Splunk Search

Live count in radial gauge

vidda42
Explorer

Hi all !

Just can't figure out how to get this work.
I am searching for firewall drops in my indexed logs, so I currently have this search : action="drop".
I would like to have the drop-rate (per second) of all the firewalls and display it on a radial gauge.

Can anyone help me with that...?

Thanx !

David

Tags (1)
0 Karma
1 Solution

vidda42
Explorer

Hi again all !

I finally got my dashboard working fine with 'live' area charts combined with a 'live' gauge next to them.
The problem in this type of request is that you will get, as a result of your search, several lines. In my case, one per second elapsed. With this, you will be able to graph them as a line or area chart updating every x second(s).

But, you can't display a 'live' gauge with these results.
So, the trick is that you have to get ONLY one result, to be able to show it in a 'live' gauge.

To do this, you have to " | tail 1" your search.

Sum-up:

  • If you need a 'live' line or area chart :
    action="drop" | timechart span=1s count

  • If you need a 'live' gauge (radial, meter, filler) counter :
    action="drop" | bucket _time span=1s | stats count(_raw) as eps by _time | table eps | tail 1

Enjoy now !

David

View solution in original post

vidda42
Explorer

Hi again all !

I finally got my dashboard working fine with 'live' area charts combined with a 'live' gauge next to them.
The problem in this type of request is that you will get, as a result of your search, several lines. In my case, one per second elapsed. With this, you will be able to graph them as a line or area chart updating every x second(s).

But, you can't display a 'live' gauge with these results.
So, the trick is that you have to get ONLY one result, to be able to show it in a 'live' gauge.

To do this, you have to " | tail 1" your search.

Sum-up:

  • If you need a 'live' line or area chart :
    action="drop" | timechart span=1s count

  • If you need a 'live' gauge (radial, meter, filler) counter :
    action="drop" | bucket _time span=1s | stats count(_raw) as eps by _time | table eps | tail 1

Enjoy now !

David

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...