Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display status in Dashboard based on values from multiple result rows?

worldexplorer81
Path Finder
‎03-31-2022 07:40 AM

Hi, 

I need to display an overall status in a dashboard (Single Value) based on results returned from my splunk queries. 

Example:

  • If all status OK - Overall status=OK
  • If  one or more status is Failed and all other are OK (i.e no Job in Pending) - Overall Status=Failure
  • If one or more status is in Failed and one or more is in Pending, Overall Status=Partial OK
  • If all are Pending - Overall status=Pending
Job Status
A OK
B OK
C Failed
D Pending

 

Any suggestions if the above is possible? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:41 AM

Hi @worldexplorer81,

in this case, you have to group events and check the condition, something like this:

your_search
| stats dc(status) AS dc_status values(status) AS status
| eval overallStatus=case(dc_status=1 AND status="OK","OK",dc_status=1 AND status="Pending","Pending",dc_status=1 AND status="Pending","Failure",dc_status>1 AND like(status,"%Failed%"),"Failure", dc_status>1 AND like(status,"%Failed%")AND like(status,"%Pending%"),"Partial OK")
| fields overallStatus

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

worldexplorer81
Path Finder
‎03-31-2022 08:13 AM

Hi @gcusello , 

The dashboard should only have 1 single value for Overall Status (either OK, Failure, Partial OK or Pending) depending on the different values of the field status returned from my search

 

  • If all status OK, then Overall status=OK
  • If  one or more status is Failed and all other are OK (i.e no Job in Pending) , then Overall Status=Failure
  • If one or more status is in Failed and one or more is in Pending, then Overall Status=Partial OK
  • If all are Pending, thenOverall status=Pending
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:41 AM

Hi @worldexplorer81,

in this case, you have to group events and check the condition, something like this:

your_search
| stats dc(status) AS dc_status values(status) AS status
| eval overallStatus=case(dc_status=1 AND status="OK","OK",dc_status=1 AND status="Pending","Pending",dc_status=1 AND status="Pending","Failure",dc_status>1 AND like(status,"%Failed%"),"Failure", dc_status>1 AND like(status,"%Failed%")AND like(status,"%Pending%"),"Partial OK")
| fields overallStatus

Ciao.

Giuseppe

Reply
Solved! Jump to solution

worldexplorer81
Path Finder
‎03-31-2022 08:57 AM

Thanks @gcusello - Will give it a try! 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 11:26 PM

Hi @worldexplorer81,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:06 AM

Hi @worldexplorer81,

let me understand: do youwant to create a dashboard with four Single values, each one displaying one value of your table, is it correct?

if thisis your need, youhave to create a Post Process Search in your dashboard and then in each Single Value Panel, put one value.

Ciao.

Giuseppe

 

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...
li.common.scroll-to.top