Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Dashboard to Monitor Error Rates labels (Down, slow,up) across Multiple Applications

tonishantsms
Observer
‎02-10-2024 04:32 AM

I am trying to achieve below requirement 1- Calculate the error rate label for multiple application if Error Rate greater than50%, mark "DOWN" in red; if Error Rate > 5% & <50%, mark "ISSUE" in Orange; else "UP" in Green. 2- After label column done then needs to create new widget with single value and check the all the labels (DOWN, ISSUE, UP) if any (at least one) APIs in Error Rate is "DOWN", show "DOWN" in red; If any APIs in Error Rate is "ISSUE", show "ISSUE" in orange; else "UP" in green. Note- I need single text value result This is code i wrote till now but still not able to fullfill my requirement

 

<panel>

<single>

<title>Error Rate</title>

<search>

<query> app_name-abc OR app_name=xyz | rex field msg "\"[^\"]*\"\s(?&lt;status&gt;\d+)" | stats count(eval(status&gt;-200 AND status&lt;-300)) as pass count, count(eval(status&gt;-400)) as fail_count by cf_app_name

| eval error rate (fail_count/ (pass_count + fail_count)) 100 | eval label if (error rate &gt; 50, "DOWN", if(error_rate &gt; 5, "ISSUE", "UP")) | eval error rate round(error_rate, 2) "X" rename error_rate AS "Error_rate(percent)" | stats count(eval(label="DOWN")) as down_count, count(eval (label-"ISSUE")) as issue count, count(eval (label-"UP")) as up_count | rangemap field-issue_count low-0-0 high-2-99 default-low | eval Status-case(down_count &gt;-1, "DOWN", down_count=0 AND issue_count&gt;-1, "ISSUE", 1--1, "UP") </query>

<sampleRatio>1</sampleRatio>

</search>

<option name="drilldown">none</option>

<option name="field">Status</option>

<option name="rangeValues">ISSUE, UP</option> <option name="rangeColors">orange, green</option>

<option name="drilldown">none</option>

<option name="field"> Status</option>

<option name="drilldown">none</option>

</single>

</panel>

 

 

 

 

 

Labels (1)
Labels
0 Karma
Reply

tscroggins
Champion
‎02-10-2024 09:03 AM

Hi @tonishantsms,

The functionality is deprecated, but the single value visualization still supports automatic color-coding using rangemap and the range values severe (red), high (orange), elevated (yellow), guarded (blue), and low (green). You can take advantage of this functionality by combining the rangemap and chart commands with a trellised single value visualization:

| makeresults format="csv" data="cf_app_name,error_rate
foo,0
bar,6
baz,51"
| rangemap field=error_rate UP=0-5 ISSUE=6-50 default=DOWN
| rename range as status
| rangemap field=error_rate low=0-5 elevated=6-50 default=severe
| chart values(status) as status values(range) as range over cf_app_name

You can technically use any method to generate a field named range with the correct values. To use trellis, though, you must use chart, timechart, xyseries, etc. to add hidden field metadata required by the visualization code.

<dashboard version="1.1" theme="light">
  <label>tonishantsms_single</label>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults format="csv" data="cf_app_name,error_rate
foo,0
bar,6
baz,51"
| rangemap field=error_rate UP=0-5 ISSUE=6-50 default=DOWN
| rename range as status
| rangemap field=error_rate low=0-5 elevated=6-50 default=severe
| chart values(status) as status values(range) as range over cf_app_name</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
      </single>
    </panel>
  </row>
</dashboard>

tscroggins_0-1707584202813.png

Older documentation is still available through archive.org, e.g. https://web.archive.org/web/20150831233457/http://docs.splunk.com/Documentation/Splunk/latest/Search..., but Splunk may remove the functionality in a future release.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...