
Dynamic gauge range not accepting subsearch

mdsnmss
SplunkTrust

I am trying to get a gauge that monitors license usage with a dynamic range dependent on the license stack size. The complete search is:

index=_internal source=*license_usage.log type="Usage"    | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)   | eval sourcetypename = st   | bin _time span=1d    | stats sum(b) as b by _time, pool, indexname, sourcetypename | eval GB=(b/1024/1024/1024)  | fields _time, indexname, sourcetypename, GB | search indexname=* sourcetypename=* | stats sum(GB) as SUM by _time | stats avg(SUM) as avg | gauge avg [search rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota | stats max(stack_quota) as total | eval license=round(total/1024/1024/1024,3) | eval first=0 | eval second=license*0.9 | eval third=round(license,0) | eval range=first+" "+second+" "+third | return $range]

This will return the average license usage over the specified time period for whatever indexname/sourcetypename you specify. What I want is a gauge that will find the license pool size to set its limits. Using the below search on its own I am able to return the desired ranges:

| rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota | stats max(stack_quota) as total | eval license=round(total/1024/1024/1024,3) | eval first=0 | eval second=license*0.9 | eval third=round(license,0) | eval range=first+" "+second+" "+third | return $range

This appears to be how it was done in a similar answer at https://answers.splunk.com/answers/58085/gauges-with-dynamic-ranges.html but it doesn't seem to be applying for me.

1 Solution

mdsnmss
SplunkTrust

I ended up finding a simpler option. Since I was using index=_internal source=*license_usage.log type="Usage" as part of my base search, it has the pool information I was looking for already in it. I was able to create the dynamic gauge range without setting tokens using the full search:

index=_internal source=*license_usage.log type="Usage"    | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)   | eval sourcetypename = st   | bin _time span=1d    | stats values(poolsz) as poolsz sum(b) as b by _time, pool, indexname, sourcetypename | eval GB=(b/1024/1024/1024)  | eval pool=(poolsz/1024/1024/1024) | fields _time, indexname, sourcetypename, GB, pool | search indexname=* sourcetypename=* | fields _time, indexname, sourcetypename, GB, pool | stats values(pool) as pool sum(GB) as GB | gauge GB 0 pool


niketn
Legend

@mdsnmss... Can you try an option based on my recent answer? https://answers.splunk.com/answers/519253/how-to-create-a-dynamic-gauge-visualization-with-s.html

In your case following becomes your base search to set the required gauge ranges as a token:

| rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota | stats max(stack_quota) as total | eval license=round(total/1024/1024/1024,3) | eval first=0 | eval second=license*0.9 | eval third=round(license,0) | eval range=first+" "+second+" "+third | table range

Then use the done search event handler to set the required token:

 <preview>
   <condition match="$job.resultCount$==0">
     <set token="Range">0 75 95 100</set>
   </condition>
   <condition>
     <set token="Range">$result.range$</set>
   </condition>
 </preview>

Finally, in the query with the Gauge visualization, use the token $Range$:

 index=_internal source=*license_usage.log type="Usage"    
| eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)   
| eval sourcetypename = st   
| bin _time span=1d    
| stats sum(b) as b by _time, pool, indexname, sourcetypename 
| eval GB=(b/1024/1024/1024)  
| fields _time, indexname, sourcetypename, GB 
| search indexname=* sourcetypename=* 
| stats sum(GB) as SUM by _time 
| stats avg(SUM) as avg 
| gauge avg $Range$
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mdsnmss
SplunkTrust

That makes sense but I already have a base search to be used in my dashboard. My base search is:

index=_internal source=*license_usage.log type="Usage"    
 | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)   
 | eval sourcetypename = st   
 | bin _time span=1d    
 | stats sum(b) as b by _time, pool, indexname, sourcetypename 
 | eval GB=(b/1024/1024/1024)  
 | fields _time, indexname, sourcetypename, GB 
 | search indexname=$indexname$ sourcetypename=$sourcetypename$ 

I use this base search to drive a variety of visualizations within the same dashboard with the ability for filtering. I am looking for a way to dynamically grab the license pool quota so that the dashboard shows a license cap dependent on the environment it is in. I do know that using the REST search to pull the license pool information will require the app to be installed on the license master in order to get that information. My only other thought is to include a setup.xml and allow the license pool size to be specified there and applied to the dashboards but still have to figure out how to do that part. This method would at least allow the freedom to not have the app installed on the license master. Any other ideas?


niketn
Legend

By base search I meant an independent search that sets the token $Range$ so it is available in your dashboard. Do not confuse this with a search used for post processing. Just add the following below the description for your dashboard.

  <search>
 | rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota | stats max(stack_quota) as total | eval license=round(total/1024/1024/1024,3) | eval first=0 | eval second=license*0.9 | eval third=round(license,0) | eval range=first+" "+second+" "+third | table range
  </search>
  <preview>
    <condition match="$job.resultCount$==0">
      <set token="Range">0 75 95 100</set>
    </condition>
    <condition>
      <set token="Range">$result.range$</set>
    </condition>
  </preview>

Then use the $Range$ value in your panel with the Gauge as I had described above. The only thing I have changed is that the nested search is replaced with $Range$. Please try it out and let me know how it goes.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
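The two pieces above assembled into one complete Simple XML dashboard, as an added example that is not from either poster: the independent search publishes $Range$ from a `<done>` handler (with the fixed fallback for the case mdsnmss raised, where the REST call returns nothing because the app is not on the license master), and a separate post-process base search keeps driving the filtered panels. The search id `usage_base`, the input tokens `indexname`/`sourcetypename`, and the 30-day time range are assumptions.

```xml
<form>
  <label>License usage vs. pool quota</label>
  <!-- Independent search (not a post-process base search): runs once and
       publishes the gauge range as $Range$ for every panel. -->
  <search>
    <query>
      | rest splunk_server=local /services/licenser/stacks
      | stats max(quota) as total
      | eval license=round(total/1024/1024/1024,3)
      | eval range="0 ".(license*0.9)." ".round(license,0)
      | table range
    </query>
    <done>
      <!-- No rows when the app is not on the license master: use a fixed range -->
      <condition match="$job.resultCount$==0">
        <set token="Range">0 75 95 100</set>
      </condition>
      <condition>
        <set token="Range">$result.range$</set>
      </condition>
    </done>
  </search>
  <search id="usage_base"><!-- shared post-process base for all panels -->
    <query>
      index=_internal source=*license_usage.log type="Usage"
      | eval indexname=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
      | eval sourcetypename=st
      | bin _time span=1d
      | stats sum(b) as b by _time, pool, indexname, sourcetypename
      | eval GB=(b/1024/1024/1024)
      | search indexname=$indexname$ sourcetypename=$sourcetypename$
    </query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <input type="text" token="indexname"><default>*</default></input>
    <input type="text" token="sourcetypename"><default>*</default></input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search base="usage_base">
          <query>| stats sum(GB) as SUM by _time | stats avg(SUM) as avg | gauge avg $Range$</query>
        </search>
        <option name="charting.chart">radialGauge</option>
      </chart>
    </panel>
  </row>
</form>
```

The post-process query stays purely transforming (`stats` on the base results), which is what keeps the gauge panel cheap to re-run when the filter inputs change.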