Splunk Dashboard to Monitor Error Rates labels (Do...

tonishantsms · ‎02-10-2024

I am trying to achieve below requirement 1- Calculate the error rate label for multiple application if Error Rate greater than50%, mark "DOWN" in red; if Error Rate > 5% & <50%, mark "ISSUE" in Orange; else "UP" in Green. 2- After label column done then needs to create new widget with single value and check the all the labels (DOWN, ISSUE, UP) if any (at least one) APIs in Error Rate is "DOWN", show "DOWN" in red; If any APIs in Error Rate is "ISSUE", show "ISSUE" in orange; else "UP" in green. Note- I need single text value result This is code i wrote till now but still not able to fullfill my requirement

<panel>

<single>

<title>Error Rate</title>

<search>

<query> app_name-abc OR app_name=xyz | rex field msg "\"[^\"]*\"\s(?&lt;status&gt;\d+)" | stats count(eval(status&gt;-200 AND status&lt;-300)) as pass count, count(eval(status&gt;-400)) as fail_count by cf_app_name

| eval error rate (fail_count/ (pass_count + fail_count)) 100 | eval label if (error rate &gt; 50, "DOWN", if(error_rate &gt; 5, "ISSUE", "UP")) | eval error rate round(error_rate, 2) "X" rename error_rate AS "Error_rate(percent)" | stats count(eval(label="DOWN")) as down_count, count(eval (label-"ISSUE")) as issue count, count(eval (label-"UP")) as up_count | rangemap field-issue_count low-0-0 high-2-99 default-low | eval Status-case(down_count &gt;-1, "DOWN", down_count=0 AND issue_count&gt;-1, "ISSUE", 1--1, "UP") </query>

<sampleRatio>1</sampleRatio>

</search>

<option name="drilldown">none</option>

<option name="field">Status</option>

<option name="rangeValues">ISSUE, UP</option> <option name="rangeColors">orange, green</option>

<option name="drilldown">none</option>

<option name="field"> Status</option>

<option name="drilldown">none</option>

</single>

</panel>

tscroggins · ‎02-10-2024

Hi @tonishantsms,

The functionality is deprecated, but the single value visualization still supports automatic color-coding using rangemap and the range values severe (red), high (orange), elevated (yellow), guarded (blue), and low (green). You can take advantage of this functionality by combining the rangemap and chart commands with a trellised single value visualization:

| makeresults format="csv" data="cf_app_name,error_rate
foo,0
bar,6
baz,51"
| rangemap field=error_rate UP=0-5 ISSUE=6-50 default=DOWN
| rename range as status
| rangemap field=error_rate low=0-5 elevated=6-50 default=severe
| chart values(status) as status values(range) as range over cf_app_name

You can technically use any method to generate a field named range with the correct values. To use trellis, though, you must use chart, timechart, xyseries, etc. to add hidden field metadata required by the visualization code.

<dashboard version="1.1" theme="light">
  <label>tonishantsms_single</label>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults format="csv" data="cf_app_name,error_rate
foo,0
bar,6
baz,51"
| rangemap field=error_rate UP=0-5 ISSUE=6-50 default=DOWN
| rename range as status
| rangemap field=error_rate low=0-5 elevated=6-50 default=severe
| chart values(status) as status values(range) as range over cf_app_name</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
      </single>
    </panel>
  </row>
</dashboard>

Older documentation is still available through archive.org, e.g. https://web.archive.org/web/20150831233457/http://docs.splunk.com/Documentation/Splunk/latest/Search..., but Splunk may remove the functionality in a future release.

Splunk Dashboard to Monitor Error Rates labels (Down, slow,up) across Multiple Applications

single value

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?