Dashboards & Visualizations

Splunk Dashboard to Monitor Error Rates labels (Down, slow,up) across Multiple Applications

tonishantsms
Observer

I am trying to achieve below requirement 1- Calculate the error rate label for multiple application if Error Rate greater than50%, mark "DOWN" in red; if Error Rate > 5% & <50%, mark "ISSUE" in Orange; else "UP" in Green. 2- After label column done then needs to create new widget with single value and check the all the labels (DOWN, ISSUE, UP) if any (at least one) APIs in Error Rate is "DOWN", show "DOWN" in red; If any APIs in Error Rate is "ISSUE", show "ISSUE" in orange; else "UP" in green. Note- I need single text value result This is code i wrote till now but still not able to fullfill my requirement

 

<panel>

<single>

<title>Error Rate</title>

<search>

<query> app_name-abc OR app_name=xyz | rex field msg "\"[^\"]*\"\s(?&lt;status&gt;\d+)" | stats count(eval(status&gt;-200 AND status&lt;-300)) as pass count, count(eval(status&gt;-400)) as fail_count by cf_app_name

| eval error rate (fail_count/ (pass_count + fail_count)) 100 | eval label if (error rate &gt; 50, "DOWN", if(error_rate &gt; 5, "ISSUE", "UP")) | eval error rate round(error_rate, 2) "X" rename error_rate AS "Error_rate(percent)" | stats count(eval(label="DOWN")) as down_count, count(eval (label-"ISSUE")) as issue count, count(eval (label-"UP")) as up_count | rangemap field-issue_count low-0-0 high-2-99 default-low | eval Status-case(down_count &gt;-1, "DOWN", down_count=0 AND issue_count&gt;-1, "ISSUE", 1--1, "UP") </query>

<sampleRatio>1</sampleRatio>

</search>

<option name="drilldown">none</option>

<option name="field">Status</option>

<option name="rangeValues">ISSUE, UP</option> <option name="rangeColors">orange, green</option>

<option name="drilldown">none</option>

<option name="field"> Status</option>

<option name="drilldown">none</option>

</single>

</panel>

 

 

 

 

 

Labels (1)
0 Karma

tscroggins
Influencer

Hi @tonishantsms,

The functionality is deprecated, but the single value visualization still supports automatic color-coding using rangemap and the range values severe (red), high (orange), elevated (yellow), guarded (blue), and low (green). You can take advantage of this functionality by combining the rangemap and chart commands with a trellised single value visualization:

| makeresults format="csv" data="cf_app_name,error_rate
foo,0
bar,6
baz,51"
| rangemap field=error_rate UP=0-5 ISSUE=6-50 default=DOWN
| rename range as status
| rangemap field=error_rate low=0-5 elevated=6-50 default=severe
| chart values(status) as status values(range) as range over cf_app_name

You can technically use any method to generate a field named range with the correct values. To use trellis, though, you must use chart, timechart, xyseries, etc. to add hidden field metadata required by the visualization code.

<dashboard version="1.1" theme="light">
  <label>tonishantsms_single</label>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults format="csv" data="cf_app_name,error_rate
foo,0
bar,6
baz,51"
| rangemap field=error_rate UP=0-5 ISSUE=6-50 default=DOWN
| rename range as status
| rangemap field=error_rate low=0-5 elevated=6-50 default=severe
| chart values(status) as status values(range) as range over cf_app_name</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
      </single>
    </panel>
  </row>
</dashboard>

tscroggins_0-1707584202813.png

Older documentation is still available through archive.org, e.g. https://web.archive.org/web/20150831233457/http://docs.splunk.com/Documentation/Splunk/latest/Search..., but Splunk may remove the functionality in a future release.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...