Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

adding columns to dashboard queries

drabbit
Explorer
‎09-16-2021 08:13 AM

Hi,

I'm trying to make a dashboard element that shows when one of our applications is restarted. So I have  a query that searches for "Starting Application". When I put this on my dashboard, I see the columns "i", timestamp, event. How can I add column that shows the kubernetes_container_name? And how can I change column width and trim the original text so I get no line breaks?

thanks for your help

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-17-2021 06:08 AM

So I misread your OP, but the general theme still applies.  Use the table command to tell Splunk which columns to display in a table.  In this case,

index=foo ```Always specify an index``` "Starting Application" kubernetes_cluster="prod-cluster"
| table time kubernetes_container_name log message
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

drabbit
Explorer
‎09-17-2021 04:53 AM

in an attempt to be a bit clearer about what I'm looking for. I'm looking for something like this:

 

| time | kubernetes_container_name | log message |

| 2021-09-11 21:05:15.590 | contract-mgmt | 2021-09-11 21:05:15.590 INFO 7 --- [ main] c.e.h.base.Application : Starting Application v2.3.0 using Java 11.0.10 |

| 2021-09-10 20:05:15.590 | base-data-mgmt | 2021-09-10 20:05:15.590 INFO 7 --- [ main] c.e.h.contract.Application : Starting Application v1.4.0 using Java 11.0.10 |

 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-17-2021 06:08 AM

So I misread your OP, but the general theme still applies.  Use the table command to tell Splunk which columns to display in a table.  In this case,

index=foo ```Always specify an index``` "Starting Application" kubernetes_cluster="prod-cluster"
| table time kubernetes_container_name log message
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

drabbit
Explorer
‎09-20-2021 01:33 AM

thanks, I got a step further.

When I use the search as you described, I can now see the kubernetes_container_name as a column, but the columns time, log and message are empty. How can I fix that?

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2021 05:40 AM

The example query expects the fields to be present in the index, but I don't know the contents of your index so the field names may not be exactly right.  Adjust the query to match your index or add eval statements as needed to calculate the desired fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

drabbit
Explorer
‎09-20-2021 05:47 AM

I guess we're already off-topic here. I have absolutley no clue what an index is and how I can find out which fields are in the index. I guess I'll have to study the query stuff more.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2021 05:58 AM

https://www.splunk.com/en_us/training/courses/intro-to-splunk.html

https://www.splunk.com/en_us/training/courses/using-fields.html

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

drabbit
Explorer
‎09-17-2021 04:45 AM

sorry, I thought I had posted it. The query looks like this:

"Starting Application" kubernetes_cluster="prod-cluster"

and I don't understand what you are referring to as "that column" in your answer. I want the kubernetes_container_name field as a column.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-16-2021 10:24 AM

It would help if you shared the query the dashboard uses.

The table command specifies the columns the dashboard should display.  If it includes "Starting Application" then that column will be present even if the search does not find it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...