Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display status in Dashboard based on values from multiple result rows?

worldexplorer81
Path Finder
‎03-31-2022 07:40 AM

Hi, 

I need to display an overall status in a dashboard (Single Value) based on results returned from my splunk queries. 

Example:

  • If all status OK - Overall status=OK
  • If  one or more status is Failed and all other are OK (i.e no Job in Pending) - Overall Status=Failure
  • If one or more status is in Failed and one or more is in Pending, Overall Status=Partial OK
  • If all are Pending - Overall status=Pending
Job Status
A OK
B OK
C Failed
D Pending

 

Any suggestions if the above is possible? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:41 AM

Hi @worldexplorer81,

in this case, you have to group events and check the condition, something like this:

your_search
| stats dc(status) AS dc_status values(status) AS status
| eval overallStatus=case(dc_status=1 AND status="OK","OK",dc_status=1 AND status="Pending","Pending",dc_status=1 AND status="Pending","Failure",dc_status>1 AND like(status,"%Failed%"),"Failure", dc_status>1 AND like(status,"%Failed%")AND like(status,"%Pending%"),"Partial OK")
| fields overallStatus

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

worldexplorer81
Path Finder
‎03-31-2022 08:13 AM

Hi @gcusello , 

The dashboard should only have 1 single value for Overall Status (either OK, Failure, Partial OK or Pending) depending on the different values of the field status returned from my search

 

  • If all status OK, then Overall status=OK
  • If  one or more status is Failed and all other are OK (i.e no Job in Pending) , then Overall Status=Failure
  • If one or more status is in Failed and one or more is in Pending, then Overall Status=Partial OK
  • If all are Pending, thenOverall status=Pending
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:41 AM

Hi @worldexplorer81,

in this case, you have to group events and check the condition, something like this:

your_search
| stats dc(status) AS dc_status values(status) AS status
| eval overallStatus=case(dc_status=1 AND status="OK","OK",dc_status=1 AND status="Pending","Pending",dc_status=1 AND status="Pending","Failure",dc_status>1 AND like(status,"%Failed%"),"Failure", dc_status>1 AND like(status,"%Failed%")AND like(status,"%Pending%"),"Partial OK")
| fields overallStatus

Ciao.

Giuseppe

Reply
Solved! Jump to solution

worldexplorer81
Path Finder
‎03-31-2022 08:57 AM

Thanks @gcusello - Will give it a try! 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 11:26 PM

Hi @worldexplorer81,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:06 AM

Hi @worldexplorer81,

let me understand: do youwant to create a dashboard with four Single values, each one displaying one value of your table, is it correct?

if thisis your need, youhave to create a Post Process Search in your dashboard and then in each Single Value Panel, put one value.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...