Is it possible to create a dashboard that has 2-3 panels that change in regard to progress status?

bharpur183
Explorer

Our company has multiple locations globally and has scheduled maintenances on the weekends at specific details. Now we get an email regarding the scheduled maintenances.

Is it possible to create a dashboard that has 2-3 panels that say "In-Progress", "Upcoming" and "Completed"?
The panels show what kind of maintenance it is, the ticket #, the contact person.
All scheduled maintenances show up under upcoming, and as soon as the time hits for a specific one, that event moves automatically to the progress panel, and once it's done it moves to completed.

Wanted to see if this is possible and, if yes, how and where to start?

0 Karma

woodcock
Esteemed Legend

Start by creating a search that creates those fields and values (this should be reasonably straight-forward if you know your data). Then download the Splunk 6.x Dashboard Examples app and learn how to do what you need to do there:
https://splunkbase.splunk.com/app/1603/

0 Karma

DalJeanis
Legend

Suppose you do something like this...

Create an index=servicefoo to track this stuff.

Add the events to the index=servicefoo with fields...

_time Office Service Ticket EstimatedStartTime EstimatedFinishTime Status

Status on these records would be set to scheduled, and would not change the basic functioning below. _time would be set to the date/time they are added to the index.

The base search for the dashboard is ...

index=servicefoo | stats latest(*) as * by Ticket | where EstimatedStartTime < now()+86400 AND EstimatedFinishTime > now()-86400 AND Status!="canceled"

The left pane filters...

| where EstimatedStartTime > now() AND Status="scheduled"

The center pane filters...

| where ((EstimatedStartTime <= now() AND EstimatedFinishTime >= now()) AND Status="scheduled")
OR Status="in progress"
| eval Status=if(Status="scheduled","scheduled-unconfirmed",Status)

The right pane filters...

| where (EstimatedFinishTime < now() AND Status="scheduled")
OR Status="completed"
| eval Status=if(Status="scheduled","scheduled-unconfirmed",Status)

This setup allows that even if you use the optional setup below, tickets will move automatically, unless you have actively confirmed that they are in progress and have not yet confirmed they are completed.


Ideally, you would have a way of confirming that the service had begun or been completed, and update the index with that information.

The update records would have three required fields: _time, Ticket and Status. Statuses are "scheduled", "canceled", "in progress" and "completed".

You can add records at any time to update the estimated start and end as well.

In all cases, the values for all fields on the most recent record for a Ticket override all prior values for those fields, leaving all unspecified values in place.

0 Karma
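
The three panes described in the answer above, wired into one Simple XML dashboard as post-process searches on a shared base search. This is an added example, not part of the original thread; it assumes EstimatedStartTime and EstimatedFinishTime are indexed as epoch seconds, and the 30-day lookback, one-minute refresh and displayed columns are illustrative choices.

```xml
<dashboard>
  <label>Scheduled Maintenance</label>
  <!-- Base search from the answer above. Assumes EstimatedStartTime and
       EstimatedFinishTime are epoch seconds so they compare with now().
       The 30-day lookback on index time is an assumed value. -->
  <search id="maint_base">
    <query>index=servicefoo
| stats latest(*) as * by Ticket
| where EstimatedStartTime &lt; now()+86400 AND EstimatedFinishTime &gt; now()-86400 AND Status!="canceled"</query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
    <!-- Re-run every minute so tickets change pane without a manual reload -->
    <refresh>1m</refresh>
    <refreshType>delay</refreshType>
  </search>
  <row>
    <panel>
      <title>Upcoming</title>
      <table>
        <search base="maint_base">
          <query>| where EstimatedStartTime &gt; now() AND Status="scheduled"
| table Office Service Ticket Status</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>In-Progress</title>
      <table>
        <search base="maint_base">
          <query>| where (EstimatedStartTime &lt;= now() AND EstimatedFinishTime &gt;= now() AND Status="scheduled") OR Status="in progress"
| eval Status=if(Status="scheduled","scheduled-unconfirmed",Status)
| table Office Service Ticket Status</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Completed</title>
      <table>
        <search base="maint_base">
          <query>| where (EstimatedFinishTime &lt; now() AND Status="scheduled") OR Status="completed"
| eval Status=if(Status="scheduled","scheduled-unconfirmed",Status)
| table Office Service Ticket Status</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```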

gcusello
SplunkTrust

Hi bharpur183,
where is the information about locations and scheduled maintenances?
Is this information updated (status, completion, etc.)?
If you have this information in a DB or as an application log or an updated csv, you could read it and display it in a dashboard, but the problem isn't how to display it; the problem is where the data is, how to access it, and how to ingest it.
With the information you shared this is the only help I can give you.
Bye.
Giuseppe

0 Karma

bharpur183
Explorer

Right now we get an email about it, but I can move it onto a csv file and use the lookups to show the data, but again, is it possible to build the panels so that they change the status from upcoming to in progress and then completed automatically?

0 Karma

gcusello
SplunkTrust

Hi bharpur183,
dashboard panels can be updated with a frequency you like; the problem is only to ingest data:
if you can ingest updated data into Splunk (e.g. structured emails), it's possible to display updated status.
Bye.
Giuseppe

0 Karma

bharpur183
Explorer

Thanks Giuseppe.

Just a sample; this is what the data looks like:
Office Date Service Ticket Time
Boston Office : 8/25-26 IDF rm HVAC repl GCHG 164648 3AM-4AM
Chicago 2 Node : 8/25-27 UPS swbd PM GCHG 159846 7AM-9PM
Ridge Road : 8/26 UPS Syst No. B1 PM GCHG 162545 3AM-4AM
Rio de Janeiro Office : 8/26 IDF raised fl cleaning GCHG 163815 1PM- 9AM

I have it being displayed in a dashboard from a csv lookup. How to display them and automate them in a way that they are all in the upcoming panel, and when 8/25 3AM hits the clock, the first service moves to the in progress panel, and finally to completed at 4AM?

Also, in case of similar timings, like the above 2 services for 3AM-4AM but different offices, how to display both?

0 Karma

gcusello
SplunkTrust

Hi bharpur183,
you have to upload your csv in an index (e.g. maintenance) using csv field extraction and then use the table command, something like this

index=maintenance
| table Office Date Service Ticket Time

To continuously upload the csv you can create an input and copy the csv into the input folder, so Splunk indexes your csv every time you update it.
Bye.
Giuseppe

0 Karma

bharpur183
Explorer

How about automating them in the upcoming, in progress and completed panels?

0 Karma

gcusello
SplunkTrust

In upcoming you could create a script that copies your csv file into a directory where there is an input.
For panels, you can put real time in the time period, but it's heavy for your system; otherwise you could automatically refresh your panels.
Bye.
Giuseppe

0 Karma