topic Re: How to create a single value panel that changes based on weighted values? in Splunk Search

How to create a single value panel that changes based on weighted values?

JoshuaJohn — Wed, 14 Sep 2016 19:44:20 GMT

I want to create a single value panel that starts at 100, and when a specific alert goes off with an assigned weight, that weight is removed from the single value panel. So alert with a weight of 25 fires, the single value panel is now at 75 which is yellow.

Greater than 80 is green
50-80 is yellow
below 50 is red

I have this search:

index="nitro_prod_summary" earliest=-1h@m latest=@m [| `nitro_prod_cmdb` | search Category="ECOMM CUSTOMER FACING"  OR Category="ECOMM OPERATIONS" Service="*" Application="*" weight="*"| stats count by Application | table Application] | join Application [ | `nitro_prod_cmdb` ] | search Alert_Type="*" Metric_Category="*" | eval FilterKey=Description.ID | dedup FilterKey | table Alert_Type Category Service Application Metric_Category Description Key ID| rename Metric_Category as "Type" Alert_Type as "Alert" count as Count | sort +Alert

Which creates a table like this:

I want to create this single panel for "webstore" so I want to filter from the search above only Application="WebStore Services" then add the weights from all of the instances and subtract it from 100, if this number is greater than 80 it is green, 50-80 is yellow and below 50 is red. It should also still say webstore and the color should be responding to that number.

I did not put weight into the table but it is being pulled from the alerts just not being placed anywhere.

Any ideas on making this single value panel?
Few extra points for this loaded question!

Re: How to create a single value panel that changes based on weighted values?

sundareshr — Wed, 14 Sep 2016 20:02:09 GMT

See if this gets you going in the right direction

 index="nitro_prod_summary" earliest=-1h@m latest=@m [| `nitro_prod_cmdb` | search Category="ECOMM CUSTOMER FACING"  OR Category="ECOMM OPERATIONS" Service="*" Application="*" weight="*"| stats count by Application | table Application] | join Application [ | `nitro_prod_cmdb` ] | search Alert_Type="*" Metric_Category="*" | eval FilterKey=Description.ID | dedup FilterKey | table Alert_Type Category Service Application Metric_Category Description Key ID weights | rename Metric_Category as "Type" Alert_Type as "Alert" count as Count | sort +Alert where match(Application, "([Ww]eb[Ss]tore)" | stats sum(weights) as weight | eval weight=100-weight | rangemap field=weight low=100-80 elevated=50-79 default=severe

Re: How to create a single value panel that changes based on weighted values?

JoshuaJohn — Wed, 14 Sep 2016 20:17:16 GMT

Not quite, nothing is showing up here. I would need this to work if there were no active alerts as well, but right now there are but it isn't producing anything.

Re: How to create a single value panel that changes based on weighted values?

sundareshr — Wed, 14 Sep 2016 20:18:54 GMT

Did you add the weights field to the table?

Re: How to create a single value panel that changes based on weighted values?

JoshuaJohn — Wed, 14 Sep 2016 20:36:52 GMT

I did but to no avail

Re: How to create a single value panel that changes based on weighted values?

sundareshr — Wed, 14 Sep 2016 20:45:23 GMT

Try the updated query

Re: How to create a single value panel that changes based on weighted values?

JoshuaJohn — Thu, 15 Sep 2016 14:00:32 GMT

Hmm still not working, here is an example of my alerts hopefully this can help

[nitro_prod_stores__500_alert]
action.email.inline = 1
action.summary_index = 1
action.summary_index._name = nitro_prod_summary
alert.expires = 10s
alert.suppress = 0
alert.track = 1
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 03 * * * *
description = Webstore crosses 500
enableSched = 1
realtime_schedule = 0
search = index=nitro_webstore  "500" NOT("*.500" OR "200") earliest=-80m@m latest=-20m@m | stats count | where count>74 |**eval weight = 50** |eval Metric_Category="Application" | eval Metric="Health" | eval Metric_Type="Status" | eval Application="Webstore Services" | eval Key="Count" | eval Frequency="60 minutes" | eval ID="NA" | eval Description="Webstore crosses 500" | eval Value=coalesce(NA,count) | eval Alert_Type="low" | eval Alert="Yes" | eval Service-Now_Assignment_Group="EC-IScore" | eval Violation="1" | eval _time=now() | table _time Metric_Category Metric Metric_Type Application Key ID Description Frequency Value Alert_Type Alert Service-Now_Assignment_Group Violation Search_name

Re: How to create a single value panel that changes based on weighted values?

sundareshr — Thu, 15 Sep 2016 17:00:05 GMT

What do you get when you keep only the where segement and remove everything else? Can you copy the list of fields you see?

Re: How to create a single value panel that changes based on weighted values?

JoshuaJohn — Thu, 15 Sep 2016 18:13:22 GMT

"count
112"

Re: How to create a single value panel that changes based on weighted values?

sundareshr — Thu, 15 Sep 2016 18:30:57 GMT

My bad. I meant keep the where and remove everything else from the query I posted. Not the alert query.

Re: How to create a single value panel that changes based on weighted values?

JoshuaJohn — Thu, 15 Sep 2016 18:45:39 GMT

So I tried that and I got no results but when I removed the weight category I received the original table again as shown in the first post

Re: How to create a single value panel that changes based on weighted values?

sundareshr — Thu, 15 Sep 2016 19:31:41 GMT

Good. So where does the Weight come from? Is it a field in the main search? or one of the sub-searches? That field is needed for the query to execute

Re: How to create a single value panel that changes based on weighted values?

JoshuaJohn — Thu, 15 Sep 2016 20:23:08 GMT

Makes sense, my bad. I will get all of this set up correctly, and get back here.

Re: How to create a single value panel that changes based on weighted values?

JoshuaJohn — Thu, 15 Sep 2016 20:52:33 GMT

Can I append weight to the main search? It is in the alerts

Re: How to create a single value panel that changes based on weighted values?

JoshuaJohn — Mon, 19 Sep 2016 15:24:25 GMT

Ok so made some edits, sorry for the delay. The search now works but I need it to still display when there are no alerts coming in, any suggestions for that? Right now it will just say "no results"

Re: How to create a single value panel that changes based on weighted values?

JoshuaJohn — Mon, 19 Sep 2016 18:12:11 GMT

Sorry for the late reply, I got the search working but now I need it to return green even when the search provides no results because no alerts are firing currently? Any suggestions?