Solved: Search 1 dashboard panel - Search 2 dashboard pane...

pir8radio · ‎08-14-2021

Search 1 dashboard panel - Search 2 dashboard panel = third dashboard panel difference between two searches.

Here is my first search:

index="signa_pool" name!="Pir8Radio"| stats sum(pendingBalanceNum)

The result of the above is : 595.3440

Here is my second search:

index="signum_node" | stats latest(guaranteedBalanceNQT) as PoolBal | eval PoolBal=round(PoolBal/100000000,4)

The result of the above is: 1,904.5167

I need the third dashboard panel to take 1,904.5167 - 595.3440 = 1,309.1727

MY QUESTION: How can I either create my end search that equals 1,309.1727 or how can i store previous search results as a variable to use in the third panel? I'm stuck lol, tried for about an hour, so any help would be greatly appreciated.

richgalloway · ‎08-14-2021

Add a <done> element to each of the first panels and have it set a token with the value calculated by each panel. You may find it easier to use the AS clause of the stats command to save the value in a field with a simple name. The third panel will use the two tokens to compute the final result.

Below is a rough untested idea of how to do it.

<row>
  <panel>
    <singleValue>
      <search>
        <query>index="signa_pool" name!="Pir8Radio"| stats sum(pendingBalanceNum) as Value1</query>
      </search>
      <done>
        <set token=Panel1Value>$result.Value1$</set>
      </done>
    </singleValue>
  </panel>
  <panel>
    <singleValue>
      <search>
        <query>index="signum_node" | stats latest(guaranteedBalanceNQT) as PoolBal | eval PoolBal=round(PoolBal/100000000,4)</query>
      </search>
      <done>
        <set token=Panel2Value>$result.PoolBal$</set>
      </done>
    </singleValue>
  </panel>
  <panel>
    <singleValue>
      <search>
        <query>| makeresults | eval Excess=$Panel2Value$ - $Panel1Value$</query>
      </search>
    </singleValue>
  </panel>
</row>

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-14-2021

Add a <done> element to each of the first panels and have it set a token with the value calculated by each panel. You may find it easier to use the AS clause of the stats command to save the value in a field with a simple name. The third panel will use the two tokens to compute the final result.

Below is a rough untested idea of how to do it.

<row>
  <panel>
    <singleValue>
      <search>
        <query>index="signa_pool" name!="Pir8Radio"| stats sum(pendingBalanceNum) as Value1</query>
      </search>
      <done>
        <set token=Panel1Value>$result.Value1$</set>
      </done>
    </singleValue>
  </panel>
  <panel>
    <singleValue>
      <search>
        <query>index="signum_node" | stats latest(guaranteedBalanceNQT) as PoolBal | eval PoolBal=round(PoolBal/100000000,4)</query>
      </search>
      <done>
        <set token=Panel2Value>$result.PoolBal$</set>
      </done>
    </singleValue>
  </panel>
  <panel>
    <singleValue>
      <search>
        <query>| makeresults | eval Excess=$Panel2Value$ - $Panel1Value$</query>
      </search>
    </singleValue>
  </panel>
</row>

---
If this reply helps you, Karma would be appreciated.

pir8radio · ‎08-14-2021

Here is what I had to change for anyone else looking, had to add " " to the token=XXXX value, and had to put the <done> block within the <search> blocks. Thanks Rich.

  <row>
    <panel>
      <single>
        <title>Server Pending Payout</title>
        <search>
          <query>index="signa_pool" name!="Pir8Radio"|  stats sum(pendingBalanceNum) as PendingBalance</query>
          <earliest>-2m</earliest>
          <latest>now</latest>
          <done>
            <set token="Panel1Value">$result.PendingBalance$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0.000</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="unit">SIGNA</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Pool Account Balance</title>
        <search>
          <query>index="signum_node" | stats latest(guaranteedBalanceNQT) as PoolBal | eval PoolBal=round(PoolBal/100000000,4)</query>
          <earliest>-2m</earliest>
          <latest>now</latest>
          <done>
            <set token="Panel2Value">$result.PoolBal$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="height">114</option>
        <option name="numberPrecision">0.000</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="unit">SIGNA</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Pool Excess</title>
        <search>
          <query>| makeresults | eval Excess=$Panel2Value$ - $Panel1Value$</query>
          <earliest>-2m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="height">111</option>
        <option name="numberPrecision">0.000</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="unit">SIGNA</option>
      </single>
    </panel>
  </row>
  <row>

Search 1 dashboard panel - Search 2 dashboard panel = third dashboard panel difference between two searches.

other

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk