Splunk Enterprise

Trying to create a basic view showing the count numbers and a green, red dot if out of range

maximusdm
Communicator

Hi there, new to Splunk and trying to mimic another Splunk view built by a different developer.
Here is the code:

<view template="dashboard.html" refresh="120">
  <label>Dashboard</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">True</param>
    <param name="maxSize">1</param>
    <param name="level">error</param> 
  </module>

<module name="HiddenSavedSearch" layoutPanel="panel_row3_col1_grp1" group="Push" autoRun="true">
    <param name="savedSearch">Push Status</param>
    <param name="useHistory">True</param>
    <module name="PostProcess">
      <param name="search">stats sum(evt_status) AS chn_errors by VC 
      | stats count(eval(chn_errors>1)) AS buf_err_channels count(eval(chn_errors>0)) AS err_channels sum(chn_errors) AS error_total 
      | eval error_cnt=if(isnull(error_total),0,error_total) 
      | eval error=if(buf_err_channels > 0  OR  err_channels > 3,1,0) 
      | rangemap field=error default=red green=0-0</param>
      <module name="HTML">
        <param name="html">
          <div class="SplunkModule SingleValue">
          <div class="SingleValueHolder $results[0].range$">
          <span class="singleLabel singleLabelBefore">STB Push</span>
          <span class="singleResult $results[0].range$-val">$results[0].error_cnt$ </span>
          </div>
          <div></div>
          </div>
        </param>  
      </module>
    </module>
</module>
...

Since I am not using a SavedSearch all I need is to include a basic search returning:
-the count number, label, and a green/red bullet (see image). If count > 1 then display red, otherwise display green.
I tried to change the code above but got so many errors that I thought starting from a simple sample would be easier for me.

I just need to display the results of a simple query just like the image attached here.
Any help is appreciated, thank you.

1 Solution

maximusdm
Communicator

Got it to work as follows:

  <module name="HiddenSearch" layoutPanel="panel_row2_col1" group="Triggers" autoRun="true">
    <param name="earliest">@h</param>
    <param name="latest">now</param>
    <param name="search">     
      index=aa_alerts Source="Record Alert" search_name="record_search"
      | stats count(eval(like(Description,"%your string here%"))) AS Count   
      | rangemap field=Count red=1-10000 default=green 
    </param>
    <module name="HTML">
      <param name="loadingText">...</param>
      <param name="html">
        <div class="SplunkModule SingleValue">                        
        <div class="SingleValueHolder $results[0].range$">
        <span class="singleLabel singleLabelBefore">Orders failed to record</span>
        <span class="singleResult">$results[0].Count$ $</span>
        </div>
        <div></div>
        </div>
      </param>
    </module>
  </module>


niketnilay
Legend

@maximusdm, which version of Splunk are you using? Advanced XML has been officially deprecated since version 6.3. http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/Whatsinthismanual#Advanced_XML_Deprec...

You have multiple ways of achieving the above results; however, the approach depends upon the version of Splunk you are using.

(1) You can check out Custom Decorations Example in the Splunk 6.x Dashboard Examples app which uses CSS to display icons based on rangemap in HTML panel. https://splunkbase.splunk.com/app/1603/

(2) Status Indicator Custom Visualization for Splunk 6.5 gives you feasibility to use several icons directly through Splunk query returning results for icon and color based on value (rangemap) to be displayed.
https://splunkbase.splunk.com/app/3119/

(3) Read Topic 1: Image Overlay with Icons Example where I have extended the Image Overlay with Single Values example from Splunk 6.x Dashboard Examples app to display Icons based on Single Value Range.
http://wiki.splunk.com/User_talk:Niketnilay
PS: Depending on the Splunk Enterprise Version the Search Event Handler may change (Confirm the same using Splunk Search Event Handlers on Splunk Documentation for specific version. http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Search_event_handlers)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

maximusdm
Communicator

We are using version 6.5.2.
I am trying to build a dashboard which will show about 80 results, that is why I need to display all of them in 3 different columns and single lines. I cannot use the single value input element or any other plug-in which takes too much space in the screen. I just wanted to display the label/value and green/red dot. 😞


niketnilay
Legend

@maximusdm, I am glad Advanced XML worked for you.

However, you should also consider HTML panel with use of Background Image, icons and CSS to plot several outputs. Option 1 and Option 3 are not using Single Value visualization (only the name has been used to imply the kind of element being plotted). You should also keep SPL commands like transpose handy so that the results are converted to single row to be picked up by result.<fieldName>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
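
The HTML-panel approach suggested in this reply, applied in Simple XML to the search from the accepted answer. This is an added example, not code from either poster: the token names `record_count` and `record_range` are made up here, and it assumes the `<html>` panel keeps the inline `style` attribute (otherwise move the colour into a dashboard stylesheet).

```xml
<dashboard>
  <label>Record alerts</label>

  <!-- Same search as the accepted Advanced XML answer. rangemap writes
       "red" or "green" into the field "range". -->
  <search>
    <query>index=aa_alerts Source="Record Alert" search_name="record_search"
| stats count(eval(like(Description,"%your string here%"))) AS Count
| rangemap field=Count red=1-10000 default=green</query>
    <earliest>@h</earliest>
    <latest>now</latest>
    <!-- Search event handler: when the search finishes, copy fields of the
         first result row into dashboard tokens via $result.<fieldName>$. -->
    <done>
      <set token="record_count">$result.Count$</set>
      <set token="record_range">$result.range$</set>
    </done>
  </search>

  <row>
    <!-- depends hides the panel until the token has been set, so the raw
         $...$ placeholders are never shown. -->
    <panel depends="$record_range$">
      <html>
        <div>
          <!-- The rangemap value doubles as a CSS colour name for the dot. -->
          <span style="color:$record_range$">&#9679;</span>
          Orders failed to record: $record_count$
        </div>
      </html>
    </panel>
  </row>
</dashboard>
```

`<done>` is the handler name in the 6.5 event handler reference linked above; earlier 6.x releases use different handler names, as the PS in the earlier reply notes.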