Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to display data on dashboard?

Renunaren
Loves-to-Learn Everything
‎04-12-2023 02:43 AM

Renunaren_0-1681292251218.png

I am working on a splunk xml dashboard where the above chart shows about the events that were in wait state, error state, running state, and success state. But we can see that the events which were in error state, the same jobs ran again and went into success state but we have a requirement in such a way that if the same job ran again for the same day and the job was successful then the event has to be cleared from the dashboard and the new data has to be refreshed.

Below is the one snippet which will show the events which were in waiting state and again those events went into successful as the same jobs has ran into success again.

Renunaren_1-1681292570276.png

below is the sample raw text of the events with the status of the jobs which were in waiting state.

{"timestamp": "2023-03-29T04:57:07.366881Z", "level": "INFO", "filename": "splunk_sample_csv.py", "funcName": "main", "lineno": 38, "message": "Dataframe row : {\"_c0\":{\"0\":\"{\",\"1\":\"    \\\"total\\\": 236\",\"2\":\"    \\\"statuses\\\": [\",\"3\":\"        {\",\"4\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"5\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"6\":\"            \\\"count\\\": 0\",\"7\":\"            \\\"name\\\": \\\"BHW_T8841_ANTRAG_RDV\\\"\",\"8\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqvp\\\"\",\"9\":\"        }\",\"10\":\"        {\",\"11\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"12\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"13\":\"            \\\"count\\\": 0\",\"14\":\"            \\\"name\\\": \\\"BHW_T8009_DATEN_EBIS_RDV\\\"\",\"15\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqvi\\\"\",\"16\":\"        }\",\"17\":\"        {\",\"18\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"19\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"20\":\"            \\\"count\\\": 0\",\"21\":\"            \\\"name\\\": \\\"BHW_T5895_AZV_DATEN_RDV\\\"\",\"22\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqvd\\\"\",\"23\":\"        }\",\"24\":\"        {\",\"25\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"26\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"27\":\"            \\\"count\\\": 0\",\"28\":\"            \\\"name\\\": \\\"BHW_T5829_SONDERTILGUNG_RDV\\\"\",\"29\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqv9\\\"\",\"30\":\"        }\",\"31\":\"        {\",\"32\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"33\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"34\":\"            \\\"count\\\": 0\",\"35\":\"            \\\"name\\\": \\\"BHW_T5152_PROLO_ZINSEN_RDV\\\"\",\"36\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqv6\\\"\",\"37\":\"        }\",\"38\":\"        {\",\"39\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"40\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"41\":\"            \\\"count\\\": 0\",\"42\":\"            \\\"name\\\": \\\"BHW_T5149_PROLO_KOND_RDV\\\"\",\"43\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqv1\\\"\",\"44\":\"        }\",\"45\":\"        {\",\"46\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"47\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"48\":\"            \\\"count\\\": 0\",\"49\":\"            \\\"name\\\": \\\"BHW_T5144_ZUT_SALDEN_RDV\\\"\",\"50\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqux\\\"\",\"51\":\"        }\",\"52\":\"        {\",\"53\":\"            \\\"

also we have extracted the job names and statuses of the events separately. 

The above jobs went into success after running again.

Please help us on this.

 

 

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-13-2023 11:38 AM

Just use "| dedup JobID"

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-12-2023 02:54 AM

It is often said that a picture paints a thousand words, but in this instance, a picture raises a thousand questions! Well, perhaps not a thousand. The point is, a picture of an event is virtually useless to us.

Does your event hold the status of one job or many?

Have you already extracted the job name and status, and what are the field names?

Can you share the event(s) in a code block </> so we can see and test with accurate representations of the data?

0 Karma
Reply

Renunaren
Loves-to-Learn Everything
‎04-12-2023 04:25 AM

Hi,

Thanks for your response. As mentioned by you below is the sample raw text of the events with the status of the jobs which were in waiting state.

{"timestamp": "2023-03-29T04:57:07.366881Z", "level": "INFO", "filename": "splunk_sample_csv.py", "funcName": "main", "lineno": 38, "message": "Dataframe row : {\"_c0\":{\"0\":\"{\",\"1\":\"    \\\"total\\\": 236\",\"2\":\"    \\\"statuses\\\": [\",\"3\":\"        {\",\"4\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"5\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"6\":\"            \\\"count\\\": 0\",\"7\":\"            \\\"name\\\": \\\"BHW_T8841_ANTRAG_RDV\\\"\",\"8\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqvp\\\"\",\"9\":\"        }\",\"10\":\"        {\",\"11\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"12\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"13\":\"            \\\"count\\\": 0\",\"14\":\"            \\\"name\\\": \\\"BHW_T8009_DATEN_EBIS_RDV\\\"\",\"15\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqvi\\\"\",\"16\":\"        }\",\"17\":\"        {\",\"18\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"19\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"20\":\"            \\\"count\\\": 0\",\"21\":\"            \\\"name\\\": \\\"BHW_T5895_AZV_DATEN_RDV\\\"\",\"22\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqvd\\\"\",\"23\":\"        }\",\"24\":\"        {\",\"25\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"26\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"27\":\"            \\\"count\\\": 0\",\"28\":\"            \\\"name\\\": \\\"BHW_T5829_SONDERTILGUNG_RDV\\\"\",\"29\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqv9\\\"\",\"30\":\"        }\",\"31\":\"        {\",\"32\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"33\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"34\":\"            \\\"count\\\": 0\",\"35\":\"            \\\"name\\\": \\\"BHW_T5152_PROLO_ZINSEN_RDV\\\"\",\"36\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqv6\\\"\",\"37\":\"        }\",\"38\":\"        {\",\"39\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"40\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"41\":\"            \\\"count\\\": 0\",\"42\":\"            \\\"name\\\": \\\"BHW_T5149_PROLO_KOND_RDV\\\"\",\"43\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqv1\\\"\",\"44\":\"        }\",\"45\":\"        {\",\"46\":\"            \\\"status\\\": \\\"Wait Condition\\\"\",\"47\":\"            \\\"Timestamp\\\": \\\"2023\\/03\\/22 17:26:40\\\"\",\"48\":\"            \\\"count\\\": 0\",\"49\":\"            \\\"name\\\": \\\"BHW_T5144_ZUT_SALDEN_RDV\\\"\",\"50\":\"            \\\"jobId\\\": \\\"LNDEV02:0dqux\\\"\",\"51\":\"        }\",\"52\":\"        {\",\"53\":\"            \\\"

also we have extracted the job names and statuses of the events separately. 

The above jobs went into success after running again.

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎04-12-2023 02:47 AM

Hi @Renunaren,

You can use the latest function to find the latest status of the jobs like below. If you can share your query we can help better.

| stats latest(status) as status by name
| stats count by status
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...