Radio button with focus on specific servers (End of Life)

swengroeneveld
Explorer

Good morning to you all and happy Thursday!

I have a set of data called server_os which contains CentOS 5, CentOS 6 and CentOS 7.

As CentOS 5 is end of life, and CentOS 6 will be soon, I want to create a radio button for my analysts so that once they click on "EOL", as shown here, it shows specific data for those 2 (or more) servers in the graphs, tables etc. below.

swengroeneveld_0-1603974760032.png

Windows was easy because “server_os”=win 2008

What is the best way to get around this?

I’ve tried:

index=u* server_os=*
| eval EOL=case(match(server_os,"(?i)CentOS 4/5 or later \(64-bit\)"),1 ,match(server_os,"(?i)CentOS 6 \(64-bit\)"),1)
| search EOL=1 
| dedup host, server_os 
| rename server_os AS EOL
| table EOL

Just getting stuck so any ideas are welcome.

Note for Windows this worked:

swengroeneveld_1-1603974934020.png

Static does not seem to accept multiple values and adding another EOL underneath.
Note II: I adjusted the value to be nicer, as this was a test.

Thanks!

0 Karma
1 Solution

kennetkline
Path Finder

Simplifying a bit here versus what I have done in my environment to do basically the same thing.

My goal was to only have to edit a lookup as we find new OS variants or support changes; no editing dashboards or search code.

Write a search that identifies all the OSes in your environment and test it by tabling to a table.

Create an alert (only have to update if more than 1 result):

| inputlookup os_supported_lookup.csv
| append [  search  index=u* server_os=* 
	| stats count by server_os
	| rename server_os as os
	| table os ]
| stats values(supported) as supported by os
| eval supported=if(supported>0, 1, 0)
| table os, supported
| outputlookup os_supported_lookup.csv

I then use the lookup editor to edit/manage/update OSes as they end support. Also, any new OSes found automatically get added to the list.

Then you can set up your search filter to say all / EOL / whatever:
ALL=*
supported=1
eol=0

Set up the search:

index=u* server_os=*
| lookup os_supported_lookup.csv os AS server_os OUTPUT supported
| search supported=$supported$

0 Karma
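The radio filter and lookup-driven search from the answer above, put together as one Simple XML form. This is an added example, not code posted in the thread; the labels, panel title, time range and the final `stats` line are assumptions, while the index, field names, lookup file and token values come from the posts.

```xml
<form>
  <!-- Added example: labels, title and time range are assumed, not from the thread -->
  <label>Server OS support status</label>
  <fieldset submitButton="false">
    <!-- One radio input sets $supported$; EOL covers every OS flagged 0 in the lookup,
         so no per-OS static values are needed in the dashboard -->
    <input type="radio" token="supported" searchWhenChanged="true">
      <label>OS support status</label>
      <choice value="*">ALL</choice>
      <choice value="1">Supported</choice>
      <choice value="0">EOL</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Hosts by OS</title>
      <table>
        <search>
          <!-- lookup maps the event field server_os onto the lookup column os;
               search (not where) lets the ALL choice "*" act as a wildcard -->
          <query>index=u* server_os=*
| lookup os_supported_lookup.csv os AS server_os OUTPUT supported
| search supported=$supported$
| stats dc(host) AS hosts BY server_os, supported</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With this form, `search supported=*` matches only events for which the lookup returned a value, so an OS string that is missing from `os_supported_lookup.csv` does not appear under ALL until the lookup-building search has added it.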

swengroeneveld
Explorer

Excellent and simple solution, which I could have figured out as well. But I didn't! Thanks @kennetkline

0 Karma
