Need help in some formatting the result

Ashish0405
Explorer

Hi Team,

I am a firewall engineer and am working on the creation of some dashboards.

I have created one dashboard; whenever our firewall fails over, the dashboard shows the result as "Active", "Standby" or "Down" in gauge format.

However, I would like to set up the dashboard this way:

1) whenever the firewall fails over and it is in the "Down" state, the gauge colour should be red

2) whenever the firewall fails over and it is in the "Active" state, the gauge colour should be green

3) whenever the firewall fails over and it is in the "Standby" state, the gauge colour should be amber

[screenshot: Ashish0405_0-1733831914496.png]

Does anyone know about this and can help me with some sample examples to understand?


Ashish0405
Explorer

Appreciate your help, thank you so much. The script works for me.


bowesmana
SplunkTrust

I'm guessing this is Chris Younger's Number Display Viz; those spinner gauges look familiar.

Is this what you're after? This is an example of setting the color field based on the desired colours:

| makeresults format=csv data="State_Before,State_After,Cluster_Name
DOWN,STANDBY,Host1
STANDBY,ACTIVE,Host2
STANDBY,DOWN,Host3"
| eval color=case(State_After="DOWN", "#FF0000", State_After="ACTIVE", "#00FF00", State_After="STANDBY", "#FFBF00")
| rename Cluster_Name as value, State_After as title
| table title value color

and you end up with this:

[screenshot: bowesmana_0-1733895244486.png]


Ashish0405
Explorer

I am getting the below error while using the script. Is there any mistake in placing the script shared by you?

Previous script:

-------------------------

index=firewall (origin=10.254.17.* OR origin=10.254.252.* OR origin=10.254.253.*) OR *VGUK* OR *VGBR* OR *VGCY* OR *VGIN* OR *VGRU* OR *VGMY* OR *VGKC* OR *EQX* OR *PDN* OR *VSHW*
| search "state change: * -> Down" OR "state change: * -> Standby" OR "state change: * -> Active"
| rex field=_raw "^(?:[^:\n]*:){5}\s+(?P<State_before>[^ ]+)\s+\->\s+(?P<State_after>\w+)"
| dedup Cluster_name
| stats count by host,State_after

[screenshot: Ashish0405_0-1733903324702.png]

bowesmana
SplunkTrust

The use of makeresults is to show examples of how to use a technique, so what you need is the eval statement that sets the field 'color' based on the values of State_after. Add it after your stats command:

| eval color=case(State_after="DOWN", "#FF0000", State_after="ACTIVE", "#00FF00", State_after="STANDBY", "#FFBF00")
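As an added illustration (not code from this thread or from Splunk), the following Python script re-implements the logic of the final search offline: the thread's rex pattern applied to constructed sample events, one most-recent state per host as dedup keeps, and the case() colour mapping. The host names and log lines are constructed, events are assumed to arrive oldest first, and the state is upper-cased before the lookup because eval's = comparison is case-sensitive while the search strings in the thread use "Down"/"Standby"/"Active".

```python
import re

# Constructed sample events (host, _raw). The five colon-terminated segments
# before the state are what the thread's rex pattern skips over.
SAMPLE_EVENTS = [
    ("Host1", "Dec 10 10:00:01 fw01 cluster: VGUK: state change: Active -> Standby"),
    ("Host2", "Dec 10 10:00:02 fw02 cluster: VGBR: state change: Standby -> Active"),
    ("Host3", "Dec 10 10:00:03 fw03 cluster: VGCY: state change: Active -> Down"),
    ("Host1", "Dec 10 10:05:00 fw01 cluster: VGUK: state change: Standby -> Active"),
]

# Same pattern as the rex command in the thread (Python re, not Splunk).
LOG_RE = re.compile(
    r"^(?:[^:\n]*:){5}\s+(?P<State_before>[^ ]+)\s+\->\s+(?P<State_after>\w+)"
)

# The case() mapping from the answer: DOWN red, ACTIVE green, STANDBY amber.
COLOR_BY_STATE = {"DOWN": "#FF0000", "ACTIVE": "#00FF00", "STANDBY": "#FFBF00"}


def extract_state(raw):
    """Return (State_before, State_after) or None when the event does not match."""
    m = LOG_RE.match(raw)
    return None if m is None else (m.group("State_before"), m.group("State_after"))


def latest_state_per_host(events):
    """Keep one state per host, like `dedup` on a time-ordered result set.

    Events are assumed oldest first, so the last match for a host wins.
    Non-matching events are dropped, as the `search` filter would drop them."""
    latest = {}
    for host, raw in events:
        states = extract_state(raw)
        if states is not None:
            latest[host] = states[1]
    return latest


def color_for(state):
    """Mirror case() with no default: unknown states get no colour (None)."""
    return COLOR_BY_STATE.get(state.upper())


def build_table(events):
    """Rows shaped like `table title value color` in the answer."""
    return [
        {"title": state, "value": host, "color": color_for(state)}
        for host, state in sorted(latest_state_per_host(events).items())
    ]
```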


Ashish0405
Explorer

Thank you!!! It worked!

dural_yyz
Builder

Is this an XML or Studio dashboard example? What viz are you using, custom vs OOTB?
