How to add static data in graph with dynamic result

wcastillocruz
Path Finder

Hello dear community,

I absolutely need your help.
I have the following search, which allows me to perform an availability calculation.

index=index (severity=2 OR severity=0 OR severity="-1")
| eval ID=Env+"_"+Apps+"_"+Function+"_"+varname
| addinfo
| eval periode=info_max_time-info_min_time
| transaction ID startswith=(severity=2) maxevents=2
| eval start_time=mvindex(timestamp,0), end_time=mvindex(timestamp,1)
| stats sum(duration) AS duration_indispo by Function, periode
| eval Percent_Available = round((periode-duration_indispo)*100/periode,3)
| rename Function AS "Applications"
| fillnull value=100.00
| table Applications, Percent_Available

My search calculates the unavailability of each function (application). The problem is that I have a button to select the period (previous year, previous month, previous week, etc.). I have exactly 5 functions for which I want to calculate availability, but depending on the period chosen, it is possible that one or more applications do not return any result, and if I display the result on a graph, the applications without a result are not taken into account in my graph. How can I statically enter the names of my 5 functions and display the results dynamically if the result is not null, or display 100% if the result is null?
fillnull value=100.00 does not work in this case.

1 Solution

renjith_nair
SplunkTrust

You may use a lookup to define the desired functions and append to the existing result.

However, if the number of functions is small (5), then try this and replace Application 1 .. Application 5 with your application list,

i.e. eval Applications=" Add your application list "

index=index_sqlprod-itrs_toc (severity=2 OR severity=0 OR severity="-1")
| eval ID=Env+"_"+Apps+"_"+Function+"_"+varname
| addinfo
| eval periode=info_max_time-info_min_time
| transaction ID startswith=(severity=2) maxevents=2
| eval start_time=mvindex(timestamp,0), end_time=mvindex(timestamp,1)
| stats sum(duration) AS duration_indispo by Function, periode
| eval Percent_Available = round((periode-duration_indispo)*100/periode,3)
| rename Function AS "Applications"
| append [| stats count | eval Percent_Available=100 | eval Applications="Application 1,Application 2,Application 3,Application 4,Application 5" | makemv Applications delim="," | mvexpand Applications]
| stats min(Percent_Available) as Percent_Available by Applications
| table Applications, Percent_Available

Happy Splunking!

wcastillocruz
Path Finder

@renjith_nair

What lookup could I have used if I had a high number of applications, so as not to have to create them manually? Could you give me an example, please?


renjith_nair
SplunkTrust

Create a lookup with the header "Applications" and add all your applications under it.

Refer to it in the search:

your search
| eval Percent_Available = round((periode-duration_indispo)*100/periode,3)
| rename Function AS "Applications"
| inputlookup append=true applications.csv
| fillnull Percent_Available value=100
| stats min(Percent_Available) as Percent_Available by Applications

Happy Splunking!
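
An added example, not part of the original replies: one way to generate applications.csv from the indexed data instead of typing the names by hand. It assumes that the widest period offered by the dashboard (taken here to be the previous year up to now, an assumed window) contains at least one event for every function; the index name and severity filter are the ones from the question.

```spl
index=index (severity=2 OR severity=0 OR severity="-1") earliest=-1y@y latest=now
| stats count BY Function
| rename Function AS Applications
| fields Applications
| outputlookup applications.csv
```

Run it once, or on a schedule so that newly added functions are picked up; the availability search above then reads the file with inputlookup append=true.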

wcastillocruz
Path Finder

Hi @renjith_nair,
I added the following lines and it works:

|append [| makeresults 1 | eval liste="ICS SPEAKER BUS" |table liste ]
|append [| makeresults 1 | eval liste="ENREGISTREMENT TELEPHONIE" |table liste ]
|append [| makeresults 1 | eval liste="OTMS ALCATEL" |table liste]
|append [| makeresults 1 | eval liste="OXE WORLDWIDE" |table liste]

Thank you.
