Hi all!
Just can't figure out how to get this to work.
I am searching for firewall drops in my indexed logs, so I currently have this search: action="drop".
I would like to have the drop rate (per second) of all the firewalls and display it on a radial gauge.
Can anyone help me with that...?
Thanks!
David
Hi again all!
I finally got my dashboard working fine with 'live' area charts combined with a 'live' gauge next to them.
The problem with this type of request is that you will get, as a result of your search, several lines. In my case, one per second elapsed. With this, you will be able to graph them as a line or area chart updating every x second(s).
But you can't display a 'live' gauge with these results.
So the trick is that you have to get ONLY one result to be able to show it in a 'live' gauge.
To do this, you have to append " | tail 1" to your search.
Sum-up:
If you need a 'live' line or area chart:
action="drop" | timechart span=1s count
If you need a 'live' gauge (radial, meter, filler) counter:
action="drop" | bucket _time span=1s | stats count(_raw) as eps by _time | table eps | tail 1
Enjoy now!
David
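For anyone who wants to see what the two searches in David's answer actually compute, here is the same logic re-done in plain Python over a handful of constructed firewall log lines. This is an added example, not code from the original post or from Splunk; the syslog-like line format and the field names (fw, action, src, dst, dport) are assumptions made for illustration.

```python
"""Added example (not from the original post): reproduces in Python what the
two Splunk searches above compute, using constructed firewall log lines.
The log format and field names are assumptions made for illustration."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events, one per line: ISO timestamp, then key=value pairs.
SAMPLE_LOGS = """\
2024-05-01T12:00:00.120Z fw=fw-a action=drop src=10.0.0.5 dst=192.0.2.10 dport=445
2024-05-01T12:00:00.480Z fw=fw-b action=drop src=10.0.0.6 dst=192.0.2.11 dport=23
2024-05-01T12:00:00.900Z fw=fw-a action=allow src=10.0.0.7 dst=192.0.2.12 dport=443
2024-05-01T12:00:01.050Z fw=fw-a action=drop src=10.0.0.8 dst=192.0.2.10 dport=3389
2024-05-01T12:00:03.200Z fw=fw-b action=drop src=10.0.0.9 dst=192.0.2.13 dport=22
2024-05-01T12:00:03.700Z fw=fw-b action=drop src=10.0.0.9 dst=192.0.2.13 dport=22
2024-05-01T12:00:03.950Z fw=fw-a action=drop src=10.0.0.9 dst=192.0.2.13 dport=22
"""


def parse_event(line):
    """Split one log line into (epoch seconds as float, dict of key=value fields)."""
    ts, _, rest = line.partition(" ")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return when.timestamp(), fields


def drop_counts_per_second(raw_logs):
    """Equivalent of: action="drop" | bucket _time span=1s | stats count by _time
    Returns {bucket_epoch: count}, with a row only for seconds that had a drop."""
    counts = Counter()
    for line in raw_logs.splitlines():
        if not line.strip():
            continue
        epoch, fields = parse_event(line)
        if fields.get("action") != "drop":   # the action="drop" filter
            continue
        counts[int(epoch)] += 1              # bucket _time span=1s: floor to the second
    return dict(sorted(counts.items()))


def drop_timechart(raw_logs):
    """Equivalent of: action="drop" | timechart span=1s count
    timechart emits every second in the range and fills empty seconds with 0,
    which is what makes it suitable for a continuous line or area chart."""
    counts = drop_counts_per_second(raw_logs)
    if not counts:
        return []
    first, last = min(counts), max(counts)
    return [(sec, counts.get(sec, 0)) for sec in range(first, last + 1)]


def gauge_eps(raw_logs):
    """Equivalent of: ... | stats count(_raw) as eps by _time | table eps | tail 1
    The gauge receives exactly one number: the count in the latest bucket that
    had at least one drop (stats by _time does not emit empty buckets)."""
    counts = drop_counts_per_second(raw_logs)
    if not counts:
        return 0
    return counts[max(counts)]


if __name__ == "__main__":
    for sec, n in drop_timechart(SAMPLE_LOGS):
        print(datetime.fromtimestamp(sec, timezone.utc).strftime("%H:%M:%S"), n)
    print("gauge eps:", gauge_eps(SAMPLE_LOGS))
```

With the sample lines above, the chart series is 2, 1, 0, 3 drops for the four consecutive seconds, and the gauge value is 3. Note the difference the two functions show: timechart fills the empty second with 0, while stats by _time only produces rows for seconds that contained a drop, so the tail 1 value is the latest non-empty bucket, not necessarily the most recent wall-clock second.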