topic Re: Customize the Episode Review dashboard using a JSON-formatted dashboard definition in Splunk ITSI

Customize the Episode Review dashboard using a JSON-formatted dashboard definition

MaximilianoML — Thu, 26 Sep 2024 10:11:21 GMT

Hello, guys!

I'm trying to use the episodes table as the base search in the Edit Dashboard view, as well in the Dashboard Classic using the source, but here we already have the results in the table. I'll attach my code snippet below:

{ "dataSources": { "dsQueryCounterSearch1": { "options": { "query": "| where AlertSource = AWS and AlertSeverity IN (6,5,4,3,1) | dedup Identifier | stats count as AWS", "queryParameters": { "earliest": "$earliest_time$", "latest": "$latest_time$" } }, "type": "ds.search" }, "mttrSearch": { "options": { "query": "| `itsi_event_management_get_mean_time(resolved)`", "queryParameters": { "earliest": "$earliest_time$", "latest": "$latest_time$" } }, "type": "ds.search" }, "episodesBySeveritySearch": { "options": { "query": "|`itsi_event_management_episode_by_severity`", "queryParameters": { "earliest": "$earliest_time$", "latest": "$latest_time$" } }, "type": "ds.search" }, "noiseReductionSearch": { "options": { "query": "| `itsi_event_management_noise_reduction`", "queryParameters": { "earliest": "$earliest_time$", "latest": "$latest_time$" } }, "type": "ds.search" }, "percentAckSearch": { "options": { "query": "| `itsi_event_management_get_episode_count(acknowledged)` | eval acknowledgedPercent=(Acknowledged/total)*100 | table acknowledgedPercent", "queryParameters": { "earliest": "$earliest_time$", "latest": "$latest_time$" } }, "type": "ds.search" }, "mttaSearch": { "options": { "query": "| `itsi_event_management_get_mean_time(acknowledged)`", "queryParameters": { "earliest": "$earliest_time$", "latest": "$latest_time$" } }, "type": "ds.search" } }, "visualizations": { "vizQueryCounterSearch1": { "title": "Query Counter 1", "type": "splunk.singlevalue", "options": { "backgroundColor": "#ffffff", "sparklineDisplay": "off", "trendDisplay": "off", "trendValue": 0 }, "dataSources": { "primary": "dsQueryCounterSearch1" } }, "episodesBySeverity": { "title": "Episodes by Severity", "type": "splunk.bar", "options": { "backgroundColor": "#ffffff", "barSpacing": 5, "dataValuesDisplay": "all", "legendDisplay": "off", "showYMajorGridLines": false, "yAxisLabelVisibility": "hide", "xAxisMajorTickVisibility": "hide", "yAxisMajorTickVisibility": "hide", "xAxisTitleVisibility": "hide", "yAxisTitleVisibility": "hide" }, "dataSources": { "primary": "episodesBySeveritySearch" } }, "noiseReduction": { "title": "Total Noise Reduction", "type": "splunk.singlevalue", "options": { "backgroundColor": "> majorValue | rangeValue(backgroundColorThresholds)", "numberPrecision": 2, "sparklineDisplay": "off", "trendDisplay": "off", "trendValue": 0, "unit": "%" }, "context": { "backgroundColorThresholds": [ { "from": 95, "value": "#65a637" }, { "from": 90, "to": 95, "value": "#6db7c6" }, { "from": 87, "to": 90, "value": "#f7bc38" }, { "from": 85, "to": 87, "value": "#f58f39" }, { "to": 85, "value": "#d93f3c" } ] }, "dataSources": { "primary": "noiseReductionSearch" } }, "percentAck": { "title": "Episodes Acknowledged", "type": "splunk.singlevalue", "options": { "backgroundColor": "#ffffff", "numberPrecision": 2, "sparklineDisplay": "off", "trendDisplay": "off", "trendValue": 0, "unit": "%" }, "dataSources": { "primary": "percentAckSearch" } }, "mtta": { "title": "Mean Time to Acknowledged", "type": "splunk.singlevalue", "options": { "backgroundColor": "#ffffff", "sparklineDisplay": "off", "trendDisplay": "off", "trendValue": 0, "unit": "minutes" }, "dataSources": { "primary": "mttaSearch" } } }, "layout": { "type": "grid", "options": { "display": "auto-scale", "height": 240, "width": 1440 }, "structure": [ { "item": "vizQueryCounterSearch1", "type": "block", "position": { "x": 0, "y": 80, "w": 288, "h": 220 } }, { "item": "episodesBySeverity", "type": "block", "position": { "x": 288, "y": 80, "w": 288, "h": 220 } }, { "item": "noiseReduction", "type": "block", "position": { "x": 576, "y": 80, "w": 288, "h": 220 } }, { "item": "percentAck", "type": "block", "position": { "x": 864, "y": 80, "w": 288, "h": 220 } }, { "item": "mtta", "type": "block", "position": { "x": 1152, "y": 80, "w": 288, "h": 220 } } ] } }

I really appreciate your help, have a great day 🙂

Re: Customize the Episode Review dashboard using a JSON-formatted dashboard definition

ITWhisperer — Thu, 26 Sep 2024 10:40:35 GMT

JSON dashboard definition is for Studio not Classic. What is your question here (or does that already answer it!)?

Re: Customize the Episode Review dashboard using a JSON-formatted dashboard definition

MaximilianoML — Thu, 26 Sep 2024 13:47:10 GMT

Hello, @ITWhisperer !

Yes, actually I'm editing the dashboard on https://itsi-*.splunkcloud.com/en-US/app/itsi/itsi_event_management? , and this is the view:

I'm looking for a way to make a simple query in the results, like this code snippet:

"dsQueryCounterSearch1": { "options": { "query": "| where AlertSource = AWS and AlertSeverity IN (6,5,4,3,1) | dedup Identifier | stats count as AWS", "queryParameters": { "earliest": "$earliest_time$", "latest": "$latest_time$" } }, "type": "ds.search" },

but doesn't return anything, any ideia how to refer the base search like the default querys?

P.S: This data:

Re: Customize the Episode Review dashboard using a JSON-formatted dashboard definition

ITWhisperer — Thu, 26 Sep 2024 14:51:21 GMT

Which search are you trying to extend - if it is "mttrSearch", you would do something like this

"dataSources": { "dsQueryCounterSearch1": { "options": { "extend": "mttrSearch", "query": "| where AlertSource = AWS and AlertSeverity IN (6,5,4,3,1) | dedup Identifier | stats count as AWS", "queryParameters": { "earliest": "$earliest_time$", "latest": "$latest_time$" } }, "type": "ds.search" },

Re: Customize the Episode Review dashboard using a JSON-formatted dashboard definition

MaximilianoML — Thu, 26 Sep 2024 15:00:34 GMT

This is the problem, I don't how this works... but I want to use the data that appears on the table in the bottom:

Re: Customize the Episode Review dashboard using a JSON-formatted dashboard definition

ITWhisperer — Thu, 26 Sep 2024 15:09:49 GMT

What is the data source for that table? The JSON you have shared does not appear to cover that

Re: Customize the Episode Review dashboard using a JSON-formatted dashboard definition

MaximilianoML — Fri, 27 Sep 2024 10:04:30 GMT

So, I didn't find how to use a base search, and then I just decided to proceed with a simple query as well in the Search Page.

P.S. The stuff between ` are Macros, you can check here: https://itsi-*.splunkcloud.com/en-GB/manager/itsi/data/macros , it's interesting things but is not helpful for me right now.

Thank you, friend!

Maximiliano Lopes