topic Re: How to get largest numeric (using regex) value displayed on a dashboard from a particular search? in Splunk Search

How to get largest numeric (using regex) value displayed on a dashboard from a particular search?

agoktas — Tue, 29 Sep 2015 23:34:05 GMT

We have a search that comes back with the following raw log data in every few lines:

getUnitofWorkThread-1 incrementing totalRecordsProcessedCount to 85441

That number increments and I want to display the latest number with the search range (i.e.: If I have 20 values (number increments), I only need the latest/largest number).

How do I do this?

I'm open to any suggestions.

Should I shorten the range to the last 1 minute? Real-time searches cause unnecessary load on the search head, so I was hoping to do perhaps the last 5 minutes and perform the search every 5 minutes.

Additionally, I want to create a dial/gauge that shows x number of log entries (realtime search is ok in this case) for past x seconds/minutes. So any suggestions on how to create that would be appreciated.

The goal is to ensure that we don't have any delays in processing a job that will take about 48 hours. If there is a hang and the output to log slows down dramatically, or even stops, we want an alert. But first I wanted to get a handy dashboard going.

Thanks!

Re: How to get largest numeric (using regex) value displayed on a dashboard from a particular search?

somesoni2 — Wed, 30 Sep 2015 00:06:46 GMT

You can try like this to get the largest number. Shortening the timerange would help in query performance.

index=_internal sourcetype=splunkd | rex "(?<SomeNumber>\d+)$" | stats max(SomeNumber) as SomeNumber

Re: How to get largest numeric (using regex) value displayed on a dashboard from a particular search?

esix_splunk — Wed, 30 Sep 2015 00:20:04 GMT

Stats max is great way.. You could also Sort, and head?

index=_internal sourcetype=splunkd | rex "(?<SomeNumber>\d+)$" | sort - SomeNumber | head 1

Re: How to get largest numeric (using regex) value displayed on a dashboard from a particular search?

muebel — Wed, 30 Sep 2015 01:36:13 GMT

As pointed out in other comments/answers, using stats with the max function, or sorting descending with a head of 1 on the extracted field would give you the largest number for a given timerange.

For the count of total events within a window, you could do something like:

sourcetype=processing_job | stats count as "Total Events"

for some given realtime window

Re: How to get largest numeric (using regex) value displayed on a dashboard from a particular search?

agoktas — Wed, 30 Sep 2015 18:02:17 GMT

Thanks for that info! 🙂

I was hoping to add this to a Radial Gauge, but default is 100.

We expect about 5,000 log entries/lines per hour and I am curious how we can change the Radial Gauge threshold/value.

Also, how can we revert the direction? I.e.: 5,000 entries is in the green and 0 would be red.

Thanks.

Re: How to get largest numeric (using regex) value displayed on a dashboard from a particular search?

agoktas — Wed, 30 Sep 2015 18:04:03 GMT

Thanks for the answer. That worked perfectly!

One last question,

How would I change the color of the value's font when I have this in a dashboard as a "Single Value" within the panel?

Currently is default bold + black font.

Thanks!

Re: How to get largest numeric (using regex) value displayed on a dashboard from a particular search?

somesoni2 — Wed, 30 Sep 2015 19:03:03 GMT

Have a look at the Dashboard example app
https://splunkbase.splunk.com/app/1603/

There are examples for Single Value Elements which can help you get these kind of customizations.

Re: How to get largest numeric (using regex) value displayed on a dashboard from a particular search?

agoktas — Thu, 01 Oct 2015 17:33:09 GMT

http://answers.splunk.com/answers/314836/how-to-adjust-radial-gauge-numeric-range-within-a.html?minQuestionBodyLength=80