Dashboards & Visualizations

Change Main dashboard Colour based on the state of drill down dashboards

njohnson7
Path Finder

I have a main dashboard(parent) which drill downs into different dashboards(child) showing different values. The values shown in the child dashboards would change according to the range set for them and hence would be Green , Amber or Red at any particular point of time.

How could i get it reflected to my parent dashboard? For example, say 3 of my child dashboards are Green, I also want my parent dashboard to be green. If 1/3 of the child dashboards are Red, I also want my parent dashboard to be Red and likewise.

A (Parent Dashboard)

1 , 2, 3 are Child dashboards which gets drill down from A.

So if 1 , 2 and 3 are Green , A should also be green.
If any of 1, 2 or 3 is Red, A should also be Red and likewise.

0 Karma

niketn
Legend

@njohnson7 what is the query that can be used to identify whether a particular child dashboard is Green or Red?

Can a scheduled search run for all child dashboards giving you overall status a Green or Red? Then you can just use loadjob to get the result of last run and use the search event handler to set the token for your parent dashboard as Green or Red.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

njohnson7
Path Finder

Hi @niketnilay , so for all the child dashboards, I need to have different panels which would give count or relevant details but even in the same child dashboard, the data for different panels come either from same indexes and different sourcetypes in them or different indexes and different sourcetypes in them. Maybe I can evaluate a field to set a threshold count < 10 --> Green , count > 20 Red etc for each panels to determine the state of each panel.
But I also need to set this parent -child dashboard set up for more than 10 systems (system=S1).
Like the parent dashboard will just be having different panels for different systems, for example system S1 and S1 panel would be Green if all the panels related to S1 are green and same for S2 and so on..
So if I have to schedule a saved search, I need to set up a lot of saved searches right ?

Sample queries --
For Panel 1 -->
index= index1
| search sourcetype="source1"
| search system=S1
| dedup logtime error client userid wp
| table logtime client userid status error
| stats count

For Panel 2 -->
index=index1 sourcetype="source2"
| search system=S1
| search status = "first"
| dedup rowno server logtime status
| stats count

For Panel 3 -->

index=index2 sourcetype="source 3" direction=outbound status="red" system=S1
| dedup inumber
| where statusnumber IN ("02","04","05","07")
| stats count

0 Karma

njohnson7
Path Finder

Hi @nickhillscpl , thanks for the lookup file idea but I was hoping that I would just display A(system)

as a panel in the parent dashboard and on click, use that as a token for the drill down dashboards because I would need to build the same setup for 10+ systems. So since these are not saved searches but realtime is there any other approach ?

0 Karma

nickhills
Ultra Champion

Assuming your child dashboards are running scheduled searches, I would be tempted to have them output an overall status to a lookup file with append=t to write a value which summarises the status like eval dashboard="child_dashboard_one", status=1

Your lookup file would then look like:

dashboard,status
child_dashboard_one,1
child_dashboard_two,1
child_dashboard_three,2

You can then read the lookup on the parent dashboard. The advantage of using numbers to represent the status is you can quickly calculate an average status value. if sum(status) =3 you know everything is ok 4-5 maybe a warning, 5+ is serious!

The other benefit (other that the obvious speed advantage over a huge combining search) is you can easily add single value panels to the parent, and use the numeric status to change the colour of just the child dashboard which has the problem giving you an indication of which child dashboard has triggered the change.

Thats a very high level explanation, but let me know if not clear.

If my comment helps, please give it a thumbs up!
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...