Dashboards & Visualizations

Show status for multiple panels

myoung54
Explorer

Hey all,
So I have a dashboard I created with the status of multiple different processes. Each panel shows a check-circle and then changes color based on the status (Good=Green, Degraded=Yellow, Outage=Red). Everything is working well, but the next thing I would like to add is a panel at the top of the page (that is also centered in the middle of the screen) that shows the overall status of all the panels. So for an example, if I have 5 panels, and 4 of them are showing "Outage", then at the top of the page you would see something like "Status" and it would be the color red. Or if I have 5 panels and 5 of them were showing "Good", then at the top of the page you would see "Status" but it would be the color green.

Is something like this possible?

<form>
  <label>At-a-Glance/SPOG Dashboard Test</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-1m@m</earliest>
        <latest>@m</latest>
      </default>
    </input>
    <input type="dropdown" token="span" searchWhenChanged="true">
      <label>Span</label>
      <choice value="1s">1s</choice>
      <choice value="5s">5s</choice>
      <choice value="10s">10s</choice>
      <choice value="15s">15s</choice>
      <choice value="1m">1m</choice>
      <choice value="5m">5m</choice>
      <choice value="10m">10m</choice>
      <choice value="15m">15m</choice>
      <default>1m</default>
      <initialValue>1m</initialValue>
    </input>
  </fieldset>
  <row>
    <panel id="mode10aag">
      <title>Mode 10</title>
      <html depends="$alwaysHideCSS$">
         <style>
      #mode10aag{
         width:230px !important;
      }

         </style>
       </html>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>
| eval Warning=case(TotalRate<10,"Outage", TotalRate>10 AND TotalRate<27,"Degraded", TotalRate>27,"Good")
| eval Status= case(TotalRate<10,"check-circle", TotalRate>10 AND TotalRate<27,"check-circle", TotalRate>27,"check-circle")
| eval color=case(TotalRate<10,"#FF0000", TotalRate>10 AND TotalRate<27,"#ffff00", TotalRate>27,"#65a637")
| table icon Status color Warning TotalRate _time</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
    <panel id="logintimesaag">
      <title>Login Times</title>
      <html depends="$alwaysHideCSS$">
         <style>
      #logintimesaag{
         width:230px !important;

      }
         </style>
       </html>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>
| eval Warning=case(TotalRate>5,"Outage", TotalRate>1 AND TotalRate<5,"Degraded", TotalRate<1,"Good")
| eval Status= case(TotalRate>5,"check-circle", TotalRate>1 AND TotalRate<5,"check-circle", TotalRate<1,"check-circle")
| eval color=case(TotalRate>5,"#FF0000", TotalRate>1 AND TotalRate<5,"#ffff00", TotalRate<1,"#65a637")
| table icon Status color Warning TotalRate _time</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
    </row>
    </form>
0 Karma
1 Solution

niketn
Legend

@myoung54 you can use <done> and <progress> search event handler to use predefined token $result.yourFieldName$ to access search result and assign token to be used in Overall Status panel. Refer to one of my older answer to understand similar use case: https://answers.splunk.com/answers/580233/use-values-from-two-panels-in-a-third-panel.html

Following is an example based on your question and information provided (Since you had not described all Overall SLA calculation logic, I have built my own which you need to adjust as per your needs).

alt text

Following is the complete Simple XML Dashboard code:

