topic Re: range status in Splunk Search

range status

kris99 — Sat, 13 Sep 2014 19:50:30 GMT

how do i use range to display green tick or red cross for the following

index=xx sourcetype="yyy" State!="On"

If 'State' not equal to 'On' display red cross else green tick. I want it to take the latest event to check.

Thanks in advance for your help

Re: range status

datasearchninja — Sat, 13 Sep 2014 20:26:59 GMT

You could:

get the latest value using the first() option to stats
use eval and if to set a numeric value for State whether it is on and off
use rangemap and some custom css to set the icon

index=xx sourcetype="yyy" | stats first(State) as State | eval StateBool = if (State=="On", 0, 1) | rangemap field=StateBool low=0-0 severe=1-1
You will need some custom css to add the icon to the dashboard. Checkout the Splunk 6 Dashboard examples app: https://apps.splunk.com/app/1603/ and the "Single Value Decorations" example.

Dashboard Panel:

index=xx sourcetype="yyy" | stats first(State) as State | eval StateBool = if (State=="On", 0, 1) | rangemap field=StateBool low=0-0 severe=1-1
-15m
now
range
State
icon-only

This will show a green "On", or a red value of "State" until the css is set, when you will get the icons.

Re: range status

kris99 — Mon, 15 Sep 2014 05:56:04 GMT

ok thnks.. but how do i use eval

Re: range status

datasearchninja — Mon, 15 Sep 2014 07:08:11 GMT

I've edited my original answer with some more detail.

Re: range status

kris99 — Wed, 17 Sep 2014 06:25:44 GMT

how can i rename the wording. . If state = On, Show as "Up" else show "Down"

Re: range status

datasearchninja — Wed, 17 Sep 2014 07:33:46 GMT

Just use eval to create the field you need, or to rename the State field:

So change:

index=xx sourcetype="yyy" | stats first(State) as State | eval StateBool = if (State=="On", 0, 1) | rangemap field=StateBool low=0-0 severe=1-1

To something like:

index=xx sourcetype="yyy" | stats first(State) as State | eval StateBool = if (State=="On", 0, 1) | eval State = if (State=="On", "Up", "Down") | rangemap field=StateBool low=0-0 severe=1-1

Re: range status

kris99 — Mon, 29 Sep 2014 05:36:12 GMT

Based on the above search, how do I join below two searches and return the following within same SingleValue

If "ConnectionStatus" is "On" and "Events" is "0" , display "No Errors" with low range
If "ConnectionStatus" is "On" and "Events" is greater than "0" , display "Warning" with elevated range
If "ConnectionStatus" is NOT "On" and "Events" is greater than "0" , display "Error" with severe range

Re: range status

kris99 — Mon, 28 Sep 2020 17:44:32 GMT

tried using the same technique to join multiple searches but getting an error.

What am i doing wrong ?

index=xx sourcetype="ConnectionStatus" State!="On" | stats count(State) as down_count | appendcols [search index=yy sourcetype="Events" Type!=Information (EventCode>="3012" AND EventCode<="3054") |stats count | rename count as evt_count] | eval StateBool = if(down_count==0 AND evt_count==0, 0, down_count==0 AND evt_count >0, 1, down_count>0 AND evt_count>0, 2) | eval Status = if(down_count==0 AND evt_count==0,"Ok", down_count==0 AND evt_count>0,"Warning", down_count>0 AND evt_count>0,"Error")| rangemap field=StateBool low=0-0 elevated=1-1 severe=2-2 | table Status range