What's the best practice to provide data to display current indicators?

marcfelden
Explorer

Hi there,
I have a ticketing system which uses a database to store ticket information.
On a Splunk dashboard I want to present current information about how many open tickets, the escalation status of the tickets, time a ticket spent without someone taking action, etc.

Question:
At the moment I am connecting every minute to the database, getting the data and putting the result in a CSV file to a path that Splunk then uses as a lookup input. The file gets overwritten. It works but does not give me any history.

Is there a more elegant way to handle data like this?

0 Karma

richgalloway
SplunkTrust

If you index the CSV instead of treating it as a lookup file you'll have history. You'll have to edit your dashboard to pull only the most recent data, however.

---
If this reply helps you, Karma would be appreciated.
0 Karma

marcfelden
Explorer

Thanks for the quick answer. The problem with that is that it would create tons of duplicates depending on the frequency by which I pull my data. And how can I possibly know which are the "most recent" data? I'm interested in the "best" solution for this problem. As I am using a PHP script to fetch the data and give it to Splunk, I can do everything with the data before giving it to Splunk.

0 Karma

richgalloway
SplunkTrust

It's the "tons of duplicates" that give you the history you seek. Perhaps your PHP script can extract only new information from the database to help reduce the amount of duplicate data. Find the most recent data using the dedup or stats latest() command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
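
An added example, not part of the original posts: a dashboard search that rebuilds the current indicators from indexed ticket events using `stats latest()`, as the reply above suggests. The index `tickets`, the sourcetype `ticket_snapshot` and the fields `ticket_id`, `status`, `escalation_level` and `last_action_epoch` (epoch seconds of the last action on the ticket) are assumed names, not taken from the thread.

```spl
index=tickets sourcetype=ticket_snapshot earliest=-30d
| stats latest(_time) AS last_seen
        latest(status) AS status
        latest(escalation_level) AS escalation_level
        latest(last_action_epoch) AS last_action_epoch
        BY ticket_id
| where status="open"
| eval idle_minutes=round((now() - last_action_epoch) / 60)
| stats count AS open_tickets
        count(eval(escalation_level > 0)) AS escalated
        max(idle_minutes) AS longest_idle_minutes
```

If the PHP script sends only changed tickets, the `earliest` window has to reach back to each open ticket's last change, otherwise long-idle tickets drop out of the result. With a full snapshot indexed every minute, a window of a few minutes is enough.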