remove result from dashboard

coreyf311
Path Finder

We have a dashboard that shows the number of servers that are reporting to Splunk. This is to maintain a count, weekly, of what's checked in and what has not. We compare what's in Splunk to what's in our "approved server list" and DNS. Sometimes they do not match or the list is ahead of the servers checking in to Splunk. A group may add 50 servers to the approved list but don't actually stand them up for another 90 days. These kinds of things can make the number skew widely at times. We are looking for a way for users to look at the list of servers for their group that have checked in and be able to mark a device as "false" for iLOs and such or something like that so that it will not count against the overall number. Or even be able to add a time (i.e. 90 days) so that it's notated but it also will not count against the check-in numbers. We could put this into a summary index or something?

0 Karma
1 Solution

woodcock
Esteemed Legend

I would create a lookup called something like approved_server_list and then have the search lookup in that list (do use | lookup for this) to see whether it should be included in the report and then also create a workflow action that allows users to add to approved_server_list and also remove from approved_server_list. You may desire to deploy the lookup editor app, too.

coreyf311
Path Finder

We create a lookup from the server list... that list is used against the host names that are sending logs to Splunk. That part we have down... can we create a workflow in the dashboard that would remove a specific host from counting against the host check-in count?

We can't remove it from the lookup because that gets updated every night anyway via script... unless some logic would tell it to NOT re-add that host back into the lookup? Maybe create a separate lookup with just the removed hostnames (bad_hostnames), run our nightly script and update good_hostnames and compare the two lookups and only add hostnames that are NOT in the bad_hostnames lookup?

0 Karma

woodcock
Esteemed Legend

You can add a TTL field and then have the nightly update go to another file and then run a Splunk search to merge the 2 files and honor the TTL value in the main.

0 Karma

somesoni2
SplunkTrust

Maybe update the "approved server list" (assuming it's added to Splunk as a lookup table) regularly with which servers are reporting and update your dashboard to ignore servers which are not reporting (some sort of flag is set to true if the servers had internal events coming to Splunk).

0 Karma

coreyf311
Path Finder

It lists every IP'd device, which is not always a device required to send Splunk its logs. We just use it to create the lookup to work off of every night. We need to know what servers are reporting and which servers are not so they can be looked at. Along with that reporting are false positives in that an HP cluster with iLO connections that are IP'd and on the server list do not individually report to Splunk. In that scenario the percentage is thrown off. The user/group responsible can look at their dashboard and check these non-reporting devices. And an even deeper question, can we add something that allows a user to "temporarily" mark something as not reporting? Some groups could add 50 servers to the list, we do our nightly update to the lookup that then adds these 50 servers to the list and in one night the numbers are WAY down for that group's compliance. They can then mark those servers as "offline" or something for say 30 or 90 days or until the logs start hitting Splunk, then they are added back into the fold and counted against the reporting numbers.

0 Karma
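The pieces discussed in this thread (the nightly regenerated inventory lookup, a separate exclusion lookup that the nightly run must not clobber, a TTL field so that an exclusion such as "not built yet, 90 days" expires on its own, and a reporting flag so a host is counted again as soon as its logs arrive) fit together as one merge step. The script below is an added example written for this answer, not code from the thread or from Splunk; it stands in for the "nightly script" and merges the two CSV files in Python rather than in SPL. The file layouts, column names (`host`, `group`, `reason`, `excluded_on`, `ttl_days`) and all sample rows are constructed assumptions; a blank `ttl_days` means a permanent exclusion (an iLO), and the set of reporting hosts would in practice come from something like `| metadata type=hosts`.

```python
"""Nightly merge of an inventory lookup with a user-maintained exclusion lookup.

Added example for the thread above (not Splunk's or the poster's code).
Assumed columns: inventory = host,group ; exclusions = host,reason,excluded_on,ttl_days
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample data standing in for the two CSV lookups.
NIGHTLY_INVENTORY_CSV = """host,group
web01,platform
web02,platform
db01,data
hp-cluster-ilo1,platform
hp-cluster-ilo2,platform
new-app01,apps
"""

# excluded_on + ttl_days = expiry; blank ttl_days = permanent (e.g. an iLO).
EXCLUSIONS_CSV = """host,reason,excluded_on,ttl_days
hp-cluster-ilo1,ilo,2024-01-01,
hp-cluster-ilo2,ilo,2024-01-01,
new-app01,not yet built,2024-02-01,90
old-box01,decommissioned,2023-01-01,30
"""


def load_exclusions(exclusions_csv, today):
    """Return {host: reason} for exclusions still in effect on `today`.

    Expired rows are dropped here, so the nightly run honours the TTL without
    anyone having to clean the exclusion lookup by hand.
    """
    active = {}
    for row in csv.DictReader(io.StringIO(exclusions_csv)):
        ttl = row["ttl_days"].strip()
        if ttl:
            expires = date.fromisoformat(row["excluded_on"]) + timedelta(days=int(ttl))
            if today >= expires:
                continue  # TTL has run out: host counts again
        active[row["host"]] = row["reason"]
    return active


def build_effective_lookup(inventory_csv, exclusions_csv, reporting_hosts, today):
    """Merge inventory and exclusions into the rows the dashboard should use.

    A host that has started reporting is counted again even if it is still
    excluded, matching the "until the logs start hitting Splunk" requirement.
    """
    exclusions = load_exclusions(exclusions_csv, today)
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        reporting = host in reporting_hosts
        excluded = host in exclusions and not reporting
        rows.append({
            "host": host,
            "group": row["group"],
            "reporting": reporting,
            "excluded": excluded,
            "exclude_reason": exclusions[host] if excluded else "",
        })
    return rows


def compliance_by_group(rows):
    """Per group: hosts counted (not excluded), hosts reporting, and percentage."""
    stats = {}
    for r in rows:
        g = stats.setdefault(r["group"], {"counted": 0, "reporting": 0, "excluded": 0})
        if r["excluded"]:
            g["excluded"] += 1
            continue
        g["counted"] += 1
        if r["reporting"]:
            g["reporting"] += 1
    for g in stats.values():
        # A group whose every host is excluded is not penalised.
        g["pct"] = round(100 * g["reporting"] / g["counted"], 1) if g["counted"] else 100.0
    return stats


def to_lookup_csv(rows):
    """Serialise the merged rows as a CSV lookup (booleans as true/false)."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["host", "group", "reporting", "excluded", "exclude_reason"],
        lineterminator="\n",
    )
    writer.writeheader()
    for r in rows:
        writer.writerow({**r, "reporting": str(r["reporting"]).lower(),
                         "excluded": str(r["excluded"]).lower()})
    return buf.getvalue()


if __name__ == "__main__":
    seen = {"web01", "db01"}  # constructed: hosts with events in Splunk
    merged = build_effective_lookup(NIGHTLY_INVENTORY_CSV, EXCLUSIONS_CSV, seen, date(2024, 3, 1))
    print(to_lookup_csv(merged))
    print(compliance_by_group(merged))
```

The output CSV is what you would push to the lookup the dashboard reads (`| inputlookup effective_hosts.csv | stats count(eval(reporting="true")) AS reporting count AS counted BY group`, or the equivalent), while the exclusion file stays untouched by the nightly run, so a workflow action or the lookup editor can keep adding rows to it. Re-running on a later date shows the TTL behaviour: once `excluded_on + ttl_days` has passed, `new-app01` drops out of the exclusions and starts counting against its group again.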