Splunk Search

Search 1 dashboard panel - Search 2 dashboard panel = third dashboard panel difference between two searches.

pir8radio
Path Finder


Here is my first search:

index="signa_pool" name!="Pir8Radio"| stats sum(pendingBalanceNum)

The result of the above is: 595.3440

Here is my second search:

index="signum_node" | stats latest(guaranteedBalanceNQT) as PoolBal | eval PoolBal=round(PoolBal/100000000,4)

The result of the above is: 1,904.5167

I need the third dashboard panel to take 1,904.5167 - 595.3440 = 1,309.1727

MY QUESTION: How can I either create my end search that equals 1,309.1727 or how can I store previous search results as a variable to use in the third panel? I'm stuck lol, tried for about an hour, so any help would be greatly appreciated.

0 Karma

richgalloway
SplunkTrust

Add a <done> element to each of the first panels and have it set a token with the value calculated by each panel.  You may find it easier to use the AS clause of the stats command to save the value in a field with a simple name.  The third panel will use the two tokens to compute the final result.

Below is a rough untested idea of how to do it.

<row>
  <panel>
    <singleValue>
      <search>
        <query>index="signa_pool" name!="Pir8Radio"| stats sum(pendingBalanceNum) as Value1</query>
      </search>
      <done>
        <set token=Panel1Value>$result.Value1$</set>
      </done>
    </singleValue>
  </panel>
  <panel>
    <singleValue>
      <search>
        <query>index="signum_node" | stats latest(guaranteedBalanceNQT) as PoolBal | eval PoolBal=round(PoolBal/100000000,4)</query>
      </search>
      <done>
        <set token=Panel2Value>$result.PoolBal$</set>
      </done>
    </singleValue>
  </panel>
  <panel>
    <singleValue>
      <search>
        <query>| makeresults | eval Excess=$Panel2Value$ - $Panel1Value$</query>
      </search>
    </singleValue>
  </panel>
</row>

 

---
If this reply helps you, Karma would be appreciated.


pir8radio
Path Finder

Here is what I had to change, for anyone else looking: I had to add " " to the token=XXXX value, and had to put the <done> block within the <search> blocks. Thanks Rich.

 

  <row>
    <panel>
      <single>
        <title>Server Pending Payout</title>
        <search>
          <query>index="signa_pool" name!="Pir8Radio"|  stats sum(pendingBalanceNum) as PendingBalance</query>
          <earliest>-2m</earliest>
          <latest>now</latest>
          <done>
            <set token="Panel1Value">$result.PendingBalance$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0.000</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="unit">SIGNA</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Pool Account Balance</title>
        <search>
          <query>index="signum_node" | stats latest(guaranteedBalanceNQT) as PoolBal | eval PoolBal=round(PoolBal/100000000,4)</query>
          <earliest>-2m</earliest>
          <latest>now</latest>
          <done>
            <set token="Panel2Value">$result.PoolBal$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="height">114</option>
        <option name="numberPrecision">0.000</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="unit">SIGNA</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Pool Excess</title>
        <search>
          <query>| makeresults | eval Excess=$Panel2Value$ - $Panel1Value$</query>
          <earliest>-2m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="height">111</option>
        <option name="numberPrecision">0.000</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="unit">SIGNA</option>
      </single>
    </panel>
  </row>

0 Karma
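
An alternative to the token approach, as an added example that is not from either poster: the third panel can compute the difference in one self-contained search with appendcols, so it does not depend on the other two panels finishing first. Index, field and option names are taken from the posts above; the combined query and the choice to treat a missing pending balance as 0 are assumptions.

```xml
<panel>
  <!-- Added example: single search, no tokens from other panels -->
  <single>
    <title>Pool Excess</title>
    <search>
      <query>
        index="signum_node"
        | stats latest(guaranteedBalanceNQT) as PoolBal
        | eval PoolBal=round(PoolBal/100000000,4)
        | appendcols
            [ search index="signa_pool" name!="Pir8Radio"
              | stats sum(pendingBalanceNum) as PendingBalance ]
        | fillnull value=0 PendingBalance
        | eval Excess=PoolBal-PendingBalance
        | fields Excess
      </query>
      <!-- The subsearch inherits this time range -->
      <earliest>-2m</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">none</option>
    <option name="numberPrecision">0.000</option>
    <option name="unit">SIGNA</option>
  </single>
</panel>
```

If the node index returns no events in the time range, PoolBal is null and the panel shows no value rather than a misleading number.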