Hi,
I have a simple requirement where I have to render a green tick when the application is available and a red cross when it is not available. The corresponding Splunk query is:
* source="http://10.0.0.6/BI/" | eval Value = if(status_code=="404",0,1) | rangemap field=Value severe=0-0 low=1-100
The corresponding dashboard.css code is:
.single-value.severe{
background-repeat: no-repeat;
padding-left: 150px; /* Push the text over so that it doesn't sit on top of the image. Change this according to the dimensions of your image. */
padding-top: 160px;
height:48px;
/* Replace with your image: */
background-image: url('images/custom-icons/redCross.png'); /* See http://goo.gl/yxW7O */
}
.single-value.low{
background-repeat: no-repeat;
padding-left: 150px;
padding-top: 160px;
height:48px;
background-image: url('images/custom-icons/greenTick.png'); /* See http://goo.gl/v4V1A */
}
But when the image is rendered, the count (1 or 0) also appears along with the image.
I want to remove this count; how can I achieve this?
Thanks And Regards
Hitesh
Hi,
Thanks a lot for your help. Actually I have corrected this problem. The problem is even after writing fields - Value the result was displaying fields of wmi:service. So I just used eval Name = "" at the end of the query. So now only image is appearing in output.
Thanks
Hitesh
List the fields; e.g. | fields Host Percent will prevent count from showing.
Add the following to the end of your search:
| fields - count
Hi,
I tried this option but count is still appearing.
Best Regards
Hitesh
Did you mean a field called count or some other field with the count in it? Whatever field you don't want to show up, replace count in my suggestion with the name of that field.
I think it's the Value field, which evaluates to either 0 or 1. I tried fields - Value, but the number is still coming up there. It's not the count field. It's the Value field, which is used in the rangemap function.
-Hitesh
I did the following search and it worked the way you are expecting, with just the range column and not the Value column:
index=_internal
| table eventtype
| mvexpand eventtype
| dedup eventtype
| eval Value=if(eventtype!="splunkd-log",1,0)
| rangemap field=Value splunkdlog=0-0 other=1-100
| fields - Value
Does this work similarly for you?
No, it's not working that way. OK, I will provide some more details. Here is my Splunk query:
index="_internal" source="metrics.lo" group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | eval connectionType=case(fwdType=="uf","universal forwarder", fwdType=="lwf", "lightweight forwarder",fwdType=="full", "heavy forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","syslog")| eval build=if(isnull(build),"n/a",build) | eval version=if(isnull(version),"pre 4.2",version) | eval guid=if(isnull(guid),sourceHost,guid) | eval os=if(isnull(os),"n/a",os)| eval arch=if(isnull(arch),"n/a",arch) | fields connectionType sourceIp sourceHost sourcePort destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server build version os arch guid |stats latest(version) by sourceHost os connectionType arch|search sourceHost=$Host$|stats count|eval Value= if(count == 0, 0, 1)| rangemap field=Value severe=150-200 low=0-100 | fields - Value
I tried with both fields - count and fields - Value, but the number is still appearing. Is there any way I can hide this count from the dashboard XML? The corresponding entry in the XML is:
<single>
<title>Availability of $Host$</title>
<searchString>....</searchString>
<earliestTime>rt-60s</earliestTime>
<latestTime>rtnow</latestTime>
<option name="drilldown">none</option>
<option name="classField">range</option>
<option name="linkView">search</option>
</single>
Please help
I've tried my suggestion in both simple and advanced XML and it's working in both places - the Value column is not there and the range column is. I'm still not sure what's going on with yours.
Can you please do the following: Cut off your search string after the last stats count (before the eval Value clause) and post a sample table (columns and rows with values) that you get in response. Maybe that will point us the right way.
Even if I remove these fields, the name of the VM starts to appear; then if I write fields - sourceHost, the os name begins to appear, and so on. After removing all the fields, the Value field begins to appear once again, and it is not removed even after writing fields - Value.
I understand that in a normal query, if you write fields - Value then Value won't be there in the result. But the case is regarding this query. So I think the query needs to be changed. Please help me in correcting this query to remove the fields.
Moreover, I cannot remove the search clause as I have to check the availability of that VM.
One scenario at a time, please? Let's solve this one, and then ask your other one in a different question.
Anyways, I ran your search prior to the search sourceHost=$Host$ line, and I got a table with five columns: sourceHost, os, connectionType, arch and latest(version).
Doing the search sourceHost=$Host$ line will return the same table but listing only entries containing that host.
Doing stats count will return a table with just a count column and one row with the value representing the number of entries in the previous table.
Doing eval Value= if(count == 0, 0, 1) gets you a table with two columns, count and Value, and one row, with a number in count and either 1 or 0 in Value.
Doing rangemap field=Value severe=150-200 low=0-100 results in a table with count, Value and range columns, and one row. (Note, it makes no sense to do this. Value is always either 0 or 1. Doing a rangemap where low=0-100 will always get you low. I think you want to do the rangemap on count.)
Doing fields - Value count gets me just the range column, which I think is what you want. I made a simple dashboard with your search and a tweaked version of your CSS, and I got a green "low", shifted over with space for the background image (which I don't have). Worked with a 7-day regular search and a 30-min realtime search.
There's nothing special about the query you have posted. The 'fields -' clause works for me here, and it should work for you, too.
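Added example (not part of the thread and not Splunk code): a small Python model of the stages walked through in the answer above, using constructed rows and hypothetical host names. It shows that with severe=150-200 low=0-100 a host with no matching rows still maps to low, so the panel would show the green tick for an unavailable host, while the ranges from the original question (severe=0-0 low=1-100) map it to severe.

```python
# Added illustration: a minimal Python model of the SPL stages walked through
# above. It is not Splunk code; rows and host names below are constructed.

ROWS = [  # stand-in for the table after "stats latest(version) by ..."
    {"sourceHost": "vm-a", "os": "Windows", "connectionType": "universal forwarder",
     "arch": "x64", "latest(version)": "4.3"},
    {"sourceHost": "vm-b", "os": "Linux", "connectionType": "universal forwarder",
     "arch": "x64", "latest(version)": "4.3"},
]

def search(rows, **match):
    """search field=value: keep only rows whose fields equal the given values."""
    return [r for r in rows if all(r.get(k) == v for k, v in match.items())]

def stats_count(rows):
    """stats count: one row, one column, even when nothing matched (count=0)."""
    return [{"count": len(rows)}]

def eval_value(rows):
    """eval Value=if(count == 0, 0, 1)"""
    return [dict(r, Value=0 if r["count"] == 0 else 1) for r in rows]

def rangemap(rows, field, ranges, default="None"):
    """rangemap field=<field> name=lo-hi ...: add a 'range' column.
    Assumes non-overlapping ranges; unmatched values get the default name."""
    def name_for(v):
        return next((n for n, (lo, hi) in ranges.items() if lo <= v <= hi), default)
    return [dict(r, range=name_for(r[field])) for r in rows]

def fields_minus(rows, *drop):
    """fields - a b: remove the named columns."""
    return [{k: v for k, v in r.items() if k not in drop} for r in rows]

def availability(host, ranges):
    """Model of: search sourceHost=host | stats count | eval | rangemap | fields -"""
    table = eval_value(stats_count(search(ROWS, sourceHost=host)))
    return fields_minus(rangemap(table, "Value", ranges), "Value", "count")

AS_POSTED = {"severe": (150, 200), "low": (0, 100)}   # ranges in the long query
FROM_QUESTION = {"severe": (0, 0), "low": (1, 100)}   # ranges in the first query

if __name__ == "__main__":
    for host in ("vm-a", "vm-missing"):
        print(host, availability(host, AS_POSTED), availability(host, FROM_QUESTION))
```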
OK, Let me tell you another scenario.
Here is the splunk Query:
index = azuremetricservice source="wmi:service" Name="MSSQLSERVER" | eval State=State|eval Value =if(State=="Running",1,0) | rangemap field=Value severe=0-0 low=1-100
The output is an icon. Now, as soon as I make the above query execute in real time, the name MSSQLSERVER is getting displayed.
How is it possible that upon making the query real time the name is appearing?
-Hitesh