Dashboards & Visualizations

Dashboard Help

Contributor

I want to make a dashboard from the below search result but I am having a hard time. I am using a single value dashboard, but when I select the visualization the data it shows is cropped and not showing all the drives. Can you help me with that? Thanks for all the help.

index="main" host="hc1aptr3sv" Name="C:" OR Name="D:" FreeSpace | eval FreeSpace_in_GB = round((FreeSpace/1024/1024/1024), 2)|eval Size_in_GB = round((Size/1024/1024/1024),2)|table host,Name,Size_in_GB,FreeSpace_in_GB| dedup Name

0 Karma
1 Solution

SplunkTrust

@carlyleadmin using perfmon (Performance Monitoring) you can directly get % Free Space counter from Windows machine. Please check out the details. There could be numerous ways to represent performance KPIs. Similar to Radial Gauge you can also use Marker gauge, Filler Gauge. There is also a Water Gauge Custom Visualization on Splunkbase.

I like Status Indicator Custom Visualization which gives you metrics + icon + color to depict data. Post Splunk Enterprise 6.6, combined with Trellis this has really amazing applications. Based on the information provided, I have built a mock dashboard to demo the same.

Please find the run anywhere Simple XML dashboard for the same:

<form>
  <label>Single Value Trellis</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <title>Status Indicator - Trellis</title>
      <input type="dropdown" token="tokFreeDiscResults" searchWhenChanged="true">
        <label>Show Least % Free Disc</label>
        <choice value="all">All</choice>
        <choice value="top10">Top 10</choice>
        <choice value="top5">Top 5</choice>
        <default>top10</default>
        <change>
          <condition value="all">
            <set token="tokTopResults"></set>
            <set token="statusIndicatorHeight">450</set>
          </condition>
          <condition value="top10">
            <set token="tokTopResults">| head 10</set>
            <set token="statusIndicatorHeight">300</set>
          </condition>
          <condition value="top5">
            <set token="tokTopResults">| head 5</set>
            <set token="statusIndicatorHeight">180</set>
          </condition>
        </change>
      </input>
      <viz type="status_indicator_app.status_indicator">
        <search base="hostDetailsBaseSearch">
          <query>| eval host=host."-".Name 
| stats last(FreeSpace_Perc) as FreeSpace_Perc last(icon) as icon last(color) as color by host
| eval FreeSpace_Perc=FreeSpace_Perc." %"</query>
        </search>
        <!-- Adjust "height" depending on how many Trellis splits you can have -->
        <option name="height">$statusIndicatorHeight$</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">host</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <title>Tabular Details</title>
      <table>
        <search id="hostDetailsBaseSearch">
          <query>| makeresults 
| eval host="hc1aptr1sv",Name="C:", FreeSpace_in_GB=round(15654023465943/1024/1024/1024,2), Size_in_GB = round((66219989979211/1024/1024/1024),2) 
| append 
    [| makeresults 
    | eval host="hc1aptr1sv",Name="D:", FreeSpace_in_GB=round(87840234659/1024/1024/1024,2), Size_in_GB = round((4619989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr1sv",Name="E:", FreeSpace_in_GB=round(44023465942/1024/1024/1024,2), Size_in_GB = round((119989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr2sv",Name="C:", FreeSpace_in_GB=round(2299440234659/1024/1024/1024,2), Size_in_GB = round((5739989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr2sv",Name="D:", FreeSpace_in_GB=round(12023465942/1024/1024/1024,2), Size_in_GB = round((329989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr3sv",Name="C:", FreeSpace_in_GB=round(32140234659/1024/1024/1024,2), Size_in_GB = round((2319989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr4sv",Name="C:", FreeSpace_in_GB=round(54323465942/1024/1024/1024,2), Size_in_GB = round((987989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr4sv",Name="D:", FreeSpace_in_GB=round(8769440234659/1024/1024/1024,2), Size_in_GB = round((8799989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr4sv",Name="E:", FreeSpace_in_GB=round(66723465942/1024/1024/1024,2), Size_in_GB = round((443989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr5sv",Name="C:", FreeSpace_in_GB=round(67840234659/1024/1024/1024,2), Size_in_GB = round((9879989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr6sv",Name="C:", FreeSpace_in_GB=round(64523465942/1024/1024/1024,2), Size_in_GB = round((210989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr7sv",Name="C:", FreeSpace_in_GB=round(8579440234659/1024/1024/1024,2), Size_in_GB = round((5199989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr7sv",Name="D:", FreeSpace_in_GB=round(32123465942/1024/1024/1024,2), Size_in_GB = round((645989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr7sv",Name="E:", FreeSpace_in_GB=round(65840234659/1024/1024/1024,2), Size_in_GB = round((4319989979211/1024/1024/1024),2) ] 
| append 
    [| makeresults 
    | eval host="hc1aptr8sv",Name="C:", FreeSpace_in_GB=round(33023465942/1024/1024/1024,2), Size_in_GB = round((229989979211/1024/1024/1024),2) ] 
| eval FreeSpace_Perc=round((FreeSpace_in_GB/Size_in_GB)*100,1)
| sort FreeSpace_Perc $tokTopResults$
| eval icon=case(FreeSpace_Perc&gt;=30,"check-circle",FreeSpace_Perc&gt;=10 AND FreeSpace_Perc&lt;30,"info-circle",true(),"times-circle") 
| eval color=case(FreeSpace_Perc&gt;=30,"#00FF00",FreeSpace_Perc&gt;=10 AND FreeSpace_Perc&lt;30,"#F7BC38",true(),"#ff0000")
| stats last(FreeSpace_Perc) as FreeSpace_Perc last(icon) as icon last(color) as color by host Name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <format type="color" field="FreeSpace_Perc">
          <colorPalette type="list">[#D93F3C,#FCD825,#65A637]</colorPalette>
          <scale type="threshold">15,30</scale>
        </format>
        <format type="number" field="FreeSpace_Perc">
          <option name="unit">%</option>
          <option name="useThousandSeparators">false</option>
        </format>
        <format type="color" field="host">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="Name">
          <colorPalette type="map">{"C:":#6DB7C6,"D:":#13EFA2,"E:":#E3B0FC}</colorPalette>
        </format>
        <fields>["host","Name","FreeSpace_Perc"]</fields>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm.
PS: On similar lines as above, you can depict multiple KPI metrics for a single host instead of multiple hosts with a single KPI. This would be a better use case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


Contributor

Thanks niketnilay. I will give this a try.

0 Karma

Contributor

Hey Mayur,

This does not work for me. I don't want the sum of freespace and total size. I just want the current size and freespace. I am using WMI to get the physical disk drive info every 5 minutes, and from there I did create notifications if we have low disk space. On top of that, I wanted to have a visual of the drives where people can go to a drop-down and pick anytime and get the historical data on drives. I used a gauge (attached picture), but upper management wanted a table or grid that shows freespace along with size on that disk at the same time. I guess it is not possible to do what I want.

Thanks for taking the time to respond

0 Karma

SplunkTrust

@carlyleadmin, I tried the following run anywhere search to mimic your issue; however, for me the first Single Value also appeared at the correct place. Based on your screenshot, it seems like you are using Trellis.
1) Have you tried various sizes of Trellis like small, medium and large to see whether you get the desired output or not?
2) Have you tried saving the search as a Dashboard?

| makeresults
| eval host="hc1aptr3sv",Name="C:", FreeSpace_in_GB=round(4023465/1024/1024/1024,2), Size_in_GB = round((9989979/1024/1024/1024),2) 
| table host,Name,Size_in_GB,FreeSpace_in_GB 
| dedup Name

PS: I tested in Splunk 7.0.1 and it worked fine. If you are still facing issues, you can use a CSS override to resize and re-position the first single value. Let me know if that is required.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Contributor

Hey Niketnilay,

I am using Trellis and changing the size won't help. I will try to get it to work. I can make it work using Gauge and get the freespace percentage, and with timerangepicker I can really make it nice with dropdowns to select different environments, but upper management wants something like a grid or table that shows the size of the drive and the freespace on that same drive instead of nice visuals.

I already have a table from that search with that info saved as a dashboard, but to me it looks dull compared to the gauge. If I can't make it work I will tell them these are the 2 options, pick one :)

Thanks for taking the time to respond

0 Karma

SplunkTrust

Hey, you cannot use a visualization for a table, and that too single value: as there are two rows in statistics, logically it is not possible to use single value for that. So use a statistical table instead of single value!

Also your query gives wrong output, try this!

index="main" host="hc1aptr3sv" Name="C:" OR Name="D:" FreeSpace | eval FreeSpace_in_GB = round((FreeSpace/1024/1024/1024), 2)|eval Size_in_GB = round((Size/1024/1024/1024),2)|stats sum(Size_in_GB) as Total_size_in_GB sum(FreeSpace_in_GB) as total_freespace_in_GB by Name host

And use a statistical table!

Let me know if this helps you!

0 Karma
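
A table panel for the statistical-table approach the thread ends on, written as an added example that is not from any poster in this thread. It keeps the most recent Size and FreeSpace per host and drive with `latest()` instead of summing every 5-minute sample, and adds a time picker. The index, host, and field names are the ones in the question; the labels, the `tokTime` token name, and the assumption that Size and FreeSpace are in bytes are choices of this example.

```xml
<form>
  <label>Disk Size and Free Space</label>
  <fieldset submitButton="false">
    <!-- Time picker so viewers can look at any historical window -->
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Latest Size and Free Space per Drive</title>
      <table>
        <search>
          <!-- latest() keeps one row per host/drive: the newest sample in the window -->
          <query>index="main" host="hc1aptr3sv" (Name="C:" OR Name="D:")
| stats latest(Size) as Size latest(FreeSpace) as FreeSpace by host Name
| eval Size_in_GB=round(Size/1024/1024/1024,2)
| eval FreeSpace_in_GB=round(FreeSpace/1024/1024/1024,2)
| eval FreeSpace_Perc=round((FreeSpace/Size)*100,1)
| table host Name Size_in_GB FreeSpace_in_GB FreeSpace_Perc
| sort FreeSpace_Perc</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <!-- Same thresholds and palette as the mock dashboard's table: red below 15, yellow below 30, green otherwise -->
        <format type="color" field="FreeSpace_Perc">
          <colorPalette type="list">[#D93F3C,#FCD825,#65A637]</colorPalette>
          <scale type="threshold">15,30</scale>
        </format>
        <format type="number" field="FreeSpace_Perc">
          <option name="unit">%</option>
        </format>
      </table>
    </panel>
  </row>
</form>
```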