Dashboards & Visualizations

Splunk colored based on some threshold (last seen 24 hours red, last seen 10 mins green) for the Dashboard

ngwodo
Path Finder

I created a dashboard for 24 hours and also a 10 mins dashboard, which I merged into the existing one. I need the dashboard colors to be based on a threshold (last seen 24 hours red, last seen 10 mins green). I know I can enter the color entries by editing the XML. I entered it but I am getting an invalid error message. Please, how can I do it in XML edit or maybe Format visualization?

 

My Splunk queries are:

For 24 hour monitoring:

| tstats latest(_time) as latest where index=* earliest=-48h by host
| eval minutesago=round((now()-latest)/60,0)

 

For 10 mins monitoring:

| tstats latest(_time) as latest where index=* earliest=-10m by host
| eval minutesago=round((now()-latest)/60,0)

 

 

0 Karma

ITWhisperer
Ultra Champion

Please share your dashboard XML

0 Karma

ngwodo
Path Finder

Please see below:

 

<dashboard>
  <label>24 HOUR LOG FEED MONITOR</label>
  <description>Log feed monitor for 24 hour monitoring</description>
  <row>
    <panel>
      <title>24_hour_log_feed_monitor</title>
      <table>
        <search>
          <query>| tstats latest(_time) as latest where index=* earliest=-48h by host
| eval minutesago=round((now()-latest)/60,0)</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>10 MINUTES LOG FEED MONITOR</title>
      <table>
        <search>
          <query>| tstats latest(_time) as latest where index=* earliest=-10m by host
| eval minutesago=round((now()-latest)/60,0)</query>
          <earliest>-10m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
       
      </table>
    </panel>
  </row>
</dashboard>
0 Karma

ITWhisperer
Ultra Champion
<dashboard>
  <label>24 HOUR LOG FEED MONITOR</label>
  <description>Log feed monitor for 24 hour monitoring</description>
  <row>
    <panel>
      <title>24_hour_log_feed_monitor</title>
      <table>
        <search>
          <query>| tstats latest(_time) as latest where index=* earliest=-48h by host
| eval minutesago=round((now()-latest)/60,0)</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <format type="color" field="minutesago">
          <colorPalette type="list">[#53A051,#F8BE34,#DC4E41]</colorPalette>
          <scale type="threshold">10,1440</scale>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>10 MINUTES LOG FEED MONITOR</title>
      <table>
        <search>
          <query>| tstats latest(_time) as latest where index=* earliest=-10m by host
| eval minutesago=round((now()-latest)/60,0)</query>
          <earliest>-10m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="minutesago">
          <colorPalette type="list">[#FF0000,#F8BE34,#DC4E41]</colorPalette>
          <scale type="threshold">1,10</scale>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
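
A lint for threshold colour blocks like the ones in the dashboard above, as an added example that is not part of the original thread or Splunk's own tooling: it checks that every palette entry is a six-digit hex colour, that there is one more colour than there are thresholds, and that thresholds ascend. The sample XML and the `lag` field are constructed, and the boundary rule in `color_for` (a value equal to a threshold takes the upper range) is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from bisect import bisect_right

HEX_COLOR = re.compile(r"#[0-9A-Fa-f]{6}")

# Constructed sample: one well-formed block, and one (hypothetical field "lag")
# with a five-digit colour and a palette one entry short for its two thresholds.
SAMPLE = """<dashboard><row><panel><table>
  <format type="color" field="minutesago">
    <colorPalette type="list">[#53A051,#F8BE34,#DC4E41]</colorPalette>
    <scale type="threshold">10,1440</scale>
  </format>
  <format type="color" field="lag">
    <colorPalette type="list">[#53A05,#DC4E41]</colorPalette>
    <scale type="threshold">1,10</scale>
  </format>
</table></panel></row></dashboard>"""


def parse_formats(xml_text):
    """Return (field, colors, thresholds) for each list/threshold colour format."""
    found = []
    for fmt in ET.fromstring(xml_text).iter("format"):
        pal, scale = fmt.find("colorPalette"), fmt.find("scale")
        if fmt.get("type") != "color" or pal is None or scale is None:
            continue
        if pal.get("type") != "list" or scale.get("type") != "threshold":
            continue
        colors = [c.strip() for c in pal.text.strip().strip("[]").split(",")]
        thresholds = [float(t) for t in scale.text.split(",")]
        found.append((fmt.get("field"), colors, thresholds))
    return found


def lint(xml_text):
    """List the palette/threshold problems found in a dashboard's XML."""
    problems = []
    for field, colors, thresholds in parse_formats(xml_text):
        for c in colors:
            if not HEX_COLOR.fullmatch(c):
                problems.append(f"{field}: {c!r} is not a six-digit hex colour")
        if len(colors) != len(thresholds) + 1:
            problems.append(f"{field}: {len(thresholds)} thresholds need "
                            f"{len(thresholds) + 1} colours, found {len(colors)}")
        if thresholds != sorted(thresholds):
            problems.append(f"{field}: thresholds are not ascending")
    return problems


def color_for(value, colors, thresholds):
    """Pick the colour for a value; assumes value == threshold takes the upper range."""
    return colors[bisect_right(thresholds, value)]
```

Running `lint` over exported dashboard XML before deploying catches a silent-host panel whose colours would not render as intended.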


ngwodo
Path Finder

Thanks. I believe the color is now working. I will keep you updated.

0 Karma