Dashboards & Visualizations

Splunk Dashboard to Monitor Error Rates labels (Down, slow,up) across Multiple Applications

tonishantsms
Observer

I am trying to achieve the below requirement:

1- Calculate the error rate label for multiple applications: if Error Rate is greater than 50%, mark "DOWN" in red; if Error Rate > 5% & < 50%, mark "ISSUE" in orange; else "UP" in green.

2- After the label column is done, I need to create a new widget with a single value and check all the labels (DOWN, ISSUE, UP): if any (at least one) API's Error Rate is "DOWN", show "DOWN" in red; if any API's Error Rate is "ISSUE", show "ISSUE" in orange; else "UP" in green.

Note - I need a single text value result.

This is the code I wrote till now, but it still does not fulfill my requirement:

 

<panel>
  <single>
    <title>Error Rate</title>
    <search>
      <query>app_name=abc OR app_name=xyz
| rex field=msg "\"[^\"]*\"\s(?&lt;status&gt;\d+)"
| stats count(eval(status&gt;=200 AND status&lt;300)) as pass_count, count(eval(status&gt;=400)) as fail_count by cf_app_name
| eval error_rate=(fail_count/(pass_count+fail_count))*100
| eval label=if(error_rate&gt;50, "DOWN", if(error_rate&gt;5, "ISSUE", "UP"))
| eval error_rate=round(error_rate, 2)."%"
| rename error_rate AS "Error_rate(percent)"
| stats count(eval(label="DOWN")) as down_count, count(eval(label="ISSUE")) as issue_count, count(eval(label="UP")) as up_count
| rangemap field=issue_count low=0-0 high=2-99 default=low
| eval Status=case(down_count&gt;=1, "DOWN", down_count=0 AND issue_count&gt;=1, "ISSUE", 1=1, "UP")</query>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="drilldown">none</option>
    <option name="field">Status</option>
    <option name="rangeValues">ISSUE, UP</option>
    <option name="rangeColors">orange, green</option>
  </single>
</panel>

0 Karma

tscroggins
Influencer

Hi @tonishantsms,

The functionality is deprecated, but the single value visualization still supports automatic color-coding using rangemap and the range values severe (red), high (orange), elevated (yellow), guarded (blue), and low (green). You can take advantage of this functionality by combining the rangemap and chart commands with a trellised single value visualization:

| makeresults format="csv" data="cf_app_name,error_rate
foo,0
bar,6
baz,51"
| rangemap field=error_rate UP=0-5 ISSUE=6-50 default=DOWN
| rename range as status
| rangemap field=error_rate low=0-5 elevated=6-50 default=severe
| chart values(status) as status values(range) as range over cf_app_name

You can technically use any method to generate a field named range with the correct values. To use trellis, though, you must use chart, timechart, xyseries, etc. to add hidden field metadata required by the visualization code.

<dashboard version="1.1" theme="light">
  <label>tonishantsms_single</label>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults format="csv" data="cf_app_name,error_rate
foo,0
bar,6
baz,51"
| rangemap field=error_rate UP=0-5 ISSUE=6-50 default=DOWN
| rename range as status
| rangemap field=error_rate low=0-5 elevated=6-50 default=severe
| chart values(status) as status values(range) as range over cf_app_name</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
      </single>
    </panel>
  </row>
</dashboard>

(screenshot attachment: tscroggins_0-1707584202813.png)

Older documentation is still available through archive.org, e.g. https://web.archive.org/web/20150831233457/http://docs.splunk.com/Documentation/Splunk/latest/Search..., but Splunk may remove the functionality in a future release.

0 Karma
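The trellised panel above gives one coloured tile per application. For the second half of the question, a single text value across all APIs, here is an added example in the same dashboard style; it is not part of tscroggins's answer or the asker's code. It reuses the answer's three constructed rows, derives each application's label with case() on the numeric rate rather than rangemap (a rangemap with UP=0-5 ISSUE=6-50 leaves a gap, so a fractional rate such as 5.5 would fall through to the default bucket), rolls the labels up with the asker's precedence (any DOWN wins, then any ISSUE, else UP), and sets the range field that, per the answer above, drives the deprecated automatic colouring: severe is red, high is orange, low is green. The makeresults rows, the panel label and the Status field name are assumptions for the example; in a real dashboard the makeresults line is replaced by the asker's app_name search, rex and per-application stats.

```xml
<dashboard version="1.1" theme="light">
  <label>tonishantsms_rollup_status</label>
  <row>
    <panel>
      <title>Error Rate status across all APIs</title>
      <single>
        <search>
          <!-- constructed sample rows: replace makeresults with the real search, rex and stats by cf_app_name -->
          <query>| makeresults format="csv" data="cf_app_name,error_rate
foo,0
bar,6
baz,51"
| eval label=case(error_rate&gt;50, "DOWN", error_rate&gt;5, "ISSUE", true(), "UP")
| stats count(eval(label="DOWN")) as down_count, count(eval(label="ISSUE")) as issue_count, count(eval(label="UP")) as up_count
| eval Status=case(down_count&gt;0, "DOWN", issue_count&gt;0, "ISSUE", true(), "UP")
| eval range=case(Status="DOWN", "severe", Status="ISSUE", "high", true(), "low")
| table Status range</query>
        </search>
        <!-- Status is the text shown; range (severe/high/low) selects red/orange/green -->
        <option name="field">Status</option>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</dashboard>
```

With the constructed rows the rollup yields Status=DOWN (baz is above 50%); removing the baz row yields ISSUE because bar is above 5%, and keeping only foo yields UP. Because no chart or xyseries command is used, trellis stays off and the panel renders exactly one value.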