Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I show the dispatch directory limit warning in a dashboard?

apurva1707
New Member
‎03-31-2016 08:57 PM

I need to make a dashboard wherein I have to show if the dispatch directory exceeds it limit. what would be the query for that ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

snoobzilla
Builder
‎04-03-2016 10:24 AM

There is a Dispatch Directory dashboard in SoS.

I put this one together. Enjoy.

<dashboard>
  <label>Dispatch Directory Analysis</label>
  <row>
    <panel>
      <title>Jobs Thermometer</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | stats count</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">fillerGauge</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.rangeValues">["0","1000","2000","5000"]</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by App</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.app | stats count by eai:acl.app | sort count desc</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by User</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner | stats count by eai:acl.owner  | sort count desc</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.axisY2.enabled">undefined</option>
      </chart>
    </panel>
    <panel>
      <title>Distinct Users with Jobs by App Snapshot</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app | stats dc(eai:acl.owner) AS Users by eai:acl.app | sort Users desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Summary Stats</title>
      <table>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | stats count AS Jobs sum(isDone) AS Done sum(isFailed) AS Failed sum(isFinalized) AS Finalized sum(isPaused) AS Paused by author eai:acl.owner eai:acl.app  | sort Jobs desc</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Failed Jobs Table</title>
        <search>
          <query>| rest /services/search/jobs  | search isFailed=1 | table eai:acl.owner eai:acl.app diskUsage updated messages.error title</query>
          <earliest>1439438400</earliest>
          <latest>1442051915</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Details</title>
      <table>
        <title>Look at search.</title>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | table updated author eai:acl.owner eai:acl.app isDone isFinalized isFailed isPaused diskUsage title | sort updated desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

snoobzilla
Builder
‎04-03-2016 10:24 AM

There is a Dispatch Directory dashboard in SoS.

I put this one together. Enjoy.

<dashboard>
  <label>Dispatch Directory Analysis</label>
  <row>
    <panel>
      <title>Jobs Thermometer</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | stats count</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">fillerGauge</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.rangeValues">["0","1000","2000","5000"]</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by App</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.app | stats count by eai:acl.app | sort count desc</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by User</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner | stats count by eai:acl.owner  | sort count desc</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.axisY2.enabled">undefined</option>
      </chart>
    </panel>
    <panel>
      <title>Distinct Users with Jobs by App Snapshot</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app | stats dc(eai:acl.owner) AS Users by eai:acl.app | sort Users desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Summary Stats</title>
      <table>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | stats count AS Jobs sum(isDone) AS Done sum(isFailed) AS Failed sum(isFinalized) AS Finalized sum(isPaused) AS Paused by author eai:acl.owner eai:acl.app  | sort Jobs desc</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Failed Jobs Table</title>
        <search>
          <query>| rest /services/search/jobs  | search isFailed=1 | table eai:acl.owner eai:acl.app diskUsage updated messages.error title</query>
          <earliest>1439438400</earliest>
          <latest>1442051915</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Details</title>
      <table>
        <title>Look at search.</title>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | table updated author eai:acl.owner eai:acl.app isDone isFinalized isFailed isPaused diskUsage title | sort updated desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma
Reply
Solved! Jump to solution

apurva1707
New Member
‎04-04-2016 05:12 AM

Thank you that helps.. 🙂

0 Karma
Reply
Solved! Jump to solution

apurva1707
New Member
‎04-04-2016 12:26 AM

Thank you. I am not sure if this solves my purpose. If the dispatch_dir_warning_size = 2000, I need to display the warning when the dispatch directory reaches its limit, say 1900. All this in a dashboard.

0 Karma
Reply
Solved! Jump to solution

snoobzilla
Builder
‎04-04-2016 04:30 AM

That is the source for a dashboard. If you make a dashboard, edit source and paste that in you will have a few different panels.

First panel is Jobs thermometer based on query | rest /services/search/jobs | stats count

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top