- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to create a dashboard panel to show more than ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have got logs like below set which gives the VPN details like VPN_Name, Primary_Server, Secondary_Server and their status.
Log1:
</tr>
<tr>
<td ><b><font color=olive>INDIA</font></b></td>
<td >SNFGC_S_INDIA</td>
<td ><b><font color=green>gcgnamslap03p</font></b> # <b><font color=blue>gcgnamslap04p</font></b></td>
<td ><b><font color="green">UP</font></b>/<b><font color=blue>SB</font></b></td>
Log2:
</tr>
<tr>
<td ><b><font color=olive>CHINA</font></b></td>
<td >JBPMGC_S_CHINA</td>
<td ><b><font color=green>gcgnamslap03p</font></b> # <b><font color=blue>gcgnamslap04p</font></b></td>
<td ><b><font color="green">UP</font></b>/<b><font color=blue>SB</font></b></td>
Here I used the below query to extract the required fields:
... | rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>(?P<Region>[^\<]+)\<\/\w+\>\<\/b\>\<\/td\>"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>(?P<VPN_Name>[^\<]+)\<\/td\>"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>[^\<]+\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>(?P<Primary_Server>[^\<]+)\<\/\w+\>\<\/b\>\s"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>[^\<]+\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\s\#\s\<b\>\<\w+\s\w+\=\w+\>(?P<Secondary_Server>[^\<]+)\<\/\w+\>\<\/b\>\<\/td\>"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>[^\<]+\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\s\#\s\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\"\w+\"\>(?P<Status_Primary>[^\<]+)\<\/\w+\>\<\/b\>\/\<b\>\<\w+\s\w+\=\w+\>(?P<Status_Secondary>[^\<]+)\<\/\w+\>\<\/b\>\<\/td\>"
I want to create a panel to show the details of Status_Primary (like how many are UP and how many are DOWN). For that I used added the query "| stats count by Status_Primary" to the above query and created a pie chart out of it.
I also want to show in the same panel, which is the Primary_Server and which is the Secondary_Server. But I am not able to make a query to fill both data in the same panel.
Please help to create a query to fill both the Status details and Server details in the same panel. Your kind help is highly appreciated.
Thank you..!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval Status=mvappend("Primary_Server: ".Primary_Server."-".Status_Primary,"Secondary_Server: ".Secondary_Server."-".Status_Secondary)
| stats count by Status- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this help
| eval Status=mvappend("Primary_".Status_Primary,"Secondary_".Status_Secondary)
| stats count by Status- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer ,
Thank you for your inputs.
I tried to change the query as below to show both the server name and status.
| eval Status=mvappend("Primary_Server: ".Primary_Server.Status_Primary,"Secondary_Server: ".Secondary_Server.Status_Secondary)
| stats count by Status
And it gives the below table:
| Status | count |
| Primary_Server: gcgnamslap03pDOWN | 2 |
| Primary_Server: gcgnamslap03pUP | 117 |
| Secondary_Server: gcgnamslap04pDOWN | 2 |
| Secondary_Server: gcgnamslap04pSB | 117 |
I want to put a hyphen (-) between the server name and the status to make the field value more meaningful like below:
| Status | count |
| Primary_Server: gcgnamslap03p-DOWN | 2 |
| Primary_Server: gcgnamslap03p-UP | 117 |
| Secondary_Server: gcgnamslap04p-DOWN | 2 |
| Secondary_Server: gcgnamslap04p-SB | 117 |
Please help to modify my query to get the desired output.
Thank you..!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval Status=mvappend("Primary_Server: ".Primary_Server."-".Status_Primary,"Secondary_Server: ".Secondary_Server."-".Status_Secondary)
| stats count by Status- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer ,
Thank you very much for your inputs. I am now able to get the dashboard panel in the desired manner.
Your kind help is highly appreciated.
Thank You..!!
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
