Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display status in Dashboard based on values from multiple result rows?

worldexplorer81
Path Finder
‎03-31-2022 07:40 AM

Hi, 

I need to display an overall status in a dashboard (Single Value) based on results returned from my splunk queries. 

Example:

  • If all status OK - Overall status=OK
  • If  one or more status is Failed and all other are OK (i.e no Job in Pending) - Overall Status=Failure
  • If one or more status is in Failed and one or more is in Pending, Overall Status=Partial OK
  • If all are Pending - Overall status=Pending
Job Status
A OK
B OK
C Failed
D Pending

 

Any suggestions if the above is possible? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:41 AM

Hi @worldexplorer81,

in this case, you have to group events and check the condition, something like this:

your_search
| stats dc(status) AS dc_status values(status) AS status
| eval overallStatus=case(dc_status=1 AND status="OK","OK",dc_status=1 AND status="Pending","Pending",dc_status=1 AND status="Pending","Failure",dc_status>1 AND like(status,"%Failed%"),"Failure", dc_status>1 AND like(status,"%Failed%")AND like(status,"%Pending%"),"Partial OK")
| fields overallStatus

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

worldexplorer81
Path Finder
‎03-31-2022 08:13 AM

Hi @gcusello , 

The dashboard should only have 1 single value for Overall Status (either OK, Failure, Partial OK or Pending) depending on the different values of the field status returned from my search

 

  • If all status OK, then Overall status=OK
  • If  one or more status is Failed and all other are OK (i.e no Job in Pending) , then Overall Status=Failure
  • If one or more status is in Failed and one or more is in Pending, then Overall Status=Partial OK
  • If all are Pending, thenOverall status=Pending
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:41 AM

Hi @worldexplorer81,

in this case, you have to group events and check the condition, something like this:

your_search
| stats dc(status) AS dc_status values(status) AS status
| eval overallStatus=case(dc_status=1 AND status="OK","OK",dc_status=1 AND status="Pending","Pending",dc_status=1 AND status="Pending","Failure",dc_status>1 AND like(status,"%Failed%"),"Failure", dc_status>1 AND like(status,"%Failed%")AND like(status,"%Pending%"),"Partial OK")
| fields overallStatus

Ciao.

Giuseppe

Reply
Solved! Jump to solution

worldexplorer81
Path Finder
‎03-31-2022 08:57 AM

Thanks @gcusello - Will give it a try! 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 11:26 PM

Hi @worldexplorer81,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:06 AM

Hi @worldexplorer81,

let me understand: do youwant to create a dashboard with four Single values, each one displaying one value of your table, is it correct?

if thisis your need, youhave to create a Post Process Search in your dashboard and then in each Single Value Panel, put one value.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...