- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Overview Dashboard Summarize Errors
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Overview Dashboard Summarize Errors
Hello,
I've a couple of detailed dashboards, all indicating the health status of my systems. Instead of opening each detailed dashboard and looking at every graph, I would like to have one "Overview Dashboard" traffic light indication style.
If one error would be shown in a detailed dashboard, I woud like to have the traffic light at the overview dashboard turn red with the option to have the drilldown link to the ´detailed dasboard where the error was found.
Any good ideas how one would build something like that? I've one solution, but it seems to be complicated. I would leverage scheduled searches which write into different lookups.
The overview dashboard could read from those lookups and search for error codes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you want a Key Performance Indicator Dashboard or summary ERROS level Dashboard that's light.
So, at a high level - define what those KPI's, metrics, or Log_levels might look like and create your search’s
Simple example
Summary Dashboard for my LOG_LEVELS
ERROR_MESSAGES = index=_internal log_level=ERROR NOT debug source=*splunkd.log* | timechart count
WARNING_MESSAGES = index=_internal log_level=WARN NOT debug source=*splunkd.log* | timechart count
INFO_MESSAGES = index=_internal log_level=INFO NOT debug source=*splunkd.log* | timechart count
Based on the above example log counts, you could use the Single Value Element with a trend indicator/colour and use the timechart command count for various values you want to see and have a link to your detailed dashboards.
Have a look here first and see if this is what you might want to do
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/DashStudio/chartsSV
You can also download the old Splunk dashboard examples app, this also shows you how can do this for the single value element and many other examples.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer deepakc,
but that is not correct. I do not want to have a simple KPI Dashboard.
Each detailed (sub) dashboard, has custom query's which I don't want to run automatically twice, once in the detailed board and once on the summary board.
Maybe an simple example makes my question more clear:
App1-Dashboard:
- 10 different custom query's which will show 10 different traffic light style of indication
App2-Dashboard:
- 50 different custom query's which will show 50 different traffic light style of indication
App3-Dashboard:
- 15 different custom query's which will show 15 different traffic light style of indication
The logs are not simply evaluated based on log-level, rather based on specific string combinations.
Instead of looking to each of my three dashboards one by one, I would like to have a "Summary Dashboard" which only includes three traffic lights. One for each mentioned app above. If e.g. App2-Dashboard has one of 50 traffic light warnings, I would like to see the traffic light of App2 in my "Summary Dashboard" indicate yellow or red to make sure I'm aware of any problem in App2.
I do not want to have all custom query's run in the Summary Dashboard and on each App Dashboard.
.conf24 | Day 0
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