<form>
  <label>Status Indicator Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-1m@m</earliest>
        <latest>@m</latest>
      </default>
    </input>
    <input type="dropdown" token="span" searchWhenChanged="true">
      <label>Span</label>
      <choice value="1s">1s</choice>
      <choice value="5s">5s</choice>
      <choice value="10s">10s</choice>
      <choice value="15s">15s</choice>
      <choice value="1m">1m</choice>
      <choice value="5m">5m</choice>
      <choice value="10m">10m</choice>
      <choice value="15m">15m</choice>
      <default>1m</default>
      <initialValue>1m</initialValue>
    </input>
  </fieldset>
  <!-- Hidden Section for CSS Style Override in the Dashboard -->
  <row depends="$alwaysHideCSS$">
    <panel>
      <html>
        <style>
          div[id^="mode10aag"]{
            width:16.66% !important;
          }
          div[id^="logintimesaag"]{
            width:16.66% !important;
          }
          h2.panel-title{
            text-align:center !important;
          }
          #overallstatus h2.panel-title{
            font-weight:bold !important;
          }
          #overallstatus h2.panel-title{
            color: white !important;
          }
          #overallstatus h2.panel-title{
            background-color: $tokOverallColor$ !important;
          }
          #overallstatus{
            width:16.66% !important;
          }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel id="mode10aag1">
      <title>Mode 1</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <done>
            <set token="tokModSLA1">$result.SLA$</set>
          </done>
          <query>| makeresults
| fields - _time
| eval TotalRate=random()
| eval TotalRate=substr(TotalRate,1,2)
| eval field="Mode"
| eval SLA=case(TotalRate<=10,"Outage", TotalRate>10 AND TotalRate<=27,"Degraded", TotalRate>27,"Good", true(),"Unknown")
| eval Status=case(TotalRate<=10,"times-circle", TotalRate>10 AND TotalRate<=27,"info-circle", TotalRate>27,"check-circle", true(),"exclaimation-triangle")
| eval color=case(TotalRate<=10,"#FF0000", TotalRate>10 AND TotalRate<=27,"#f8be34", TotalRate>27,"#65a637", true(),"#333")
| table field Status color SLA TotalRate</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
    <panel id="logintimesaag1">
      <title>Login 1</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <done>
            <set token="tokLoginSLA1">$result.SLA$</set>
          </done>
          <query>| makeresults
| fields - _time
| eval TotalRate=random()
| eval TotalRate=substr(TotalRate,1,2)
| eval field="Login"
| eval SLA=case(TotalRate>5,"Outage", TotalRate>1 AND TotalRate<=5,"Degraded", TotalRate<=1,"Good", true(),"Unknown") 
| eval Status= case(TotalRate>5,"times-circle", TotalRate>1 AND TotalRate<=5,"info-circle", TotalRate<=1,"check-circle", true(),"exclaimation-triangle")
| eval color=case(TotalRate>5,"#FF0000", TotalRate>1 AND TotalRate<=5,"#f8be34", TotalRate<=1,"#65a637", true(),"#333") 
| table field Status color SLA TotalRate</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
    <panel id="mode10aag2">
      <title>Mode 2</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <done>
            <set token="tokModSLA2">$result.SLA$</set>
          </done>
          <query>| makeresults
| fields - _time
| eval TotalRate=random()
| eval TotalRate=substr(TotalRate,1,2)
| eval field="Mode"
