Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

single value won't turn green

gnovak
Builder
‎04-02-2012 02:47 PM

I have a dashboard where I have a single value module that contains a search that should make it green if no results are found (meaning all is ok!) , red if results are found (not good!).

At one point I was able to get the module to turn red if a number was present other then 0. However if 0 is present, I would like 0 to be displayed and the single value to be green. So far all I get is "n/a" as the display and the single value is the default gray color.

Anyone see anything out of place here that I'm missing?

<single>
      <searchString>((sourcetype="Cron_SendNotificationEmail") OR 
 (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="*" NOT host="*.bmp2.*" earliest=-1d@d latest=-0d@d | rex "send_to_email ?\[(?P&lt;send_to_email&gt;\S+)\]" max_match=1000 
| rex "(?P&lt;inserting_a_record&gt;Inserting a record.*)" max_match=1000 | search inserting_a_record="*" OR send_to_email="*" | eval Delta = inserting_a_record - send_to_email | where Delta > 0 | eval status = if(Delta==0, "OK", "ERROR") | rangemap field=Delta low=0-0 default=severe</searchString>
      <title>Undelivered Emails: Last Day</title>
      <option name="classField">range</option>
</single>
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

gnovak
Builder
‎04-04-2012 12:28 PM

This worked. 

<searchString>((sourcetype="Cron_SendNotificationEmail" "[*]") OR

(sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="" NOT host=".bmp2."
earliest=-1d@d latest=-0d@d NOT (day_hour=23 AND day_minute>=59)
| rex "send_to_email ?[(?P<send_to_email>\S+)]" max_match=1000
| rex "(?P<inserting_a_record>Inserting a record.)" max_match=1000
| timechart sum(eval(if(sourcetype=="Cron_CheckRegistrarThreshold",
mvcount(inserting_a_record), 0 ))) as TotalEmailsToSend sum(eval(if(sourcetype=="Cron_SendNotificationEmail",mvcount(send_to_email), 0 ))) as TotalEmailsSent | eval Delta = TotalEmailsToSend - TotalEmailsSent | rangemap field=Delta low=0-0 default=severe
Undelivered Emails: Last Day
Delta
range

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gnovak
Builder
‎04-04-2012 12:28 PM

This worked. 

<searchString>((sourcetype="Cron_SendNotificationEmail" "[*]") OR

(sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="" NOT host=".bmp2."
earliest=-1d@d latest=-0d@d NOT (day_hour=23 AND day_minute>=59)
| rex "send_to_email ?[(?P<send_to_email>\S+)]" max_match=1000
| rex "(?P<inserting_a_record>Inserting a record.)" max_match=1000
| timechart sum(eval(if(sourcetype=="Cron_CheckRegistrarThreshold",
mvcount(inserting_a_record), 0 ))) as TotalEmailsToSend sum(eval(if(sourcetype=="Cron_SendNotificationEmail",mvcount(send_to_email), 0 ))) as TotalEmailsSent | eval Delta = TotalEmailsToSend - TotalEmailsSent | rangemap field=Delta low=0-0 default=severe
Undelivered Emails: Last Day
Delta
range

0 Karma
Reply
Solved! Jump to solution

BobM
Builder
‎04-02-2012 04:36 PM

Your search includes < and > which are not legal the way you have used them in XML so I am surprised you get anything. I recommend you surround your search in a cdata construct (See below). You also have square braces [ and ] in a rex that should be escaped \[ and \].
And also you have "| where Delta > 0" which will filter out any zero values.

<searchstring> <![CDATA[ ((sourcetype="Cron_SendNotificationEmail") OR (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record")) source="" NOT host=".bmp2." earliest=-1d@d latest=-0d@d | rex "send_to_email ?\[(?P<send_to_email>S+)\]" max_match=1000 | rex "(?P<inserting_a_record>Inserting a record.)" max_match=1000 | search inserting_a_record="" OR send_to_email="*" | eval Delta = inserting_a_record - send_to_email | eval status = if(Delta==0, "OK", "ERROR") | rangemap field=Delta low=0-0 default=severe ]]> </searchstring>

It is also good practice to tell the single value which field you want displaying by adding.

<option name="field">Delta</option>

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎04-03-2012 11:14 AM

I'm going to keep messing around with this to see what i get...

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎04-03-2012 11:08 AM

This search made everything under it blue which means it didn't like it. Also I'm not sure where in my original post you saw < or >. I had them replaced by the xml code representing these symbols. I also tried using the field option before but it did not make a difference.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...