How to build a simple dashboard using index and source, and modify the search for various scenarios?
I have an index; I have a source.
How can I list all fields in my source and index and make use of them with simple visualizations?
Please help.

Before you make the dashboard, you need to play around and get comfortable with the search box.
Enter this...
index=foo | head 5
Since there are only 5 records, every field in any of them will appear in the "interesting fields" list to the left. (Being on one record is 20%, which makes it "interesting".) Look at the field names, and click on them to see what kind of values they hold.
You can also do this to get a list of the field names output from a search...
index=foo | head 10 | fieldsummary
That will give you a table displaying various information about non-internal fields. (Internal fields, those beginning with underscore, you don't want to mess with, with the possible exception of _time.)
Play with these commands first - eval, stats, eventstats, chart, timechart.
For every one of those commands but eval, play with these aggregation functions first - count(), sum(), avg(), min(), max(), first(), last(), earliest(), latest(), stdev()
Once you feel comfortable with what those all do, then come back and ask about visualizations.
Updated to use the more modern fieldsummary command.
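As an added illustration, not part of the answer above, the following searches walk through the progression it describes: summarize the fields, aggregate with stats, compare groups with eventstats and eval, then plot over time with timechart. They assume the placeholder index foo from the answer and use only Splunk's default fields host, sourcetype and _time; fieldsummary's output is reduced to the columns a newcomer needs, and the numeric results are the kind of thing that becomes one dashboard panel each.

```spl
index=foo | head 10 | fieldsummary | table field count distinct_count values

index=foo earliest=-24h | stats count AS events, dc(host) AS hosts, min(_time) AS first_seen, max(_time) AS last_seen BY sourcetype | convert ctime(first_seen) ctime(last_seen) | sort - events

index=foo earliest=-24h | stats count BY host, sourcetype | eventstats sum(count) AS total | eval pct=round(100*count/total, 1) | sort - count

index=foo earliest=-24h | timechart span=1h count BY sourcetype
```

The first search shows which fields exist and how many distinct values each carries, which is how you decide what is worth charting. The second and third are table panels (dc(host) tells you whether a data source is coming from one machine or many, and eventstats adds a per-row share of the total without collapsing the rows). The last one is a line or column chart; once a search returns the table you want, the search page's Save As menu lets you add it to a dashboard as a panel.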

You can go through the Splunk search tutorial; the following topic talks about the creation of dashboards and the next step.
http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Createnewdashboard
| makeresults | eval message= "Happy Splunking!!!"
Thank you very much, Sir. Let me start exploring. The first command works; for the second command, the field value and field name should be selected as per the event and output generated in command one above, right?

@tkrprakash - no, I had an error in my aircode. I've updated the code to use the more modern fieldsummary, which is a much better resource for you at this point. Try it and you'll see what I mean.