| eval SLA=case(TotalRate<=10,"Outage", TotalRate>10 AND TotalRate<=27,"Degraded", TotalRate>27,"Good", true(),"Unknown")
| eval Status= case(TotalRate<=10,"times-circle", TotalRate>10 AND TotalRate<=27,"info-circle", TotalRate>27,"check-circle", true(),"exclaimation-triangle")
| eval color=case(TotalRate<=10,"#FF0000", TotalRate>10 AND TotalRate<=27,"#f8be34", TotalRate>27,"#65a637", true(),"#333")
| table field Status color SLA TotalRate</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
    <panel id="logintimesaag2">
      <title>Login 2</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <done>
            <set token="tokLoginSLA2">$result.SLA$</set>
          </done>
          <query>| makeresults
| fields - _time
| eval TotalRate=random()
| eval TotalRate=substr(TotalRate,1,2)
| eval field="Login"
| eval SLA=case(TotalRate>5,"Outage", TotalRate>1 AND TotalRate<=5,"Degraded", TotalRate<=1,"Good", true(),"Unknown") 
| eval Status= case(TotalRate>5,"times-circle", TotalRate>1 AND TotalRate<=5,"info-circle", TotalRate<=1,"check-circle", true(),"exclaimation-triangle")
| eval color=case(TotalRate>5,"#FF0000", TotalRate>1 AND TotalRate<=5,"#f8be34", TotalRate<=1,"#65a637", true(),"#333") 
| table field Status color SLA TotalRate</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
    <panel id="mode10aag3">
      <title>Mode 3</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <done>
            <set token="tokModSLA3">$result.SLA$</set>
          </done>
          <query>| makeresults
| fields - _time
| eval TotalRate=random()
| eval TotalRate=substr(TotalRate,1,2)
| eval field="Mode"
| eval SLA=case(TotalRate<=10,"Outage", TotalRate>10 AND TotalRate<=27,"Degraded", TotalRate>27,"Good", true(),"Unknown")
| eval Status= case(TotalRate<=10,"times-circle", TotalRate>10 AND TotalRate<=27,"info-circle", TotalRate>27,"check-circle", true(),"exclaimation-triangle")
| eval color=case(TotalRate<=10,"#FF0000", TotalRate>10 AND TotalRate<=27,"#f8be34", TotalRate>27,"#65a637", true(),"#333")
| table field Status color SLA TotalRate</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
    <panel id="overallstatus">
      <title>Overall Status</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>| makeresults
| fields - _time
| eval ModSLA1="$tokModSLA1$",
       ModSLA2="$tokModSLA2$",
       ModSLA3="$tokModSLA3$",
       LoginSLA1="$tokLoginSLA1$",
       LoginSLA2="$tokLoginSLA2$"
| transpose column_name="FieldName" 
| rename "row 1" as "SLA" 
| stats count by SLA 
| append 
    [| makeresults 
    | fields - _time 
    | eval SLA="Outage,Degraded,Good,Unknown", count=0 
    | makemv SLA delim="," 
    | mvexpand SLA]
| dedup SLA
| transpose header_field="SLA" column_name="SLA"
| search SLA!="_*"
| eval OverallSLA=case(Outage>0 AND Outage>=Degraded AND Outage+Degraded>=Good,"Outage",
    Degraded>0 AND Degraded>=Good AND Outage+Degraded>=Good,"Degraded",
    Good>0,"Good",
    true(),"Unknown") 
| eval Status= case(OverallSLA=="Outage","times-circle", OverallSLA=="Degraded","info-circle", OverallSLA=="Good","check-circle", true(),"exclaimation-triangle") 
| eval color=case(OverallSLA=="Outage","#FF0000", OverallSLA=="Degraded","#f8be34", OverallSLA=="Good","#65a637", true(),"#333") 
| fields OverallSLA Status color</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <set token="tokOverallColor">$result.color$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
  </row>
</form>

