Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Automatic Simple XML Dashboard: Is it possible to ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not a dashboard expert however, from a search I have the following setup:
| rex field=msg.Properties..FileName "(?[\w-]+\.apm)"
| eval EventName='msg.Properties..EventType'
| search Filename
| chart count over Filename by EventName
This gives me results like:
Filename Moved FileError Validated Sent ValidationError
1bc71199.apm 1 1 1 2 0
43bd3399.apm 1 1 1 2 1
Is it possible to change the 0s, 1s and 2s to other values? Like maybe a TimeStamp or Checkmark or basically something that isn't a number?
Also, maybe I shouldn't be using a CHART for summary (but my users like the data representation) but please tell me if I'm doing that wrong too! Are stats the better option? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ozman2112,
You can do both. If you want to replace the number by specific words you can use a conditionaleval expression and simply replace any occurrence of 0,1 or 2 with a specific word.
You can also replace them with checkmarks if needed using javascript. You can find some examples of that in this app here :
https://splunkbase.splunk.com/app/1603/
Also check this out for including icons within a table :
https://answers.splunk.com/answers/345025/simple-xml-dashboard-examples-how-to-add-a-new-ico.html
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ozman2112,
You can do both. If you want to replace the number by specific words you can use a conditionaleval expression and simply replace any occurrence of 0,1 or 2 with a specific word.
You can also replace them with checkmarks if needed using javascript. You can find some examples of that in this app here :
https://splunkbase.splunk.com/app/1603/
Also check this out for including icons within a table :
https://answers.splunk.com/answers/345025/simple-xml-dashboard-examples-how-to-add-a-new-ico.html
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, sounds simple enough:
| eval EventName='msg.Properties.EventType'
| search Filename
| chart count(eval(if(EventName="1", "one","is not one"))) over Filename by EventName
None of the "1"s in the chart were replaced. They remained the same. Is there an equality issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I meant an eval in a line right after the chart. Try something like this instead, it's easier :
... | replace 0 WITH iszero, 1 WITH isone,2 WITH istwo IN Moved
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Replace
And to apply it to all fields you can simply do this :
... | foreach * [|replace 0 WITH iszero, 1 WITH isone,2 WITH istwo IN <<FIELD>>]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
...and thanks for replying on a Saturday! 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
