Solved: Dashboard to show process is "UP" or "DOWN"

dperry · ‎06-20-2018

I want to create a dashboard that simply reports a specific process is UP or DOWN. Preferable one that shows ON (GREEN) or OFF (Red).

this is my search:

Process is ON
index=myindex sourcetype=mysourcetype host=myhost type=process_monitor process=Myprocess status=True

Process is DOWN
index=myindex sourcetype=mysourcetype host=myhost type=process_monitor process=Myprocess status=False

the search is run every 5 minutes I want the dashboard to be in realtime.....

renjith_nair · ‎06-23-2018

Hi @dperry,

Try this and adjust your base search accordingly

  <row>
    <panel>
      <single>
        <search>
          <query>index=myindex sourcetype=mysourcetype host=myhost type=process_monitor process=Myprocess status=*
                |eval my_status=if(status=="True","On","Off")
                |eval range=if(status=="True","low","severe")</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="field">range</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

niketn · ‎06-25-2018

@dperry, I feel Status Indicator Custom Visualization to show Icon/Color and Status of process. Refer to one of my older answer with a run anywhere search: https://answers.splunk.com/answers/547381/dashboard-on-off-status.html

If you are on 6.6 or higher Single Value and Status Indicator will both support Trellis Layout so that you can show multiple process status with a single query. Refer to the following answer with Trellis option: https://answers.splunk.com/answers/590581/refresh-data-in-table-by-collecting-token-on-click.html

PS: Most Custom Visualizations do not support Drilldown out of the box, hence jQuery or manual enablement of Drilldown through Visualization code would be required. jQuery drilldown example has been provided in answer above.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dsmith1988 · ‎06-22-2020

I know this an old thread, but It fits my needs perfectly. Is there a way to make the indication show the name of the field and an icon, or will this only display numbers and icons as mentioned earlier in the message?

niketn · ‎06-22-2020

@dsmith1988 with Status Indicator custom viz. you can definitely use text as well. Refer to one of my older answers: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-build-a-dashboard-with-single-panel...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dsmith1988 · ‎06-23-2020

Okay, so what I am trying to do is website monitoring. I have the faliure color and icon working correctly. What I am trying to do is get the site name to appear as the text inside the status box. I am not wanting that value to determine the colors. I will then grow this to include that site name as a drilldown from the status indicator.

Thank you!!

niketn · ‎06-23-2020

Yes that is possible. You need following fields

field for label
field for icon
field for color
by aggregation field

You can create label same as aggregation field by using eval before the aggregating/transforming command.

In your case

Site Name
Failure or Success Icon
Failure or Success color
Site Name as aggregation

For example:

| eval label=host
| stats last(label) as label last(icon) as icon last(color) as color last(cpu) as cpu by host

Then you can create Trellis layout to access host name during drilldown using $trellis.value$.

Also refer to another answer where I have used table with multi-value cells to create Tiles and then created drilldown for displaying more than 20 rows as Trellis introduces pagination.https://community.splunk.com/t5/Dashboards-Visualizations/Is-there-a-way-to-display-more-than-20-cha...

Do upvote the comment and answer if they helped you 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dsmith1988 · ‎06-25-2020

I think I can get this to work based on your comment. It does look like the JSON we are getting fron cloudwatch synthetics needs to be addressed. The raw data is vvery limited.

Thank you again for the help. Very much appreciated.

Sukisen1981 · ‎06-23-2018

Hi,
I guess you are looking for some pointers here. What I would do is start with three basic panels.
1-Process is ON
index=myindex sourcetype=mysourcetype host=myhost type=process_monitor process=Myprocess status=True
Allow user to select process (Myprocess) through a drop down filter, default view to be set for all status=True processes.
2-Process is DOWN
index=myindex sourcetype=mysourcetype host=myhost type=process_monitor process=Myprocess status=False
Allow user to select process (Myprocess) through a drop down filter, default view to be set for all status=False processes.
3- All processes, exclude status in the base search code
index=myindex sourcetype=mysourcetype host=myhost type=process_monitor process=Myprocess
Allow user to select process (Myprocess) through a drop down filter AND also a drop down for the status, default view to be set for all processes.
Now, based on these 3 basic searches you can build a lot of panels. For example,I can display a pie chart to show overall percentage distribution based on the status field values.
To color your dashboards, you have 2 options -
One is editing the simple XML and the default coloring options in the panel based on your splunk versions
For example, in the 3 panel , which lists all processes , if I wish to colour the status feild green or red , I would use something like

{"False" :#FF7F50,"True" :#8ba649}

If you do have access to the CSS/Js you can look and need more coloring options than available in the default panels and simple xml you can refer these excellent links
https://answers.splunk.com/answers/482083/how-to-customize-my-dashboard-with-custom-color-an.html
and this app which really helps a lot in having advanced coloring and visulizations
https://splunkbase.splunk.com/app/1603/

renjith_nair · ‎06-23-2018

Hi @dperry,

Try this and adjust your base search accordingly

  <row>
    <panel>
      <single>
        <search>
          <query>index=myindex sourcetype=mysourcetype host=myhost type=process_monitor process=Myprocess status=*
                |eval my_status=if(status=="True","On","Off")
                |eval range=if(status=="True","low","severe")</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="field">range</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>

---
What goes around comes around. If it helps, hit it with Karma 🙂

abhishek25 · ‎11-01-2018

Hi renjith,
I am creating a dashboard based on the above code to monitor a java process on a remote windows server.
I have created a new index "dev_pid" where i want the results to be stored.
The output is showing no results found.

Process_Id_Dashboard

index=dev_pid host=IT00T437 type=process_monitor process=Java(TM) Platform SE binary status=*
|eval my_status=if(status=="True","On","Off")
|eval range=if(status=="True","low","severe")
-24h
now
1

value
none
none
range
0
["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]
[0,30,70,100]
1
1
0
1
medium
standard
absolute
after
0
1

It would be nice if you can help.

Thanks.

renjith_nair · ‎06-25-2018

Hi @dperry,
Did this work for you ?

---
What goes around comes around. If it helps, hit it with Karma 🙂

dperry · ‎06-25-2018

Hi renjith.nair....this works great....I have a question thugh...how would I make only two ranges.....

True would output ONHOST (in green) and False output OFFHOST (RED)

renjith_nair · ‎06-25-2018

Are these not displaying correctly now? I mean green & red for on and off?

---
What goes around comes around. If it helps, hit it with Karma 🙂

Dashboard to show process is "UP" or "DOWN"

panel

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...