Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Live count in radial gauge

vidda42
Explorer
‎12-21-2012 01:55 AM

Hi all !

Just can't figure out how to get this work.
I am searching for firewall drops in my indexed logs, so I currently have this search : action="drop".
I would like to have the drop-rate (per second) of all the firewalls and display it on a radial gauge.

Can anyone help me with that...?

Thanx !

David

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vidda42
Explorer
‎12-21-2012 12:51 PM

Hi again all !

I finally got my dashboard working fine with 'live' area charts combined with a 'live' gauge next to them.
The problem in this type of request is that you will get, as a result of your search, several lines. In my case, one per second elapsed. With this, you will be able to graph them as a line or area chart updating every x second(s).

But, you can't display a 'live' gauge with these results.
So, the trick is that you have to get ONLY one result, to be able to show it in a 'live' gauge.

To do this, you have to " | tail 1" your search.

Sum-up:

  • If you need a 'live' line or area chart :
    action="drop" | timechart span=1s count

  • If you need a 'live' gauge (radial, meter, filler) counter :
    action="drop" | bucket _time span=1s | stats count(_raw) as eps by _time | table eps | tail 1

Enjoy now !

David

View solution in original post

Reply
Solved! Jump to solution
Solution

vidda42
Explorer
‎12-21-2012 12:51 PM

Hi again all !

I finally got my dashboard working fine with 'live' area charts combined with a 'live' gauge next to them.
The problem in this type of request is that you will get, as a result of your search, several lines. In my case, one per second elapsed. With this, you will be able to graph them as a line or area chart updating every x second(s).

But, you can't display a 'live' gauge with these results.
So, the trick is that you have to get ONLY one result, to be able to show it in a 'live' gauge.

To do this, you have to " | tail 1" your search.

Sum-up:

  • If you need a 'live' line or area chart :
    action="drop" | timechart span=1s count

  • If you need a 'live' gauge (radial, meter, filler) counter :
    action="drop" | bucket _time span=1s | stats count(_raw) as eps by _time | table eps | tail 1

Enjoy now !

David

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...