
Pardon me if someone has already asked this question, but since I haven't found a satisfactory answer, I am posting this query.

I am a beginner in Splunk. I just wanted to know if what I am trying to do is feasible or not.

I am trying to make a Splunk dashboard that has 3 panels. I want to pass the result of one panel to another, where it can be used in the query. Simply put, I want to find the count of an event: first month-wise over a year (span=1mon). Then select the month with the highest count and find the count day-wise (span=1d) for that month. From this month I want to select the day with the highest count and then find the hour (span=1h) with the highest event count. Right now I am doing this whole process manually.

  1. Find Month with max event count -> max_month
  2. Find Day with max event count from the max_month -> max_day
  3. Find Hour with max event count from max_day

Is it possible to automate this process using a dashboard, where it can automatically select the max month, day and hour?

I tried using a nested query but wasn't able to make any significant progress.

Ashwini
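The three manual steps above (peak month, then peak day inside it, then peak hour inside that day) can be collapsed into one SPL search. This is an added example, not part of the question or of the answer; it assumes an index named `web` (hypothetical) and looks at the last twelve complete months. Counting once at hourly granularity and rolling the counts up with `eventstats` means the index is scanned a single time, and the hierarchical sort picks the peak hour of the peak day of the peak month without any subsearch:

```spl
index=web earliest=-12mon@mon latest=@mon
| bin _time span=1h
| stats count AS hourly BY _time
| eval month=strftime(_time, "%Y-%m"),
       day=strftime(_time, "%Y-%m-%d"),
       hour=strftime(_time, "%Y-%m-%d %H:00")
| eventstats sum(hourly) AS monthly BY month
| eventstats sum(hourly) AS daily BY day
| sort 0 -monthly, -daily, -hourly, +_time
| head 1
| table month monthly day daily hour hourly
```

The sort keys are what make this equivalent to the manual procedure: every hourly row carries its month total and its day total, so all rows of the busiest month come first, within them all rows of that month's busiest day, and within those the busiest hour. `+_time` as the last key makes ties deterministic (the earliest bucket wins). `sort 0` lifts the default 10,000-row limit, which a year of hourly buckets does not hit but a longer window would. Dropping `| head 1` and reading the top few rows shows the runner-up hours as well.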

1 Answer


If you want to pass a value from one panel to another panel, you need to define a token and set the search result of the first panel to that token. Then use that token in the second panel. Refer to https://docs.splunk.com/Documentation/Splunk/7.2.0/Viz/ContextualDrilldown. They have good examples. Following is one that

```xml
<dashboard>
  <row>
    <panel>
      <table>
        <title>Event counts by sourcetype</title>
        <search>
          <query>index=_internal | stats count by sourcetype</query>
        </search>
        <!-- Clicking a row sets both tokens; $click.value$ is the first-column value of the clicked row -->
        <drilldown>
          <set token="show_panel">true</set>
          <set token="selected_value">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <!-- This panel stays hidden until show_panel has been set by the drilldown above -->
    <panel depends="$show_panel$">
      <event>
        <title>Recent events for $selected_value$</title>
        <search>
          <query>index=_internal sourcetype=$selected_value$ </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="count">5</option>
      </event>
    </panel>
  </row>
</dashboard>
```

However, it is better to solve your problem using a query. To assist further, can you post the nested query you have tried?

Inthirakumaaran
  • Inthirakumaaran is correct: you can use tokens to pass values between dashboard elements. As he pointed out, a single query is a better approach. Can you provide the Splunk search query that you have tried? – Simon Duff Feb 12 '20 at 00:22
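A dashboard version of the same month, day, hour chain, in which each panel's search sets tokens for the next panel when it finishes, so nothing has to be clicked. This is an added example, not code from the answer above or from Splunk's documentation; the `web` index name and the token names (`month_start`, `month_end`, `day_start`, `day_end`) are assumptions. It relies on the Simple XML `<done>` handler and the `$result.<field>$` token, which reads the named field from the first result row, so every search is sorted with its peak bucket first. The `start`/`end` columns are epoch seconds, which `<earliest>` and `<latest>` accept directly:

```xml
<dashboard>
  <label>Peak month, day and hour</label>
  <row>
    <panel>
      <title>Events per month (last 12 full months)</title>
      <table>
        <search>
          <query>index=web
| bin _time span=1mon
| stats count AS events BY _time
| eval start=_time, end=relative_time(_time, "+1mon@mon"), month=strftime(_time, "%Y-%m")
| sort 0 -events
| table month events start end</query>
          <earliest>-12mon@mon</earliest>
          <latest>@mon</latest>
          <!-- Runs when the search completes; $result.*$ is the first row, i.e. the peak month -->
          <done>
            <set token="month_start">$result.start$</set>
            <set token="month_end">$result.end$</set>
          </done>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <!-- Hidden until the month tokens have been set by the panel above -->
    <panel depends="$month_start$">
      <title>Events per day in the peak month</title>
      <table>
        <search>
          <query>index=web
| bin _time span=1d
| stats count AS events BY _time
| eval start=_time, end=relative_time(_time, "+1d@d"), day=strftime(_time, "%Y-%m-%d")
| sort 0 -events
| table day events start end</query>
          <earliest>$month_start$</earliest>
          <latest>$month_end$</latest>
          <done>
            <set token="day_start">$result.start$</set>
            <set token="day_end">$result.end$</set>
          </done>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$day_start$">
      <title>Events per hour in the peak day</title>
      <table>
        <search>
          <query>index=web
| bin _time span=1h
| stats count AS events BY _time
| eval hour=strftime(_time, "%Y-%m-%d %H:00")
| sort 0 -events
| table hour events</query>
          <earliest>$day_start$</earliest>
          <latest>$day_end$</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Two points worth keeping in mind when wiring panels together this way. First, `$result.<field>$` only ever sees the first row, so the `sort 0 -events` in each search is not cosmetic; without it the tokens would point at whatever bucket happened to come first. Second, the tokens here are epoch numbers produced by the search itself and are only used as time bounds. When a token instead comes from a click, as `$selected_value$` does in the answer's example, and is spliced into a search string, write it as `$selected_value|s$`: the `|s` filter wraps the value in double quotes and escapes embedded quotes, so a field value containing spaces, `OR`, or a pipe character cannot change the meaning of the second panel's search.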