Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display status in Dashboard based on values from multiple result rows?

worldexplorer81
Path Finder
‎03-31-2022 07:40 AM

Hi, 

I need to display an overall status in a dashboard (Single Value) based on results returned from my splunk queries. 

Example:

  • If all status OK - Overall status=OK
  • If  one or more status is Failed and all other are OK (i.e no Job in Pending) - Overall Status=Failure
  • If one or more status is in Failed and one or more is in Pending, Overall Status=Partial OK
  • If all are Pending - Overall status=Pending
Job Status
A OK
B OK
C Failed
D Pending

 

Any suggestions if the above is possible? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:41 AM

Hi @worldexplorer81,

in this case, you have to group events and check the condition, something like this:

your_search
| stats dc(status) AS dc_status values(status) AS status
| eval overallStatus=case(dc_status=1 AND status="OK","OK",dc_status=1 AND status="Pending","Pending",dc_status=1 AND status="Pending","Failure",dc_status>1 AND like(status,"%Failed%"),"Failure", dc_status>1 AND like(status,"%Failed%")AND like(status,"%Pending%"),"Partial OK")
| fields overallStatus

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

worldexplorer81
Path Finder
‎03-31-2022 08:13 AM

Hi @gcusello , 

The dashboard should only have 1 single value for Overall Status (either OK, Failure, Partial OK or Pending) depending on the different values of the field status returned from my search

 

  • If all status OK, then Overall status=OK
  • If  one or more status is Failed and all other are OK (i.e no Job in Pending) , then Overall Status=Failure
  • If one or more status is in Failed and one or more is in Pending, then Overall Status=Partial OK
  • If all are Pending, thenOverall status=Pending
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:41 AM

Hi @worldexplorer81,

in this case, you have to group events and check the condition, something like this:

your_search
| stats dc(status) AS dc_status values(status) AS status
| eval overallStatus=case(dc_status=1 AND status="OK","OK",dc_status=1 AND status="Pending","Pending",dc_status=1 AND status="Pending","Failure",dc_status>1 AND like(status,"%Failed%"),"Failure", dc_status>1 AND like(status,"%Failed%")AND like(status,"%Pending%"),"Partial OK")
| fields overallStatus

Ciao.

Giuseppe

Reply
Solved! Jump to solution

worldexplorer81
Path Finder
‎03-31-2022 08:57 AM

Thanks @gcusello - Will give it a try! 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 11:26 PM

Hi @worldexplorer81,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:06 AM

Hi @worldexplorer81,

let me understand: do youwant to create a dashboard with four Single values, each one displaying one value of your table, is it correct?

if thisis your need, youhave to create a Post Process Search in your dashboard and then in each Single Value Panel, put one value.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...