Dashboards & Visualizations

Need help to create dashboard

Mrig342
Contributor

Hi,

I need to create a dashboard panel merging two different search queries. I have below two queries:

  • index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" "Broker may not be available" | rex field=_raw "(?ms)]\s(?P<Code>\w+)\s\[" | search Code="WARN" | stats count | eval mwgcb-ckbla02U.nam.nsroot.net=if(count=0, "Running", "Down") | table mwgcb-ckbla02U.nam.nsroot.net

This give me the status of the  broker based on the availability of the indicator "Broker may not be available".

  • index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/zookeeperLogs/*" "java.net.SocketException: Broken pipe" OR "ZK Down" | rex field=_raw "(?ms)\]\s(?P<Code>\w+)\s" | search Code="WARN" | rex field=_raw "(?ms)\/(?P<IP_Address>(\d+\.){3}\d+)\:\d+" | stats count | eval mwgcb-ckbla02U.nam.nsroot.net=if(count=0, "Running", "Down") | table mwgcb-ckbla02U.nam.nsroot.net

This gives me the status of zookeeper based on the availability of the indicators "java.net.SocketException: Broken pipe" OR "ZK Down".

Now, I want to merge both the search queries such that I can get the status of both broker and zookeeper in a tabular format.

 

for e.g.  for the host mwgcb-ckbla02U.nam.nsroot.net

Broker             Down

Zookeeper    Running

 

I tried creating a query as below:

index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" OR source="/logs/confluent/zookeeperLogs/zookeeper.log" "Broker may not be available" OR "java.net.SocketException: Broken pipe" OR "ZK Down" | stats count by source | lookup component_lookup.csv "source" | eval Status=if(count=0, "Running", "Down")| table Component,Status

 

However in any time range where the indicators are not available, it throws output as "No results found" and hence not able to create the dashboard.

Please help to get the output in the desired manner. Thanks..!!

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" OR source="/logs/confluent/zookeeperLogs/zookeeper.log" "Broker may not be available" OR "java.net.SocketException: Broken pipe" OR "ZK Down" 
| stats count by source 
| append [| makeresults
  | eval source=split("/logs/confluent/kafkaLogs/server.log|/logs/confluent/zookeeperLogs/zookeeper.log","|")
  | mvexpand source
  | eval count=0
  | table count source]
| stats sum(count) as count by source
| lookup component_lookup.csv "source" 
| eval Status=if(count=0, "Running", "Down")
| table Component,Status

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" OR source="/logs/confluent/zookeeperLogs/zookeeper.log" "Broker may not be available" OR "java.net.SocketException: Broken pipe" OR "ZK Down" 
| stats count by source 
| append [| makeresults
  | eval source=split("/logs/confluent/kafkaLogs/server.log|/logs/confluent/zookeeperLogs/zookeeper.log","|")
  | mvexpand source
  | eval count=0
  | table count source]
| stats sum(count) as count by source
| lookup component_lookup.csv "source" 
| eval Status=if(count=0, "Running", "Down")
| table Component,Status

Mrig342
Contributor

Thank you ITWhisperer..!!

The query worked fine..

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...