Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display status in Dashboard based on values from multiple result rows?

worldexplorer81
Path Finder
‎03-31-2022 07:40 AM

Hi, 

I need to display an overall status in a dashboard (Single Value) based on results returned from my splunk queries. 

Example:

  • If all status OK - Overall status=OK
  • If  one or more status is Failed and all other are OK (i.e no Job in Pending) - Overall Status=Failure
  • If one or more status is in Failed and one or more is in Pending, Overall Status=Partial OK
  • If all are Pending - Overall status=Pending
Job Status
A OK
B OK
C Failed
D Pending

 

Any suggestions if the above is possible? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:41 AM

Hi @worldexplorer81,

in this case, you have to group events and check the condition, something like this:

your_search
| stats dc(status) AS dc_status values(status) AS status
| eval overallStatus=case(dc_status=1 AND status="OK","OK",dc_status=1 AND status="Pending","Pending",dc_status=1 AND status="Pending","Failure",dc_status>1 AND like(status,"%Failed%"),"Failure", dc_status>1 AND like(status,"%Failed%")AND like(status,"%Pending%"),"Partial OK")
| fields overallStatus

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

worldexplorer81
Path Finder
‎03-31-2022 08:13 AM

Hi @gcusello , 

The dashboard should only have 1 single value for Overall Status (either OK, Failure, Partial OK or Pending) depending on the different values of the field status returned from my search

 

  • If all status OK, then Overall status=OK
  • If  one or more status is Failed and all other are OK (i.e no Job in Pending) , then Overall Status=Failure
  • If one or more status is in Failed and one or more is in Pending, then Overall Status=Partial OK
  • If all are Pending, thenOverall status=Pending
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:41 AM

Hi @worldexplorer81,

in this case, you have to group events and check the condition, something like this:

your_search
| stats dc(status) AS dc_status values(status) AS status
| eval overallStatus=case(dc_status=1 AND status="OK","OK",dc_status=1 AND status="Pending","Pending",dc_status=1 AND status="Pending","Failure",dc_status>1 AND like(status,"%Failed%"),"Failure", dc_status>1 AND like(status,"%Failed%")AND like(status,"%Pending%"),"Partial OK")
| fields overallStatus

Ciao.

Giuseppe

Reply
Solved! Jump to solution

worldexplorer81
Path Finder
‎03-31-2022 08:57 AM

Thanks @gcusello - Will give it a try! 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 11:26 PM

Hi @worldexplorer81,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 08:06 AM

Hi @worldexplorer81,

let me understand: do youwant to create a dashboard with four Single values, each one displaying one value of your table, is it correct?

if thisis your need, youhave to create a Post Process Search in your dashboard and then in each Single Value Panel, put one value.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...