Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Create dashboard to show vmware AlarmStatusChanged...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create dashboard to show vmware AlarmStatusChangedEvent until event goes from red to green
I am running index=vmware-taskevent | spath eventClass | search eventClass=AlarmStatusChangedEvent and I want to have my dashboard show only the events that have not changed from red to green.
Here is the raw text:
{"entity": {"entity": {"moid": "host-145895", "type": "HostSystem"}, "name": "cpcdwesx02.na.cintas.com"}, "datacenter": {"datacenter": {"moid": "datacenter-21", "type": "Datacenter"}, "name": "Mason"}, "createdTime": "2020-02-05 21:17:48.765000+00:00", "alarm": {"alarm": {"moid": "alarm-1", "type": "Alarm"}, "name": "Host connection and power state"}, "source": {"entity": {"moid": "group-d1", "type": "Folder"}, "name": "Datacenters"}, "eventClass": "AlarmStatusChangedEvent", "chainId": "-1182388515", "host": {"host": {"moid": "host-145895", "type": "HostSystem"}, "name": "cpcdwesx02.na.cintas.com"}, "to": "green", "computeResource": {"computeResource": {"moid": "domain-s145893", "type": "ComputeResource"}, "name": "cpcdwesx02.na.cintas.com"}, "from": "red", "fullFormattedMessage": "Alarm 'Host connection and power state' on cpcdwesx02.na.cintas.com changed from Red to Green", "userName": "None", "key": "-1182388515"}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sample:
|makeresults
| eval _raw="{\"entity\": {\"entity\": {\"moid\": \"host-145895\", \"type\": \"HostSystem\"}, \"name\": \"cpcdwesx02.na.cintas.com\"}, \"datacenter\": {\"datacenter\": {\"moid\": \"datacenter-21\", \"type\": \"Datacenter\"}, \"name\": \"Mason\"}, \"createdTime\": \"2020-02-05 21:17:48.765000+00:00\", \"alarm\": {\"alarm\": {\"moid\": \"alarm-1\", \"type\": \"Alarm\"}, \"name\": \"Host connection and power state\"}, \"source\": {\"entity\": {\"moid\": \"group-d1\", \"type\": \"Folder\"}, \"name\": \"Datacenters\"}, \"eventClass\": \"AlarmStatusChangedEvent\", \"chainId\": \"-1182388515\", \"host\": {\"host\": {\"moid\": \"host-145895\", \"type\": \"HostSystem\"}, \"name\": \"cpcdwesx02.na.cintas.com\"}, \"to\": \"green\", \"computeResource\": {\"computeResource\": {\"moid\": \"domain-s145893\", \"type\": \"ComputeResource\"}, \"name\": \"cpcdwesx02.na.cintas.com\"}, \"from\": \"red\", \"fullFormattedMessage\": \"Alarm 'Host connection and power state' on cpcdwesx02.na.cintas.com changed from Red to Green\", \"userName\": \"None\", \"key\": \"-1182388515\"}"
| spath createdTime
| spath eventClass
| spath from
| spath to
| table createdTime eventClass from to
query:
index=vmware-taskevent "AlarmStatusChangedEvent" NOT "changed from Red to Green"
dashboard:
As you like.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
