Dashboard

hj7654
New Member

Hello,

Working on a Splunk dashboard to pull specific data in return, and when exporting to an Excel sheet, it provides the needed data: a breakdown per user, per department, of avg memory usage per week of the end users. When you export the data to Excel, the information isn’t clean and doesn’t bring down everything. Looking for a better breakdown per user, per department, taking the avg of that user/machine for a week.

Here is the source code so far:

 

<form>
  <label>End User Computing - Desktop Dashboard Clone HJ</label>
  <fieldset submitButton="false" autoRun="false">
    <!-- Host selector: sets $hosttok$, which the panels below use as host=$hosttok$ -->
    <input type="dropdown" token="hosttok" searchWhenChanged="true">
      <label>Host Selector</label>
      <search>
        <query>| metadata type=hosts index=perfmon sourcetype="Perfmon:Process"    |table host Department |sort host</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="*">All</choice>
    </input>
    <!-- Time range shared by the panels that reference $TimerangePicker.earliest$ / $TimerangePicker.latest$ -->
    <input type="time" token="TimerangePicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Computer Information -Click "HostName" to launch LANDesk remote control via browser</title>
      <table>
        <search>
          <query>index=prd_win_domain_reports earliest=-24h sourcetype=DNS_Records_Info HostName="*"
|eval DeviceName=HostName
|join type=left DeviceName [search index=prd_dbx_ld_compsys sourcetype="dbmon:kv" earliest=-24h DeviceName="*"
|replace "saccap.int/Workstations/*" with "*" in ComputerLocation
|replace "CN=*" with "*" in PrimaryOwner
|replace "*,OU=Accounts,DC=saccap,DC=int" with "*" in PrimaryOwner
|rename ComputerLocation as OU
|eval LastUpdate=strftime(_time, "%Y-%m-%d %I:%M:%p")]
|rename DeviceName as host
|join type=left host [search index=* sourcetype="WMI:MemoryInfo" earliest=-24h host="*"
|dedup host DeviceLocator
|eval DIMM_GB=((Capacity/1024)/1024/1024)
|eventstats sum(DIMM_GB) AS Total  by host
|dedup host
|eval Total=round(Total)." GB"
|fillnull value="-"
|eval DIMM_GB=if(DIMM_GB="-","-",DIMM_GB." GB")
|transaction mvlist=true host
|rename Total as Memory
| eval Date=strftime(_time, "%Y-%m-%d")
| eval Time=strftime(_time, "%I:%M:%S:%p")]
|join type=left host [search index=* sourcetype=WMI:ProcessorInfo earliest=-24h host="*"
|eval hostsCPU=host.DeviceID
|dedup hostsCPU
|rename NumberOfCores as Cores
|rename MaxClockSpeed as ClockSpeed
|rename Name as Processor]
|join type=left host [search index=* sourcetype=WMI:Version earliest=-24h host="*"
|dedup host
|eval LastBootUpTime=replace(LastBootUpTime, "^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(.*)", "\2-\3-\1 \4:\5:\6")
|rename Caption as OperatingSystem
|rename LastBootUpTime as LastReboot]
|join type=left host [search index=* sourcetype="WMI:ComputerSystem" earliest=-24h host="*"]
|search host=$hosttok$
|table
HostName
LoginName
PrimaryOwner
OU
IPAddress
Model
SerialNum
ClockSpeed
Cores
Processor
Memory
ADAPTERSTRING
MEMORY
OperatingSystem
Version
LastReboot
LastUpdInvSvr
VALastScanDate</query>
          <earliest>@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">1</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
        <drilldown>
          <link target="_blank">https://$click.value$:4343/index.html</link>
        </drilldown>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>LANDesk Events</title>
      <table>
        <search>
          <query>index=ivanti_EPM  Changed_by="**" Type_of_Change="*" Message="***"
| eval Date=strftime(_time, "%Y-%m-%d")
| eval Time=strftime(_time, "%I:%M:%S:%p")
|rename Changed_on_machine as host
|search host=$hosttok$
| table
Date
Time
Changed_by
host
Type_of_Change
Item_name
|sort Date, Time</query>
          <earliest>$TimerangePicker.earliest$</earliest>
          <latest>$TimerangePicker.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>CPU Usage</title>
      <chart>
        <search>
          <query>index="perfmon" host=$hosttok$ object=Processor counter="% Processor Time" instance=_Total 
| timechart bins=1000 minspan=1m avg(Value) as "% Processor Time _Total Avg per Min" by Host</query>
          <earliest>$TimerangePicker.earliest$</earliest>
          <latest>$TimerangePicker.latest$</latest>
          <refresh>2m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">249</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>

