Splunk: Using Dynamic Panels

In most of the Organizations, many dashboards come with the big list of panels flooded on the dashboard. As a result, single page dashboard becomes multiple page report. To avoid this Splunk provide an option to create dynamic panels means we can hide panels from the dashboard when the search query is not returning any results.

E.g. consider below picture is one of the critical dashboards with multiple panels leaving supporting to ensure all panels are looked after

dyna

Where below dashboard is the same dashboard as above but with dynamic panels where the output is not shown when searches returned 0 records. This will help support team to monitor effectively with the right amount of data.

dyna2

We just need to make following changes in the dashboard code if we need to change panel visibility dynamic.

  • Linking panel to unique condition token_id

<panel depends=”$cond_token_a$” >

<search><query> —– </query>

<done>

<condition match=”‘job.resultCount’ &gt; 0″>

<set token=”cond_token_a”>true</set>

</condition>

<condition>

<unset token=”cond_token_a”></unset>

</condition>

</done>

</search>

</panel>

In above example, I am setting token to true when search returning at least 1 row. We can change this to any static value or can provide additional filtering in the search string as well.

The code remains same for any dashboard, we just need to ensure to give unique token id for each dynamic panel.

Thanks.

Advertisements

Splunk : Using DrillDown to connect two dashboards

Splunk does provide an option to connect 2 dashboards using drilldown option, that means when we click on any dashboard output it will open linked dashboard rather than search string. We can use drilldown option to map with specific dashboards or can take input from one dashboard and pass as variables to the next one.

  • Using Static Link:-  In order to create the drilldown mapping for any given panel on the dashboard we just simply add the following piece of code replacing mapped dashboard address.

setting drilldown option to all for generic cases

<option name=“drilldown”>all</option>

For Charts: – 

<option name=“charting.drilldown”>all</option>

For Tables: – 

<option name=“drilldown”>cell</option>

<drilldown>

<link> /app/APP_NAME/Dashboard_Name </link>

</drilldown>

  • Using with fix tokens:-

<option name=“drilldown”>all</option>

<drilldown>

<link> /app/APP_NAME/Dashboard_Name?form.tkn_Time.earlier=-60m@m&form.tkn_Time.latest=@m </link>

</drilldown>

Here @m will provide start time from start of the minute and again in the latest till the end of last minute.

  • Using dynamic field values:-  We can also use data published in the current dashboard as input for another dashboard. for e.g. we have dashboard providing the summary of placed orders at given time and another dashboard providing details of individual order from order id. Using drilldown we can link this 2 dashboard allowing users to any order data just by clicking order-id rather than searching and opening two dashboards every time.

 

<drilldown target=“_blank”>

<condition field=“ORDERID”>

<set token=“src_token”>$row.ORDERID$</set>

<link>

<![CDATA[ /

/app/APP_NAME/Dashboard_Name?form.tkn_Time.earliest=$tkn_Time.earliest$&form.tkn_Time.latest=$tkn_Time.latest$&form.tkn_searchID=$src_token$

]]>

</link>

</condition> </drilldown>

</drilldown>

In above examples token values can be changed as per your requriment.