topic Re: Overview Dashboard Summarize Errors in Splunk Search

Overview Dashboard Summarize Errors

mclog — Fri, 31 May 2024 13:48:59 GMT

Hello,

I've a couple of detailed dashboards, all indicating the health status of my systems. Instead of opening each detailed dashboard and looking at every graph, I would like to have one "Overview Dashboard" traffic light indication style.

If one error would be shown in a detailed dashboard, I woud like to have the traffic light at the overview dashboard turn red with the option to have the drilldown link to the ´detailed dasboard where the error was found.

Any good ideas how one would build something like that? I've one solution, but it seems to be complicated. I would leverage scheduled searches which write into different lookups.
The overview dashboard could read from those lookups and search for error codes.

Re: Overview Dashboard Summarize Errors

deepakc — Fri, 31 May 2024 14:29:56 GMT

It sounds like you want a Key Performance Indicator Dashboard or summary ERROS level Dashboard that's light.

So, at a high level - define what those KPI's, metrics, or Log_levels might look like and create your search’s

Simple example

Summary Dashboard for my LOG_LEVELS

ERROR_MESSAGES = index=_internal log_level=ERROR NOT debug source=*splunkd.log* | timechart count WARNING_MESSAGES = index=_internal log_level=WARN NOT debug source=*splunkd.log* | timechart count INFO_MESSAGES = index=_internal log_level=INFO NOT debug source=*splunkd.log* | timechart count

Based on the above example log counts, you could use the Single Value Element with a trend indicator/colour and use the timechart command count for various values you want to see and have a link to your detailed dashboards.

Have a look here first and see if this is what you might want to do

https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/DashStudio/chartsSV

You can also download the old Splunk dashboard examples app, this also shows you how can do this for the single value element and many other examples.

https://splunkbase.splunk.com/app/1603

Re: Overview Dashboard Summarize Errors

mclog — Tue, 04 Jun 2024 09:06:14 GMT

Thank you for your answer deepakc,

but that is not correct. I do not want to have a simple KPI Dashboard.

Each detailed (sub) dashboard, has custom query's which I don't want to run automatically twice, once in the detailed board and once on the summary board.

Maybe an simple example makes my question more clear:

App1-Dashboard:
- 10 different custom query's which will show 10 different traffic light style of indication
App2-Dashboard:
- 50 different custom query's which will show 50 different traffic light style of indication
App3-Dashboard:
- 15 different custom query's which will show 15 different traffic light style of indication

The logs are not simply evaluated based on log-level, rather based on specific string combinations.

Instead of looking to each of my three dashboards one by one, I would like to have a "Summary Dashboard" which only includes three traffic lights. One for each mentioned app above. If e.g. App2-Dashboard has one of 50 traffic light warnings, I would like to see the traffic light of App2 in my "Summary Dashboard" indicate yellow or red to make sure I'm aware of any problem in App2.

I do not want to have all custom query's run in the Summary Dashboard and on each App Dashboard.