Splunk Search

How do I show the dispatch directory limit warning in a dashboard?

apurva1707
New Member

I need to make a dashboard wherein I have to show if the dispatch directory exceeds it limit. what would be the query for that ?

Tags (2)
0 Karma
1 Solution

snoobzilla
Builder

There is a Dispatch Directory dashboard in SoS.

I put this one together. Enjoy.

<dashboard>
  <label>Dispatch Directory Analysis</label>
  <row>
    <panel>
      <title>Jobs Thermometer</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | stats count</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">fillerGauge</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.rangeValues">["0","1000","2000","5000"]</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by App</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.app | stats count by eai:acl.app | sort count desc</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by User</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner | stats count by eai:acl.owner  | sort count desc</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.axisY2.enabled">undefined</option>
      </chart>
    </panel>
    <panel>
      <title>Distinct Users with Jobs by App Snapshot</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app | stats dc(eai:acl.owner) AS Users by eai:acl.app | sort Users desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Summary Stats</title>
      <table>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | stats count AS Jobs sum(isDone) AS Done sum(isFailed) AS Failed sum(isFinalized) AS Finalized sum(isPaused) AS Paused by author eai:acl.owner eai:acl.app  | sort Jobs desc</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Failed Jobs Table</title>
        <search>
          <query>| rest /services/search/jobs  | search isFailed=1 | table eai:acl.owner eai:acl.app diskUsage updated messages.error title</query>
          <earliest>1439438400</earliest>
          <latest>1442051915</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Details</title>
      <table>
        <title>Look at search.</title>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | table updated author eai:acl.owner eai:acl.app isDone isFinalized isFailed isPaused diskUsage title | sort updated desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>

View solution in original post

0 Karma

snoobzilla
Builder

There is a Dispatch Directory dashboard in SoS.

I put this one together. Enjoy.

<dashboard>
  <label>Dispatch Directory Analysis</label>
  <row>
    <panel>
      <title>Jobs Thermometer</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | stats count</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">fillerGauge</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.rangeValues">["0","1000","2000","5000"]</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by App</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.app | stats count by eai:acl.app | sort count desc</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>Jobs by User</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner | stats count by eai:acl.owner  | sort count desc</query>
          <earliest>-3d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.axisY2.enabled">undefined</option>
      </chart>
    </panel>
    <panel>
      <title>Distinct Users with Jobs by App Snapshot</title>
      <chart>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app | stats dc(eai:acl.owner) AS Users by eai:acl.app | sort Users desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Summary Stats</title>
      <table>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | stats count AS Jobs sum(isDone) AS Done sum(isFailed) AS Failed sum(isFinalized) AS Finalized sum(isPaused) AS Paused by author eai:acl.owner eai:acl.app  | sort Jobs desc</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Failed Jobs Table</title>
        <search>
          <query>| rest /services/search/jobs  | search isFailed=1 | table eai:acl.owner eai:acl.app diskUsage updated messages.error title</query>
          <earliest>1439438400</earliest>
          <latest>1442051915</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Details</title>
      <table>
        <title>Look at search.</title>
        <search>
          <query>| rest /services/search/jobs | fillnull value=MISSING eai:acl.owner eai:acl.app isFailed isDone isFinalized isPaused diskUsage updated title | table updated author eai:acl.owner eai:acl.app isDone isFinalized isFailed isPaused diskUsage title | sort updated desc</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma

apurva1707
New Member

Thank you that helps.. 🙂

0 Karma

apurva1707
New Member

Thank you. I am not sure if this solves my purpose. If the dispatch_dir_warning_size = 2000, I need to display the warning when the dispatch directory reaches its limit, say 1900. All this in a dashboard.

0 Karma

snoobzilla
Builder

That is the source for a dashboard. If you make a dashboard, edit source and paste that in you will have a few different panels.

First panel is Jobs thermometer based on query | rest /services/search/jobs | stats count

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...