
Need help to create dashboard



I need to create a dashboard panel merging two different search queries. I have the two queries below:

  • index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" "Broker may not be available" | rex field=_raw "(?ms)]\s(?P<Code>\w+)\s\[" | search Code="WARN" | stats count | eval mwgcb-ckbla02U.nam.nsroot.net=if(count=0, "Running", "Down") | table mwgcb-ckbla02U.nam.nsroot.net

This gives me the status of the broker based on the availability of the indicator "Broker may not be available".

  • index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/zookeeperLogs/*" "java.net.SocketException: Broken pipe" OR "ZK Down" | rex field=_raw "(?ms)\]\s(?P<Code>\w+)\s" | search Code="WARN" | rex field=_raw "(?ms)\/(?P<IP_Address>(\d+\.){3}\d+)\:\d+" | stats count | eval mwgcb-ckbla02U.nam.nsroot.net=if(count=0, "Running", "Down") | table mwgcb-ckbla02U.nam.nsroot.net

This gives me the status of zookeeper based on the availability of the indicators "java.net.SocketException: Broken pipe" OR "ZK Down".

Now, I want to merge both the search queries such that I can get the status of both broker and zookeeper in a tabular format.


For example, for the host mwgcb-ckbla02U.nam.nsroot.net:

Broker       Down
Zookeeper    Running


I tried creating a query as below:

index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" OR source="/logs/confluent/zookeeperLogs/zookeeper.log" "Broker may not be available" OR "java.net.SocketException: Broken pipe" OR "ZK Down" | stats count by source | lookup component_lookup.csv "source" | eval Status=if(count=0, "Running", "Down")| table Component,Status


However, in any time range where the indicators are not available, it returns "No results found", and hence I am not able to create the dashboard.

Please help to get the output in the desired manner. Thanks..!!

1 Solution

index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" OR source="/logs/confluent/zookeeperLogs/zookeeper.log" "Broker may not be available" OR "java.net.SocketException: Broken pipe" OR "ZK Down" 
| stats count by source 
| append [| makeresults
  | eval source=split("/logs/confluent/kafkaLogs/server.log|/logs/confluent/zookeeperLogs/zookeeper.log","|")
  | mvexpand source
  | eval count=0
  | table count source]
| stats sum(count) as count by source
| lookup component_lookup.csv "source" 
| eval Status=if(count=0, "Running", "Down")
| table Component,Status
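
A variant of the accepted query, added here as an example and not part of the original thread: it builds the zero-count baseline rows from component_lookup.csv instead of a hard-coded list, so every component in the lookup gets a row even when nothing matched. It assumes the lookup holds one row per monitored log file with the fields source and Component.

```spl
index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*"
    (source="/logs/confluent/kafkaLogs/server.log" OR source="/logs/confluent/zookeeperLogs/zookeeper.log")
    ("Broker may not be available" OR "java.net.SocketException: Broken pipe" OR "ZK Down")
| stats count by source
| append
    [| inputlookup component_lookup.csv
     | fields source
     | eval count=0]
| stats sum(count) as count by source
| lookup component_lookup.csv source OUTPUT Component
| eval Status=if(count=0, "Running", "Down")
| table Component, Status
```

With either form of the query, Status only reflects whether a matching line was indexed in the selected time range, so a host that has stopped sending logs altogether also shows as Running.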


Thank you ITWhisperer..!!

The query worked fine..
