Solved: adding columns to dashboard queries

drabbit · ‎09-16-2021

Hi,

I'm trying to make a dashboard element that shows when one of our applications is restarted. So I have a query that searches for "Starting Application". When I put this on my dashboard, I see the columns "i", timestamp, event. How can I add column that shows the kubernetes_container_name? And how can I change column width and trim the original text so I get no line breaks?

thanks for your help

richgalloway · ‎09-17-2021

So I misread your OP, but the general theme still applies. Use the table command to tell Splunk which columns to display in a table. In this case,

index=foo ```Always specify an index``` "Starting Application" kubernetes_cluster="prod-cluster"
| table time kubernetes_container_name log message

---
If this reply helps you, Karma would be appreciated.

View solution in original post

drabbit · ‎09-17-2021

in an attempt to be a bit clearer about what I'm looking for. I'm looking for something like this:

| time | kubernetes_container_name | log message |

| 2021-09-11 21:05:15.590 | contract-mgmt | 2021-09-11 21:05:15.590 INFO 7 --- [ main] c.e.h.base.Application : Starting Application v2.3.0 using Java 11.0.10 |

| 2021-09-10 20:05:15.590 | base-data-mgmt | 2021-09-10 20:05:15.590 INFO 7 --- [ main] c.e.h.contract.Application : Starting Application v1.4.0 using Java 11.0.10 |

richgalloway · ‎09-17-2021

So I misread your OP, but the general theme still applies. Use the table command to tell Splunk which columns to display in a table. In this case,

index=foo ```Always specify an index``` "Starting Application" kubernetes_cluster="prod-cluster"
| table time kubernetes_container_name log message

---
If this reply helps you, Karma would be appreciated.

drabbit · ‎09-20-2021

thanks, I got a step further.

When I use the search as you described, I can now see the kubernetes_container_name as a column, but the columns time, log and message are empty. How can I fix that?

richgalloway · ‎09-20-2021

The example query expects the fields to be present in the index, but I don't know the contents of your index so the field names may not be exactly right. Adjust the query to match your index or add eval statements as needed to calculate the desired fields.

---
If this reply helps you, Karma would be appreciated.

drabbit · ‎09-20-2021

I guess we're already off-topic here. I have absolutley no clue what an index is and how I can find out which fields are in the index. I guess I'll have to study the query stuff more.

richgalloway · ‎09-20-2021

https://www.splunk.com/en_us/training/courses/intro-to-splunk.html

https://www.splunk.com/en_us/training/courses/using-fields.html

---
If this reply helps you, Karma would be appreciated.

drabbit · ‎09-17-2021

sorry, I thought I had posted it. The query looks like this:

"Starting Application" kubernetes_cluster="prod-cluster"

and I don't understand what you are referring to as "that column" in your answer. I want the kubernetes_container_name field as a column.

richgalloway · ‎09-16-2021

It would help if you shared the query the dashboard uses.

The table command specifies the columns the dashboard should display. If it includes "Starting Application" then that column will be present even if the search does not find it.

---
If this reply helps you, Karma would be appreciated.

adding columns to dashboard queries

panel

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!