I created a dashboard for 24 hours and also 10 mins dashboard which I merged to the existing one. I need the dashboard colors to be based on threshhold (last seen 24 hours red, last seen 10 mins green). I know I can enter the color entries by editing XML. I entered it but I am having invalid error message. Please how can I do it in XML edit or maybe Format visualization?
My splunk queries are:
For 24 hour monitoring:
| tstats latest(_time) as latest where index=* earliest=-48h by host
| eval minutesago=round((now()-latest)/60,0)
For 10 mins monitoring:
| tstats latest(_time) as latest where index=* earliest=-10m by host
| eval minutesago=round((now()-latest)/60,0)
<dashboard>
<label>24 HOUR LOG FEED MONITOR</label>
<description>Log feed monitor for 24 hour monitoring</description>
<row>
<panel>
<title>24_hour_log_feed_monitor</title>
<table>
<search>
<query>| tstats latest(_time) as latest where index=* earliest=-48h by host
| eval minutesago=round((now()-latest)/60,0)</query>
<earliest>-24h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<format type="color" field="minutesago">
<colorPalette type="list">[#53A051,#F8BE34,#DC4E41]</colorPalette>
<scale type="threshold">10,1440</scale>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>10 MINUTES LOG FEED MONITOR</title>
<table>
<search>
<query>| tstats latest(_time) as latest where index=* earliest=-10m by host
| eval minutesago=round((now()-latest)/60,0)</query>
<earliest>-10m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="minutesago">
<colorPalette type="list">[#FF000,#F8BE34,#DC4E41]</colorPalette>
<scale type="threshold">1,10</scale>
</format>
</table>
</panel>
</row>
</dashboard>
Please share your dashboard XML
Please see below:
<dashboard>
<label>24 HOUR LOG FEED MONITOR</label>
<description>Log feed monitor for 24 hour monitoring</description>
<row>
<panel>
<title>24_hour_log_feed_monitor</title>
<table>
<search>
<query>| tstats latest(_time) as latest where index=* earliest=-48h by host
| eval minutesago=round((now()-latest)/60,0)</query>
<earliest>-24h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<format type="color" field="minutesago">
<colorPalette type="list">[#53A051,#F8BE34,#DC4E41]</colorPalette>
<scale type="threshold">10,1440</scale>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>10 MINUTES LOG FEED MONITOR</title>
<table>
<search>
<query>| tstats latest(_time) as latest where index=* earliest=-10m by host
| eval minutesago=round((now()-latest)/60,0)</query>
<earliest>-10m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="minutesago">
<colorPalette type="list">[#FF000,#F8BE34,#DC4E41]</colorPalette>
<scale type="threshold">1,10</scale>
</format>
</table>
</panel>
</row>
</dashboard>
Thanks. I believe the color is now working. I will keep you updated.