.g.:

...
| stats count BY CRS_Domain

and in each panel call the base search adding an additional search filtering in each panel put a final filter, e.g. if your base search is called "basesearch", in the "V&V" panel you'll have:

<search base="basesearch">
     <query>
          | search CRS_Domain="V&V"
          | table count
     </query>
</search>

instead in the last panle (total), you have to add:

<search base="basesearch">
     <query>
          | addcoltotals labelfield=CRS_Domain label="Total"
          | search sourcetype=Total
          | table count
     </query>
</search>

If you want to better understand how Post process Search works see at https://docs.splunk.com/Documentation/Splunk/8.2.0/Viz/Savedsearches#Post-process_searches_2 or see the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

Ciao.

Giuseppe

View solution in original post

gcusello · ‎06-01-2021

Hi @renuka,

the searches of the panels, are similar or all different?

because it isn't possible to pass a token from a panel to another without drilldown,

so in the total panel you have to use a search that gives all the values to sum.

So if they are similar, you could create a post process search and put in each panel the value.

Ciao.

Giuseppe

renuka · ‎06-02-2021

@gcusello
They are similar

I tried adding addcoltotals which actually giving me the sum of all the above but in visualizaton i couldn't display all four value count and total

gcusello · ‎06-02-2021

Hi @renuka,

You have to create a Post Process Search containing your full search (without addcoltotals).

e.g.:

...
| stats count BY CRS_Domain

and in each panel call the base search adding an additional search filtering in each panel put a final filter, e.g. if your base search is called "basesearch", in the "V&V" panel you'll have:

<search base="basesearch">
     <query>
          | search CRS_Domain="V&V"
          | table count
     </query>
</search>

instead in the last panle (total), you have to add:

<search base="basesearch">
     <query>
          | addcoltotals labelfield=CRS_Domain label="Total"
          | search sourcetype=Total
          | table count
     </query>
</search>

If you want to better understand how Post process Search works see at https://docs.splunk.com/Documentation/Splunk/8.2.0/Viz/Savedsearches#Post-process_searches_2 or see the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

Ciao.

Giuseppe

renuka · ‎06-02-2021

@gcusello

Thank you for helping

gcusello · ‎06-02-2021

Hi @renuka,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Need to add Additional panel with total?

stats

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases