Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dashboard outputting pattern

sarahw3
Explorer
‎08-03-2017 11:22 AM

I have events that are statuses of cameras. I want to create a panel that outputs the names of the cameras whose status="Never_Checked" or "No_Images for three days in a row. For example, if camera 1A was never checked on 8/1, 8/2, and 8/3, 1A will be added to a list. Is this possible?

0 Karma
Reply

woodcock
Esteemed Legend
‎09-04-2017 06:06 PM

Let's make it flexible. If you select Last 3 days then this will check for 3 days as you desire but if you change the timepicker, it will shift.

|gentimes start=-4
| rename starttime AS _time
| fields _time
| streamstats count AS _serial
| eval host="camera1 camera2 camera3 camera4 camera5"
| makemv host
| mvexpand host
| eval status=case(host="camera5", "OK",
                   host="camera1", "Never_Checked",
                   host="camera2", "No_Images",
                   _serial=1, "Never_Checked",
                   _serial=2, "No_Images",
                   _serial=3 AND host="camera3", "No_Images",
                   _serial=3 AND host="camera4", "OK",
                   true(), "No_Images")

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| stats values(status) AS status dc(status) AS statusCount BY host
| where (statusCount=1 AND (status="Never_Checked" OR status="No_Images")) OR (statusCount=2 AND status="Never_Checked" AND status="No_Images")
0 Karma
Reply

sbbadri
Motivator
‎08-03-2017 11:27 AM

try this

index=xx sourcetype=xxx earliest=-3d@d latest=now status="Never_Checked" OR status="No_Images" | table camera status

I hope status field got extracted from events.

0 Karma
Reply

sarahw3
Explorer
‎08-03-2017 11:36 AM

It is not showing any events. This could be because I have only put in up to April 2017 this year into splunk. Is there a way I can make it looks at the 3 days before the date that is selected?

0 Karma
Reply

sbbadri
Motivator
‎08-03-2017 01:16 PM

can you post one sample event

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...