- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to create a dashboard panel to show more than ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have got logs like below set which gives the VPN details like VPN_Name, Primary_Server, Secondary_Server and their status.
Log1:
</tr>
<tr>
<td ><b><font color=olive>INDIA</font></b></td>
<td >SNFGC_S_INDIA</td>
<td ><b><font color=green>gcgnamslap03p</font></b> # <b><font color=blue>gcgnamslap04p</font></b></td>
<td ><b><font color="green">UP</font></b>/<b><font color=blue>SB</font></b></td>
Log2:
</tr>
<tr>
<td ><b><font color=olive>CHINA</font></b></td>
<td >JBPMGC_S_CHINA</td>
<td ><b><font color=green>gcgnamslap03p</font></b> # <b><font color=blue>gcgnamslap04p</font></b></td>
<td ><b><font color="green">UP</font></b>/<b><font color=blue>SB</font></b></td>
Here I used the below query to extract the required fields:
... | rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>(?P<Region>[^\<]+)\<\/\w+\>\<\/b\>\<\/td\>"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>(?P<VPN_Name>[^\<]+)\<\/td\>"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>[^\<]+\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>(?P<Primary_Server>[^\<]+)\<\/\w+\>\<\/b\>\s"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>[^\<]+\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\s\#\s\<b\>\<\w+\s\w+\=\w+\>(?P<Secondary_Server>[^\<]+)\<\/\w+\>\<\/b\>\<\/td\>"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>[^\<]+\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\s\#\s\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\"\w+\"\>(?P<Status_Primary>[^\<]+)\<\/\w+\>\<\/b\>\/\<b\>\<\w+\s\w+\=\w+\>(?P<Status_Secondary>[^\<]+)\<\/\w+\>\<\/b\>\<\/td\>"
I want to create a panel to show the details of Status_Primary (like how many are UP and how many are DOWN). For that I used added the query "| stats count by Status_Primary" to the above query and created a pie chart out of it.
I also want to show in the same panel, which is the Primary_Server and which is the Secondary_Server. But I am not able to make a query to fill both data in the same panel.
Please help to create a query to fill both the Status details and Server details in the same panel. Your kind help is highly appreciated.
Thank you..!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval Status=mvappend("Primary_Server: ".Primary_Server."-".Status_Primary,"Secondary_Server: ".Secondary_Server."-".Status_Secondary)
| stats count by Status- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this help
| eval Status=mvappend("Primary_".Status_Primary,"Secondary_".Status_Secondary)
| stats count by Status- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer ,
Thank you for your inputs.
I tried to change the query as below to show both the server name and status.
| eval Status=mvappend("Primary_Server: ".Primary_Server.Status_Primary,"Secondary_Server: ".Secondary_Server.Status_Secondary)
| stats count by Status
And it gives the below table:
| Status | count |
| Primary_Server: gcgnamslap03pDOWN | 2 |
| Primary_Server: gcgnamslap03pUP | 117 |
| Secondary_Server: gcgnamslap04pDOWN | 2 |
| Secondary_Server: gcgnamslap04pSB | 117 |
I want to put a hyphen (-) between the server name and the status to make the field value more meaningful like below:
| Status | count |
| Primary_Server: gcgnamslap03p-DOWN | 2 |
| Primary_Server: gcgnamslap03p-UP | 117 |
| Secondary_Server: gcgnamslap04p-DOWN | 2 |
| Secondary_Server: gcgnamslap04p-SB | 117 |
Please help to modify my query to get the desired output.
Thank you..!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval Status=mvappend("Primary_Server: ".Primary_Server."-".Status_Primary,"Secondary_Server: ".Secondary_Server."-".Status_Secondary)
| stats count by Status- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer ,
Thank you very much for your inputs. I am now able to get the dashboard panel in the desired manner.
Your kind help is highly appreciated.
Thank You..!!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
