Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I show the dispatch directory limit warning in a dashboard?

apurva1707
New Member
‎03-31-2016 08:57 PM

I need to make a dashboard wherein I have to show if the dispatch directory exceeds it limit. what would be the query for that ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

snoobzilla
Builder
‎04-03-2016 10:24 AM

There is a Dispatch Directory dashboard in SoS.

I put this one together. Enjoy.

<dashboard>
  <label>Dispatch Directory Analysis</label>
  <row>
    <panel>
      <title>Jobs Thermometer</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | stats count</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">fillerGauge</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.rangeValues">["0","1000","2000","5000"]</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by App</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.app | stats count by eai:acl.app | sort count desc</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by User</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner | stats count by eai:acl.owner  | sort count desc</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.axisY2.enabled">undefined</option>
      </chart>
    </panel>
    <panel>
      <title>Distinct Users with Jobs by App Snapshot</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app | stats dc(eai:acl.owner) AS Users by eai:acl.app | sort Users desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Summary Stats</title>
      <table>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | stats count AS Jobs sum(isDone) AS Done sum(isFailed) AS Failed sum(isFinalized) AS Finalized sum(isPaused) AS Paused by author eai:acl.owner eai:acl.app  | sort Jobs desc</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Failed Jobs Table</title>
        <search>
          <query>| rest /services/search/jobs  | search isFailed=1 | table eai:acl.owner eai:acl.app diskUsage updated messages.error title</query>
          <earliest>1439438400</earliest>
          <latest>1442051915</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Details</title>
      <table>
        <title>Look at search.</title>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | table updated author eai:acl.owner eai:acl.app isDone isFinalized isFailed isPaused diskUsage title | sort updated desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

snoobzilla
Builder
‎04-03-2016 10:24 AM

There is a Dispatch Directory dashboard in SoS.

I put this one together. Enjoy.

<dashboard>
  <label>Dispatch Directory Analysis</label>
  <row>
    <panel>
      <title>Jobs Thermometer</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | stats count</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">fillerGauge</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.rangeValues">["0","1000","2000","5000"]</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by App</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.app | stats count by eai:acl.app | sort count desc</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by User</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner | stats count by eai:acl.owner  | sort count desc</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.axisY2.enabled">undefined</option>
      </chart>
    </panel>
    <panel>
      <title>Distinct Users with Jobs by App Snapshot</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app | stats dc(eai:acl.owner) AS Users by eai:acl.app | sort Users desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Summary Stats</title>
      <table>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | stats count AS Jobs sum(isDone) AS Done sum(isFailed) AS Failed sum(isFinalized) AS Finalized sum(isPaused) AS Paused by author eai:acl.owner eai:acl.app  | sort Jobs desc</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Failed Jobs Table</title>
        <search>
          <query>| rest /services/search/jobs  | search isFailed=1 | table eai:acl.owner eai:acl.app diskUsage updated messages.error title</query>
          <earliest>1439438400</earliest>
          <latest>1442051915</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Details</title>
      <table>
        <title>Look at search.</title>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | table updated author eai:acl.owner eai:acl.app isDone isFinalized isFailed isPaused diskUsage title | sort updated desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma
Reply
Solved! Jump to solution

apurva1707
New Member
‎04-04-2016 05:12 AM

Thank you that helps.. 🙂

0 Karma
Reply
Solved! Jump to solution

apurva1707
New Member
‎04-04-2016 12:26 AM

Thank you. I am not sure if this solves my purpose. If the dispatch_dir_warning_size = 2000, I need to display the warning when the dispatch directory reaches its limit, say 1900. All this in a dashboard.

0 Karma
Reply
Solved! Jump to solution

snoobzilla
Builder
‎04-04-2016 04:30 AM

That is the source for a dashboard. If you make a dashboard, edit source and paste that in you will have a few different panels.

First panel is Jobs thermometer based on query | rest /services/search/jobs | stats count

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...