Single Value color change based on diff

gnovak
Builder

Hi!

I have a dashboard created that evaluates the number of emails that should be sent and then the ACTUAL number of emails that were sent for a particular location.

This section of the dashboard produces 2 numbers, TotalEmailsToSend and TotalEmailsSent.

Each one of these values is put into a single value box on my dashboard.

Now the fun part. Both numbers need to match. If they do not, the non-matching number should turn red while the other is green. If both numbers match, I would like them to both be green.

The TotalEmailsSent is the number that will differ if there was a problem. That number needs to turn red if it does not match the TotalEmailsToSend. Here is the code from my dashboard:

<html>
  <h1><b>ASIA - Last 24 Hours</b></h1>
  <a href="https://lists.afilias.info/lurker/search/20121201.000000.00000000@ml:asia cc-notify,sb:balance,sb:notification.en.html">Check ASIA stats on Lurker</a><br />
</html>
<single>
  <searchName>balance_email_to_send_asia</searchName>
  <fields>TotalEmailsToSend</fields>
  <option name="beforeLabel">Total Emails To Send</option>
  <option name="linkView">flashtimeline</option>
  <option name="linkSearch">sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" Registrar="*" | eval Registrar=lower(Registrar)</option>
</single>
<single>
  <searchName>balance_email_sent_asia</searchName>
  <fields>TotalEmailsSent</fields>
  <option name="beforeLabel">Total Emails Sent</option>
  <option name="linkView">flashtimeline</option>
  <option name="linkSearch">sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" Registrar="*" | eval Registrar=lower(Registrar)</option>
</single>

From reading about how to do a color change, it looks like they want a "range" to work off of in regards to the color change. In this case, I have no idea what the values would be, just that they both need to match and if they don't, the non-matching one should be red.

Also I see that in the examples most people were putting their search in the code for the dashboard where I am using SearchName.

After explaining all of this, is what I am trying to do even possible?

1 Solution

hazekamp
Builder

gnovak,

In order to achieve this both saved searches are going to need to be aware of each other. It would help if we had the syntax for these two searches, but I should be able to speak generally enough.

## Append "to send" and "sent" searches and compare "to_send_count" to "sent_count"
## If counts equate, set range == low, else set range == severe.
<balance_email_to_send_asia> | stats count as to_send_count | appendcols [<balance_email_sent_asia> | stats count as sent_count] | eval range=if(to_send_count==sent_count,"low","severe")

You could use the above search to drive both SingleValue reports, one report displays "to_send_count" and the other "sent_count". The trick is that we get both counts in a single search so they can be compared and the value of "range" set appropriately.

0 Karma

gnovak
Builder

For some reason it won't let me comment my answer so I had to put it here as an "answer"

Balance_email_sent_asia

sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" BalanceEmail sent | rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>[\d]+) of (?<TotalEmailsToSend>[\d]+) of email notification sent\." | search TotalEmailsSent="*" | chart sum(TotalEmailsSent)

Balance_email_to_send_asia

sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" BalanceEmail sent | rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>[\d]+) of (?<TotalEmailsToSend>[\d]+) of email notification sent\." | search TotalEmailsToSend="*" | chart sum(TotalEmailsToSend)
0 Karma

hazekamp
Builder

gnovak, looking @ your searches the approach I outlined above is correct.

0 Karma
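
The approach above applied to the searches gnovak posted, as an added example that is not part of the original thread: because the rex pattern pulls both numbers out of the same event, a single search can sum both fields and set range without joining two saved searches. The three makeresults events are constructed sample data in the log format implied by the rex pattern, and the search assumes a Splunk version that provides makeresults.

```spl
| makeresults count=3
| streamstats count as n
| eval _raw=case(
    n=1, "[BalanceEmail]12 of 12 of email notification sent.",
    n=2, "[BalanceEmail]7 of 9 of email notification sent.",
    n=3, "[BalanceEmail]30 of 30 of email notification sent.")
| rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>\d+) of (?<TotalEmailsToSend>\d+) of email notification sent\."
| stats sum(TotalEmailsSent) as TotalEmailsSent sum(TotalEmailsToSend) as TotalEmailsToSend
| eval range=if(TotalEmailsSent==TotalEmailsToSend, "low", "severe")
```

To run it against real data, replace the first three commands with the base search from the posts above (sourcetype="cron_BalanceEmail" source="*asia*" ...). Only the TotalEmailsSent panel needs to read range, since TotalEmailsToSend is the reference value.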

gnovak
Builder

this did eventually work...thanks

0 Karma

gnovak
Builder

I'm wondering can you do something like:

field=TotalEmailsSent red=TotalEmailsSent < TotalEmailsToSend default=green

or something like that....I could try it and see what happens perhaps....

0 Karma

gnovak
Builder

I was also referencing this link as well to get ideas...

http://splunk-base.splunk.com/answers/24210/single-value-module-question

0 Karma