Dashboards & Visualizations

How to make the range values of gauges change dynamically based on the duration of the search in hours?

hettervik
Builder

Hi,

We're trying to create an interactive dashboard with gauges that dynamically change the range values depending on duration of the search in hours. We've used 10 as an upper limit for the green zone for a duration of one hour, which means that for e.g. 24 hours we want the upper limit for the green zone to be 240. The example search below shows how we imagine this could work, using the fictional hour(_time) command to count the hours of the duration of our search.

index=index1 eventtype=$field2$ status=404 | stats count as errorcount | stats count hour(_time) as hours | gauge errorcount 0 10*hours 20*hours

Obviously the search above doesn't work. Do any of you guys have a solution for this?

Thanks! Regards,
M&J

0 Karma
1 Solution

sundareshr
Legend

To get the value for hours, you could use ..| eval h=strftime(_time, "%-I") | eval high=trim(h)*20 and the set the value for the range in your dashboard, you can add the following to the simple xml

<option name="charting.chart.rangeValues">$field1$</option>

where $field1$ is a token that return the ranges like this [0,300,700,1000]

The other option is to look at the rangemap command

View solution in original post

0 Karma

sundareshr
Legend

To get the value for hours, you could use ..| eval h=strftime(_time, "%-I") | eval high=trim(h)*20 and the set the value for the range in your dashboard, you can add the following to the simple xml

<option name="charting.chart.rangeValues">$field1$</option>

where $field1$ is a token that return the ranges like this [0,300,700,1000]

The other option is to look at the rangemap command

0 Karma

hettervik
Builder

Thanks! Though, either I'm using your proposed search wrong, or this is not exactly what I'm looking for. I'm looking for a value that is obtained through something like hours=$latest$-$earliest$, if this makes sense?

I have a panel in a dashboard that gets its search range from a time picker on the dashboard. In this search I want to obtain/get the duration of the search range that is sat from the time picker on the dashboard.

0 Karma

sundareshr
Legend

Try this

| addinfo | eval d= info_max_time - info_min_time | table info_max_time , info_min_time d

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Addinfo

hettervik
Builder

That worked perfectly, thanks!

I noticed that the addinfo command add fields to all events in the search. Isn't this a bit resource demanding considering the information I want to extract? I'm not complaining though, this solution is fine by me.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...