Splunk Search

Live count in radial gauge

vidda42
Explorer

Hi all !

Just can't figure out how to get this work.
I am searching for firewall drops in my indexed logs, so I currently have this search : action="drop".
I would like to have the drop-rate (per second) of all the firewalls and display it on a radial gauge.

Can anyone help me with that...?

Thanx !

David

Tags (1)
0 Karma
1 Solution

vidda42
Explorer

Hi again all !

I finally got my dashboard working fine with 'live' area charts combined with a 'live' gauge next to them.
The problem in this type of request is that you will get, as a result of your search, several lines. In my case, one per second elapsed. With this, you will be able to graph them as a line or area chart updating every x second(s).

But, you can't display a 'live' gauge with these results.
So, the trick is that you have to get ONLY one result, to be able to show it in a 'live' gauge.

To do this, you have to " | tail 1" your search.

Sum-up:

  • If you need a 'live' line or area chart :
    action="drop" | timechart span=1s count

  • If you need a 'live' gauge (radial, meter, filler) counter :
    action="drop" | bucket _time span=1s | stats count(_raw) as eps by _time | table eps | tail 1

Enjoy now !

David

View solution in original post

vidda42
Explorer

Hi again all !

I finally got my dashboard working fine with 'live' area charts combined with a 'live' gauge next to them.
The problem in this type of request is that you will get, as a result of your search, several lines. In my case, one per second elapsed. With this, you will be able to graph them as a line or area chart updating every x second(s).

But, you can't display a 'live' gauge with these results.
So, the trick is that you have to get ONLY one result, to be able to show it in a 'live' gauge.

To do this, you have to " | tail 1" your search.

Sum-up:

  • If you need a 'live' line or area chart :
    action="drop" | timechart span=1s count

  • If you need a 'live' gauge (radial, meter, filler) counter :
    action="drop" | bucket _time span=1s | stats count(_raw) as eps by _time | table eps | tail 1

Enjoy now !

David

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...