Hi,
I'm trying to make a dashboard element that shows when one of our applications is restarted. So I have a query that searches for "Starting Application". When I put this on my dashboard, I see the columns "i", timestamp, event. How can I add a column that shows the kubernetes_container_name? And how can I change column width and trim the original text so I get no line breaks?
Thanks for your help
So I misread your OP, but the general theme still applies. Use the table command to tell Splunk which columns to display in a table. In this case,
index=foo ```Always specify an index``` "Starting Application" kubernetes_cluster="prod-cluster"
| table time kubernetes_container_name log message
in an attempt to be a bit clearer about what I'm looking for. I'm looking for something like this:
| time | kubernetes_container_name | log message |
| 2021-09-11 21:05:15.590 | contract-mgmt | 2021-09-11 21:05:15.590 INFO 7 --- [ main] c.e.h.base.Application : Starting Application v2.3.0 using Java 11.0.10 |
| 2021-09-10 20:05:15.590 | base-data-mgmt | 2021-09-10 20:05:15.590 INFO 7 --- [ main] c.e.h.contract.Application : Starting Application v1.4.0 using Java 11.0.10 |
Thanks, I got a step further.
When I use the search as you described, I can now see the kubernetes_container_name as a column, but the columns time, log and message are empty. How can I fix that?
The example query expects the fields to be present in the index, but I don't know the contents of your index so the field names may not be exactly right. Adjust the query to match your index or add eval statements as needed to calculate the desired fields.
I guess we're already off-topic here. I have absolutely no clue what an index is and how I can find out which fields are in the index. I guess I'll have to study the query stuff more.
https://www.splunk.com/en_us/training/courses/intro-to-splunk.html
https://www.splunk.com/en_us/training/courses/using-fields.html
Sorry, I thought I had posted it. The query looks like this:
"Starting Application" kubernetes_cluster="prod-cluster"
and I don't understand what you are referring to as "that column" in your answer. I want the kubernetes_container_name field as a column.
It would help if you shared the query the dashboard uses.
The table command specifies the columns the dashboard should display. If it includes "Starting Application" then that column will be present even if the search does not find it.