PS: I have done some some changes to your SPL and dashboard.

  1. You can have single CSS Override section in your dashboard instead of multiple.
  2. You can give generic CSS selector. I have used div id starts with CSS selector i.e. ( div [id^="yourpartialstatingid"])
  3. Handling default match for Status case as Unknown and adding equal to match for one of the boundaries.
  4. Instead of Null field icon use specific field based on type of panel.
  5. Changes icon for Status Indicator as per SLA as well.
  6. Logic for Overall SLA based on combinations of Outage, Degraded, Good and Unknown.
  7. Unknown section has been declared in each case section (it is good to have) but may never be used (I used this to identify you were missing equal to condition match in your case).
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@myoung54 you can use <done> and <progress> search event handler to use predefined token $result.yourFieldName$ to access search result and assign token to be used in Overall Status panel. Refer to one of my older answer to understand similar use case: https://answers.splunk.com/answers/580233/use-values-from-two-panels-in-a-third-panel.html

Following is an example based on your question and information provided (Since you had not described all Overall SLA calculation logic, I have built my own which you need to adjust as per your needs).

alt text

Following is the complete Simple XML Dashboard code:

<form>
  <label>Status Indicator Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-1m@m</earliest>
        <latest>@m</latest>
      </default>
    </input>
    <input type="dropdown" token="span" searchWhenChanged="true">
      <label>Span</label>
      <choice value="1s">1s</choice>
      <choice value="5s">5s</choice>
      <choice value="10s">10s</choice>
      <choice value="15s">15s</choice>
      <choice value="1m">1m</choice>
      <choice value="5m">5m</choice>
      <choice value="10m">10m</choice>
      <choice value="15m">15m</choice>
      <default>1m</default>
      <initialValue>1m</initialValue>
    </input>
  </fieldset>
  <!-- Hidden Section for CSS Style Override in the Dashboard -->
  <row depends="$alwaysHideCSS$">
    <panel>
      <html>
        <style>
          div[id^="mode10aag"]{
            width:16.66% !important;
          }
          div[id^="logintimesaag"]{
            width:16.66% !important;
          }
          h2.panel-title{
            text-align:center !important;
          }
          #overallstatus h2.panel-title{
            font-weight:bold !important;
          }
          #overallstatus h2.panel-title{
            color: white !important;
          }
          #overallstatus h2.panel-title{
            background-color: $tokOverallColor$ !important;
          }
          #overallstatus{
            width:16.66% !important;
          }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel id="mode10aag1">
      <title>Mode 1</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <done>
            <set token="tokModSLA1">$result.SLA$</set>
          </done>
          <query>| makeresults
| fields - _time
| eval TotalRate=random()
| eval TotalRate=substr(TotalRate,1,2)
| eval field="Mode"
| eval SLA=case(TotalRate<=10,"Outage", TotalRate>10 AND TotalRate<=27,"Degraded", TotalRate>27,"Good", true(),"Unknown")
| eval Status=case(TotalRate<=10,"times-circle", TotalRate>10 AND TotalRate<=27,"info-circle", TotalRate>27,"check-circle", true(),"exclaimation-triangle")
| eval color=case(TotalRate<=10,"#FF0000", TotalRate>10 AND TotalRate<=27,"#f8be34", TotalRate>27,"#65a637", true(),"#333")
| table field Status color SLA TotalRate</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
    <panel id="logintimesaag1">
      <title>Login 1</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <done>
            <set token="tokLoginSLA1">$result.SLA$</set>
          </done>
          <query>| makeresults
| fields - _time
| eval TotalRate=random()
| eval TotalRate=substr(TotalRate,1,2)
| eval field="Login"
| eval SLA=case(TotalRate>5,"Outage", TotalRate>1 AND TotalRate<=5,"Degraded", TotalRate<=1,"Good", true(),"Unknown") 
| eval Status= case(TotalRate>5,"times-circle", TotalRate>1 AND TotalRate<=5,"info-circle", TotalRate<=1,"check-circle", true(),"exclaimation-triangle")
| eval color=case(TotalRate>5,"#FF0000", TotalRate>1 AND TotalRate<=5,"#f8be34", TotalRate<=1,"#65a637", true(),"#333") 
| table field Status color SLA TotalRate</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
    <panel id="mode10aag2">
      <title>Mode 2</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <done>
            <set token="tokModSLA2">$result.SLA$</set>
          </done>
          <query>| makeresults
| fields - _time
| eval TotalRate=random()