    <panel>
      <title>Application Alerts</title>
      <chart>
        <search>
          <query>index=prd_win_wrk_app host=* (EventCode=1002 OR EventCode=1000)
|eval Date=strftime(_time, "%Y-%m-%d")
|eval Time=strftime(_time, "%I:%M:%p")
|eval Faulting_application_path=lower(Faulting_application_path)
|replace "c:\users\*\phprod.exe" with "PHPROD" in Faulting_application_path
|replace "c:\program files*\outlook.exe" with "Outlook" in Faulting_application_path
|replace "c:\program files*\winword.exe" with "Word" in Faulting_application_path
|replace "c:\program files*\excel.exe" with "Excel" in Faulting_application_path
|replace "c:\program files*\symphony.exe" with "Symphony" in Faulting_application_path
|replace "c:\firmapps*\dashboard.exe" with "Ops Dashboard" in Faulting_application_path
|replace "c:\program files (x86)*\ssms.exe" with "SQL Management Studio" in Faulting_application_path
|replace "c:\program files*\ciscojabber.exe" with "Jabber" in Faulting_application_path
|replace "c:\blp*" with "Bloomberg" in Faulting_application_path
|replace "c:\*neovest.exe" with "Neovest" in Faulting_application_path
|replace "c:\users*\ciscocollabhost.exe" with "Cisco Spark" in Faulting_application_path
|fillnull NA
|eval Application_Path=lower(Application_Path)
|replace "c:\users\*\phprod.exe" with "PHPROD" in Application_Path
|replace "c:\program files*\outlook.exe" with "Outlook" in Application_Path
|replace "c:\program files*\winword.exe" with "Word" in Application_Path
|replace "c:\program files*\excel.exe" with "Excel" in Application_Path
|replace "c:\program files*\symphony.exe" with "Symphony" in Application_Path
|replace "c:\firmapps*\dashboard.exe" with "Ops Dashboard" in Application_Path
|replace "c:\program files (x86)*\ssms.exe" with "SQL Management Studio" in Application_Path
|replace "c:\program files*\ciscojabber.exe" with "Jabber" in Application_Path
|replace "c:\blp*" with "Bloomberg" in Application_Path
|replace "c:\*neovest.exe" with "Neovest" in Application_Path
|replace "c:\users*\ciscocollabhost.exe" with "Cisco Spark" in Application_Path
|fillnull NA
|search Application_Path=Excel OR Faulting_application_path=Excel
OR Application_Path=Outlook OR Faulting_application_path=Outlook
OR Application_Path=Word OR Faulting_application_path=Word
OR Application_Path=Bloomberg OR Faulting_application_path=Bloomberg
OR Application_Path="Ops Dashboard" OR Faulting_application_path="Ops Dashboard"
OR Application_Path=Neovest OR Faulting_application_path=Neovest
|sort _time, limit=0
| where isnotnull(user)
| fillnull NA
| fields *
| stats  count(Faulting_application_path) AS count  BY Faulting_application_path
| sort Faulting_application_path</query>
          <earliest>@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>5m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.text">Count</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">1</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <drilldown>
          <link target="_blank">https://support.office.com/en-us/article/fixes-or-workarounds-for-recent-issues-in-outlook-for-windows-ecf61305-f84f-4e13-bb73-95a214ac1230?ui=en-US&amp;rs=en-US&amp;ad=US</link>
        </drilldown>
      </chart>
    </panel>

    <panel>
      <title>Memory Usage</title>
      <chart>
        <search>
          <query>index="perfmon" host=$hosttok$ object=Memory counter="Available MBytes"  instance=*| timechart bins=1000 minspan=1m avg(Value) as "Available MBytes Avg per Min" By Host</query>
          <earliest>$TimerangePicker.earliest$</earliest>
          <latest>$TimerangePicker.latest$</latest>
          <refresh>2m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <title>User Login Information - Last 7 days</title>
      <table>
        <search>
          <query>sourcetype=WinEventLog:Security (EventCode=4624 (Logon_Type=2 OR Logon_Type=10 OR Logon_Type=7)) OR EventCode=4801 OR EventCode=4803 AND dest_nt_domain=SACCAP host=$hosttok$
| eval Date=strftime(_time, "%Y-%m-%d")
| eval Time=strftime(_time, "%I:%M:%S:%p")
| sort _time limit=0
| dedup Date, user
| lookup AD_Account_Info.csv LogonName as Account_Name OUTPUT Name, Department, Office, FirstName, LastName
| replace "*.saccap.int" with "*" in ComputerName
| replace "*.saccap.int" with "*" in dest_nt_host
| eval Source=dest_nt_domain
| eval Country=Office
| table
Date
Time
ComputerName
user
FirstName
LastName
Department
Office
| sort -Date limit=0</query>
          <earliest>-7d@h</earliest>
        </search>
      </table>
    </panel>
  </row>
</form>



Thank you!
