How do I show the dispatch directory limit warning in a dashboard?

apurva1707
New Member

I need to make a dashboard wherein I have to show if the dispatch directory exceeds its limit. What would be the query for that?

0 Karma

snoobzilla
Builder

There is a Dispatch Directory dashboard in SoS.

I put this one together. Enjoy.

<dashboard>
  <label>Dispatch Directory Analysis</label>
  <row>
    <panel>
      <title>Jobs Thermometer</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | stats count</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">fillerGauge</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.rangeValues">["0","1000","2000","5000"]</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by App</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.app | stats count by eai:acl.app | sort count desc</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by User</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner | stats count by eai:acl.owner  | sort count desc</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.axisY2.enabled">undefined</option>
      </chart>
    </panel>
    <panel>
      <title>Distinct Users with Jobs by App Snapshot</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app | stats dc(eai:acl.owner) AS Users by eai:acl.app | sort Users desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Summary Stats</title>
      <table>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | stats count AS Jobs sum(isDone) AS Done sum(isFailed) AS Failed sum(isFinalized) AS Finalized sum(isPaused) AS Paused by author eai:acl.owner eai:acl.app  | sort Jobs desc</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Failed Jobs Table</title>
        <search>
          <query>| rest /services/search/jobs  | search isFailed=1 | table eai:acl.owner eai:acl.app diskUsage updated messages.error title</query>
          <earliest>1439438400</earliest>
          <latest>1442051915</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Details</title>
      <table>
        <title>Look at search.</title>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | table updated author eai:acl.owner eai:acl.app isDone isFinalized isFailed isPaused diskUsage title | sort updated desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>

0 Karma

apurva1707
New Member

Thank you, that helps. 🙂

0 Karma

apurva1707
New Member

Thank you. I am not sure if this solves my purpose. If the dispatch_dir_warning_size = 2000, I need to display the warning when the dispatch directory reaches its limit, say 1900. All this in a dashboard.

0 Karma

snoobzilla
Builder

That is the source for a dashboard. If you make a dashboard, edit the source and paste that in, you will have a few different panels.

First panel is Jobs thermometer based on query | rest /services/search/jobs | stats count

0 Karma
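
An added example, not part of the original thread or snoobzilla's dashboard: a single panel that turns the Jobs Thermometer count into the explicit warning asked for in the follow-up. The 1900 and 2000 values are the ones from that question; splunk_server=local, count=0, the field names and the refresh settings are assumptions added here, and the REST job count stands in for the number of dispatch directories, as it does in the answer's query.

```xml
<dashboard>
  <label>Dispatch Directory Warning (added example)</label>
  <row>
    <panel>
      <title>Dispatch jobs vs. warning threshold</title>
      <table>
        <search>
          <!-- Assumed thresholds taken from the thread: warn at 1900 jobs,
               dispatch_dir_warning_size = 2000. Change both to match your
               own limits.conf. -->
          <!-- splunk_server=local keeps the count to this search head;
               count=0 asks the rest command for all rows. -->
          <query><![CDATA[
| rest /services/search/jobs splunk_server=local count=0
| stats count AS jobs
| eval warn_at=1900, dispatch_limit=2000
| eval pct_of_limit=round(100*jobs/dispatch_limit, 1)
| eval status=case(jobs>=dispatch_limit, "OVER LIMIT",
                   jobs>=warn_at, "WARNING",
                   true(), "OK")
| table jobs warn_at dispatch_limit pct_of_limit status
          ]]></query>
          <!-- Re-run every 5 minutes so the status follows the directory. -->
          <refresh>5m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

The REST endpoint only lists jobs the account running the dashboard is allowed to see, so view it with a role that can see other users' jobs or the count will understate the directory.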