| eval TotalRate=substr(TotalRate,1,2)
| eval field="Mode"
| eval SLA=case(TotalRate<=10,"Outage", TotalRate>10 AND TotalRate<=27,"Degraded", TotalRate>27,"Good", true(),"Unknown")
| eval Status= case(TotalRate<=10,"times-circle", TotalRate>10 AND TotalRate<=27,"info-circle", TotalRate>27,"check-circle", true(),"exclaimation-triangle")
| eval color=case(TotalRate<=10,"#FF0000", TotalRate>10 AND TotalRate<=27,"#f8be34", TotalRate>27,"#65a637", true(),"#333")
| table field Status color SLA TotalRate</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
    <panel id="logintimesaag2">
      <title>Login 2</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <done>
            <set token="tokLoginSLA2">$result.SLA$</set>
          </done>
          <query>| makeresults
| fields - _time
| eval TotalRate=random()
| eval TotalRate=substr(TotalRate,1,2)
| eval field="Login"
| eval SLA=case(TotalRate>5,"Outage", TotalRate>1 AND TotalRate<=5,"Degraded", TotalRate<=1,"Good", true(),"Unknown") 
| eval Status= case(TotalRate>5,"times-circle", TotalRate>1 AND TotalRate<=5,"info-circle", TotalRate<=1,"check-circle", true(),"exclaimation-triangle")
| eval color=case(TotalRate>5,"#FF0000", TotalRate>1 AND TotalRate<=5,"#f8be34", TotalRate<=1,"#65a637", true(),"#333") 
| table field Status color SLA TotalRate</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
    <panel id="mode10aag3">
      <title>Mode 3</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <done>
            <set token="tokModSLA3">$result.SLA$</set>
          </done>
          <query>| makeresults
| fields - _time
| eval TotalRate=random()
| eval TotalRate=substr(TotalRate,1,2)
| eval field="Mode"
| eval SLA=case(TotalRate<=10,"Outage", TotalRate>10 AND TotalRate<=27,"Degraded", TotalRate>27,"Good", true(),"Unknown")
| eval Status= case(TotalRate<=10,"times-circle", TotalRate>10 AND TotalRate<=27,"info-circle", TotalRate>27,"check-circle", true(),"exclaimation-triangle")
| eval color=case(TotalRate<=10,"#FF0000", TotalRate>10 AND TotalRate<=27,"#f8be34", TotalRate>27,"#65a637", true(),"#333")
| table field Status color SLA TotalRate</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">text</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
    <panel id="overallstatus">
      <title>Overall Status</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>| makeresults
| fields - _time
| eval ModSLA1="$tokModSLA1$",
       ModSLA2="$tokModSLA2$",
       ModSLA3="$tokModSLA3$",
       LoginSLA1="$tokLoginSLA1$",
       LoginSLA2="$tokLoginSLA2$"
| transpose column_name="FieldName" 
| rename "row 1" as "SLA" 
| stats count by SLA 
| append 
    [| makeresults 
    | fields - _time 
    | eval SLA="Outage,Degraded,Good,Unknown", count=0 
    | makemv SLA delim="," 
    | mvexpand SLA]
| dedup SLA
| transpose header_field="SLA" column_name="SLA"
| search SLA!="_*"
| eval OverallSLA=case(Outage>0 AND Outage>=Degraded AND Outage+Degraded>=Good,"Outage",
    Degraded>0 AND Degraded>=Good AND Outage+Degraded>=Good,"Degraded",
    Good>0,"Good",
    true(),"Unknown") 
| eval Status= case(OverallSLA=="Outage","times-circle", OverallSLA=="Degraded","info-circle", OverallSLA=="Good","check-circle", true(),"exclaimation-triangle") 
| eval color=case(OverallSLA=="Outage","#FF0000", OverallSLA=="Degraded","#f8be34", OverallSLA=="Good","#65a637", true(),"#333") 
| fields OverallSLA Status color</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <set token="tokOverallColor">$result.color$</set>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="height">119</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">SLA</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">2</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
  </row>
</form>

PS: I have done some some changes to your SPL and dashboard.

  1. You can have single CSS Override section in your dashboard instead of multiple.
  2. You can give generic CSS selector. I have used div id starts with CSS selector i.e. ( div [id^="yourpartialstatingid"])
  3. Handling default match for Status case as Unknown and adding equal to match for one of the boundaries.
  4. Instead of Null field icon use specific field based on type of panel.
  5. Changes icon for Status Indicator as per SLA as well.
  6. Logic for Overall SLA based on combinations of Outage, Degraded, Good and Unknown.
  7. Unknown section has been declared in each case section (it is good to have) but may never be used (I used this to identify you were missing equal to condition match in your case).
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

myoung54
Explorer

Wow, this was incredibly helpful! Thank you so much!!

niketn
Legend

🙂 Anytime!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...