topic Re: adding columns to dashboard queries in Dashboards & Visualizations

adding columns to dashboard queries

drabbit — Thu, 16 Sep 2021 15:13:16 GMT

Hi,

I'm trying to make a dashboard element that shows when one of our applications is restarted. So I have a query that searches for "Starting Application". When I put this on my dashboard, I see the columns "i", timestamp, event. How can I add column that shows the kubernetes_container_name? And how can I change column width and trim the original text so I get no line breaks?

thanks for your help

Re: adding columns to dashboard queries

richgalloway — Thu, 16 Sep 2021 17:24:04 GMT

It would help if you shared the query the dashboard uses.

The table command specifies the columns the dashboard should display. If it includes "Starting Application" then that column will be present even if the search does not find it.

Re: adding columns to dashboard queries

drabbit — Fri, 17 Sep 2021 11:45:52 GMT

sorry, I thought I had posted it. The query looks like this:

"Starting Application" kubernetes_cluster="prod-cluster"

and I don't understand what you are referring to as "that column" in your answer. I want the kubernetes_container_name field as a column.

Re: adding columns to dashboard queries

drabbit — Fri, 17 Sep 2021 11:53:18 GMT

in an attempt to be a bit clearer about what I'm looking for. I'm looking for something like this:

| time | kubernetes_container_name | log message |

| 2021-09-11 21:05:15.590 | contract-mgmt | 2021-09-11 21:05:15.590 INFO 7 --- [ main] c.e.h.base.Application : Starting Application v2.3.0 using Java 11.0.10 |

| 2021-09-10 20:05:15.590 | base-data-mgmt | 2021-09-10 20:05:15.590 INFO 7 --- [ main] c.e.h.contract.Application : Starting Application v1.4.0 using Java 11.0.10 |

Re: adding columns to dashboard queries

richgalloway — Fri, 17 Sep 2021 13:08:25 GMT

So I misread your OP, but the general theme still applies. Use the table command to tell Splunk which columns to display in a table. In this case,

index=foo ```Always specify an index``` "Starting Application" kubernetes_cluster="prod-cluster" | table time kubernetes_container_name log message

Re: adding columns to dashboard queries

drabbit — Mon, 20 Sep 2021 08:33:23 GMT

thanks, I got a step further.

When I use the search as you described, I can now see the kubernetes_container_name as a column, but the columns time, log and message are empty. How can I fix that?

Re: adding columns to dashboard queries

richgalloway — Mon, 20 Sep 2021 12:40:48 GMT

The example query expects the fields to be present in the index, but I don't know the contents of your index so the field names may not be exactly right. Adjust the query to match your index or add eval statements as needed to calculate the desired fields.

Re: adding columns to dashboard queries

drabbit — Mon, 20 Sep 2021 12:47:34 GMT

I guess we're already off-topic here. I have absolutley no clue what an index is and how I can find out which fields are in the index. I guess I'll have to study the query stuff more.

Re: adding columns to dashboard queries

richgalloway — Mon, 20 Sep 2021 12:58:27 GMT

https://www.splunk.com/en_us/training/courses/intro-to-splunk.html

https://www.splunk.com/en_us/training/courses/using-fields.html