Solved: creating a single line visualization with multiple...

carlyleadmin · ‎02-23-2018

Hi,

i have a search that brings up failed and successful jobs.i want to create a single line visualization where i can show the count of both failed and successful jobs on a screen.is it possible.what i am looking is something similar to the attachment below.is that something hard to create?

and this is my search results

so i want to have number and on the bottom it would say Total Failed DIU and right next to it the sucessful ones with number on top and it says successful DIU at the bottom

Thanks

elliotproebstel · ‎02-23-2018

To make such a display, create a new dashboard. To create a Single Value visualization: Select Edit > Add Panel > New > Single Value.

For the first box, you'll enter into the box Search String the search that you're using now and add to the end of it:

| fields "Total DIU"

Select Add to Dashboard. Locate the panel that's just been added, and click on Format Visualization (looks like a little paintbrush). In the General section, enter "Total Failed DIU" into the Caption box.

Repeat all of the above for the second box, but into the Search String, you will instead append:

| fields "Successful DIU"

And into the Caption box, you'll also enter "Successful DIU". To put the two items side by side, put your mouse over the bar at the top of the visualization so that your mouse icon changes to a four-way arrow. Click and drag the item where you'd like it to be (next to the other item).

View solution in original post

elliotproebstel · ‎02-23-2018

To make such a display, create a new dashboard. To create a Single Value visualization: Select Edit > Add Panel > New > Single Value.

For the first box, you'll enter into the box Search String the search that you're using now and add to the end of it:

| fields "Total DIU"

Select Add to Dashboard. Locate the panel that's just been added, and click on Format Visualization (looks like a little paintbrush). In the General section, enter "Total Failed DIU" into the Caption box.

Repeat all of the above for the second box, but into the Search String, you will instead append:

| fields "Successful DIU"

And into the Caption box, you'll also enter "Successful DIU". To put the two items side by side, put your mouse over the bar at the top of the visualization so that your mouse icon changes to a four-way arrow. Click and drag the item where you'd like it to be (next to the other item).

carlyleadmin · ‎02-26-2018

Thanks for the reply Elliotproebstel this is good but i was hoping to get one panel with both failed and successful dius are side by side instead of getting 2 panels.i guess i will make this one work.

is there anyway you can help me with coloring?How do i set the number for successful DIUs to green with the text as well?

elliotproebstel · ‎02-26-2018

We can fix that first part, actually. To do so, you'll need to edit the dashboard source code. You'll select Edit and then look for the button at the top left that says Source. Select that, and you'll be in the SimpleXML source code. Right now, you have a section that looks something like this:

  <row>
    <panel>
      <single>
        <search>
          <query>|stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <single>
        <search>
          <query>|stats count | eval count=5</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>

If you take out the </panel> tag followed immediately by a <panel> tag between the definitions of the two <single> elements, I think you'll get what you want. So now it will look more like this:

  <row>
    <panel>
      <single>
        <search>
          <query>|stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
      <single>
        <search>
          <query>|stats count | eval count=5</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>

After making this change, hit save, and verify that you like the change. Either keep it or revert it, and then to set the color of the digit for Successful DIUs, select Edit and then look at the panel displaying Successful DIUs. The Format Visualization option is represented by a paint brush. Select that, and then choose Color. Set Use Colors: Yes. This will suggest a bunch of ranges and corresponding colors. If you only ever want the value to be green, then you'll use the little blue x options to the right of each range to remove ranges until you're down to only two options (that's the minimum). It doesn't matter what the range values are, just set the color for both remaining ranges to the same shade of green, and then close the menu. I don't know of a way in SimpleXML to set the color of the label for this; you will likely need to use CSS.

carlyleadmin · ‎02-26-2018

Thank you so much Elliot i was able to make a single panel.I will work on coloring part.there are alot of resources out there but the problem is that none of them tell you exactly what specific field does.i can use "rangemap" but i don't understand what is what.i found this query that works well but not sure what eval value field does.when i set that value to different number color change.Anyways thanks again

|eval value = 250 | rangemap field=value none=0-99 low=100-199 guarded=200-299 elevated=300-399 high=400-499 severe=500-599 default=none

elliotproebstel · ‎02-26-2018

The excerpt you posted there is creating a field called value and assigning it 250. The rangemap portion of the command is looking at the number stored in the field called value and assigning it a display color based on what range the number falls into. As you observed, when you change the number being stored in value, it will fall into a different range and be displayed in the color associated with that range.
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Rangemap

carlyleadmin · ‎02-27-2018

Thank you Eliot.i am trying to add Time range picker to my visualization but it is not working.any idea why?i have the token and everything but when i change the date nothing is updated in my panels.i edited my panels as well to use the shared time picker in my search string. does timerangepicker work with single value dashboards? what am i missing?Thanks again

index=pas host=lc10apr12pv sourcetype="import" Message="failed to execute"|search Message >0 |table Message,_time|stats count(eval(Message="failed to execute")) AS "Failed DIU" |eval Value = 500| rangemap field=Value none=0-99 low=100-199 guarded=200-299 elevated=300-399 high=400-499 severe=500-599 default=none

carlyleadmin · ‎02-27-2018

Nevermind,i edited in source code and it started working again.Thanks again for all the help

richgalloway · ‎02-23-2018

I believe you need two separate Single Value visualizations to do that.

---
If this reply helps you, Karma would be appreciated.

creating a single line visualization with multiple fields

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms