All Apps and Add-ons

Sideview multiplexer - rangemap

renems
Communicator

Thanks to the sideview utils, i could create a dynamic overview of hosts per index, creating single values for each host entry. Thereby, I fill each entry with some specifics about that host. What would make it really gorgeous, is when I could use the rangemap command, and light up those hosts that don't have a process running. Somehow, that doesn't seem to work. Any idea's/suggestions?


index="demo-lab" sourcetype=facter | dedup host| rex field=application "(?i)=demo-(?P<customer>[^,]+)" | table host, customer, memorysize, processorcount | eval test="1" | rangemap field=test low=0-300 default=severe
range
test
-60m
now

<module name="Multiplexer">
  <param name="fields">host,customer,memorysize,processorcount</param>
  <module name="HTML">
    <param name="html"><![CDATA[
       <div class="valueDisplay">
          <div class="inner">$host$</div>
          <div class="inner2">customer: $customer$</div>
          <div class="inner2">mem:$memorysize$</div>
          <div class="inner2">cpu: $processorcount$</div>
       </div>
    ]]></param>
  </module>
</module>

0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

You certainly can do this. What you do is you add the rangemap's command's "range" field to the list of multiplexed fields, and after that the $range$ token can be used in the HTML module, in particular inside the class attribute of the <div class="inner"> element.

Here is a standaline example that will work anywhere because it uses the _internal data.

<module name="Search" layoutPanel="panel_row3_col1" autoRun="True">
  <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | stats sum(kb) as KB by series | rename series as sourcetype | rangemap field=KB low=0-100 guarded=100-1000 elevated=1000-10000 high=10000-100000 severe=100000-100000000000000</param>
  <param name="earliest">-15m</param>
  <param name="latest">now</param>

  <module name="JobProgressIndicator" />

  <module name="Multiplexer">
    <param name="fields">sourcetype,totalKB,range</param>
    <module name="HTML">
      <param name="html"><![CDATA[
        <div class="valueDisplay">
          <div class="inner $range$">sourcetype <b>$sourcetype$</b> ($totalKB$ KB indexed)</div>
        </div>
      ]]></param>
    </module>
  </module>
</module>

Extra Credit:

The specifics of the div tags and the "inner" class and all that relies on the fact that Sideview Utils carries along with it some basic CSS rules that mirror Splunk's rules for the SingleValue module and the "single" elements in Simple XML. Specifically I'm talking about the low/guarded/elevated/high/severe classname conventions and the associated background colors from Splunk core. If you ever want to study the exact CSS rules that are involved here, they are centralized in that SideviewUtils module that is required on every page:

$SPLUNK_HOME/etc/apps/sideview_utils/appserver/modules/SideviewUtils/SideviewUtils.css

If you want to change the colors or the names you can create your own set of CSS rules within your own app and then use those classnames in rangemap etc.

By the way I'll add the above example to the Multiplexer documentation in the next release.

Even More Extra Credit:

If you ever want to have your little colored HTML divs link to another view for drilldown detail, you can use the HTML module for this, and in fact there's a page under "HTML module" in the docs that will tell you how. But it's a bit better to get used to the Link module instead. Used in combination with the Redirector module the Link module makes little drilldown links very simple and you can multiplex a Link+Redirector block just as easily as multiplexing an HTML module.

View solution in original post

sideview
SplunkTrust
SplunkTrust

You certainly can do this. What you do is you add the rangemap's command's "range" field to the list of multiplexed fields, and after that the $range$ token can be used in the HTML module, in particular inside the class attribute of the <div class="inner"> element.

Here is a standaline example that will work anywhere because it uses the _internal data.

<module name="Search" layoutPanel="panel_row3_col1" autoRun="True">
  <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | stats sum(kb) as KB by series | rename series as sourcetype | rangemap field=KB low=0-100 guarded=100-1000 elevated=1000-10000 high=10000-100000 severe=100000-100000000000000</param>
  <param name="earliest">-15m</param>
  <param name="latest">now</param>

  <module name="JobProgressIndicator" />

  <module name="Multiplexer">
    <param name="fields">sourcetype,totalKB,range</param>
    <module name="HTML">
      <param name="html"><![CDATA[
        <div class="valueDisplay">
          <div class="inner $range$">sourcetype <b>$sourcetype$</b> ($totalKB$ KB indexed)</div>
        </div>
      ]]></param>
    </module>
  </module>
</module>

Extra Credit:

The specifics of the div tags and the "inner" class and all that relies on the fact that Sideview Utils carries along with it some basic CSS rules that mirror Splunk's rules for the SingleValue module and the "single" elements in Simple XML. Specifically I'm talking about the low/guarded/elevated/high/severe classname conventions and the associated background colors from Splunk core. If you ever want to study the exact CSS rules that are involved here, they are centralized in that SideviewUtils module that is required on every page:

$SPLUNK_HOME/etc/apps/sideview_utils/appserver/modules/SideviewUtils/SideviewUtils.css

If you want to change the colors or the names you can create your own set of CSS rules within your own app and then use those classnames in rangemap etc.

By the way I'll add the above example to the Multiplexer documentation in the next release.

Even More Extra Credit:

If you ever want to have your little colored HTML divs link to another view for drilldown detail, you can use the HTML module for this, and in fact there's a page under "HTML module" in the docs that will tell you how. But it's a bit better to get used to the Link module instead. Used in combination with the Redirector module the Link module makes little drilldown links very simple and you can multiplex a Link+Redirector block just as easily as multiplexing an HTML module.

sideview
SplunkTrust
SplunkTrust

Sideview Utils 3.2.9 released today and I added this as another working example on the Multiplexer docs page. (the docs and examples are as always within the Sideview Utils app itself)

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...