Our company has multiple location globally and have scheduled maintenances on the weekends at specific details. Now we get an email regarding the scheduled maintenances.
Is it possible create a dashboard that has 2-3 panels that say "In-Progress" , "Upcoming" and "Completed".
The panels show what kind on maintenance it is , the ticket # , the contact person .
All scheduled maintenances show up under upcoming and as soon as the time hits for a specific one , that event moves automatically to progress panel and once its done it moves to completed.
wanted to see if this is possible and is yes , how and where to start ?
Start by creating a search that creates those fields and values (this should be reasonably straight-forward if you know your data). Then download the
Splunk 6.x Dashboard Examples app and learn how to do what you need to do there:
Suppose you do something like this...
index=servicefoo to track this stuff.
Add the events to the
index=servicefoo with fields...
_time Office Service Ticket EstimatedStartTime EstimatedFinishTime Status
Status on these records would be set to
scheduled, and would not change the basic functioning below.
_time would be set to the date/time they are added to the index.
The base search for the dashboard is ...
index=servicefoo | stats latest (*) as * by Ticket | where EstimatedStartTime < now()+86400 AND EstimatedFinishTime > Now()-86400 AND Status!="canceled"
The left pane filters...
EstimatedStartTime > now() AND status="scheduled"
The center pane filters...
((EstimatedStartTime <= now() AND EstimatedFinishTime >= Now()) AND status="scheduled") OR status="in progress" | eval Status=if(Status="scheduled,"scheduled-unconfirmed",Status)
The right pane filters...
(EstimatedFinishTime < Now() AND status="scheduled") OR status="completed" | eval Status=if(Status="scheduled,"scheduled-unconfirmed",Status)
This setup allows that even if you use the optional setup below, tickets will move automatically, unless you have actively confirmed that they are in progress and have not yet confirmed they are completed.
Ideally, you would have a way of confirming that the service had begun or been completed, and update the index with that information.
The update records would have three required fields -
Status. Statuses are "scheduled" "canceled" "in progress" and "completed".
You can add records at any time to update the estimated start and end as well.
In all cases, the values for all fields on most recent record for a Ticket override all prior values for those fields, leaving all unspecified values in place.
where are information about locations and scheduled maintenances?
Are these information updated (status, completion, etc...)?
If you have these information on a DB or as application log or an updated csv, you could read them and display in a dashboard, but the problem isn't how to display, the problem is where are data, how to access them, how to ingest them?
With the information you shared this is the only help I can give you.
Right now we get an email about it , but I can move it onto a csv file and use the lookups to show the data, but again is it possible to build the panels and they change the status from upcoming to in progress and then completed automatically?
dashboard panels can ben updated with a frequency you like, the problem is only to ingest data:
if you can ingest in Splunk updated data (e.g. structured emails), it's possible to disply updated status.
Just a sample this is what the data looks like :
Office Date Service Ticket Time
Boston Office : 8/25-26 IDF rm HVAC repl GCHG 164648 3AM-4AM
Chicago 2 Node : 8/25-27 UPS swbd PM GCHG 159846 7AM-9PM
Ridge Road : 8/26 UPS Syst No. B1 PM GCHG 162545 3AM-4AM
Rio de Janeiro Office : 8/26 IDF raised fl cleaning GCHG 163815 1PM- 9AM
I have it being displayed in a dashboard from a csv lookup. How to display them and automat them in a way that they all are in upcoming panel , and when 8/25 3AM hits the clock, the first service moves to the in progress panel. and finally to completed at 4AM.
also in case of similar timings like above 2 services for 3AM-4AM , but different offices, how to display both
you have to upload your csv in an index (e.g. maintenance) using csv field extraction and then use the table command, something like this
index=maintenance | table Office Date Service Ticket Time
To continously upload csv you can create an input and copy csv in the input folder, so Splunk index your csv every time you update it.
In upcoming you cold create a script that copies your csv file in a directory where there is an input.
For panels, you can put real time in time period but it's heavy for your system, otherwise you could automatically refresh your panels.