Hello,
I have a couple of detailed dashboards, all indicating the health status of my systems. Instead of opening each detailed dashboard and looking at every graph, I would like to have one "Overview Dashboard" in traffic-light indication style.
If an error is shown in a detailed dashboard, I would like the traffic light on the overview dashboard to turn red, with the option of a drilldown link to the detailed dashboard where the error was found.
Any good ideas how one would build something like that? I've one solution, but it seems to be complicated. I would leverage scheduled searches which write into different lookups.
The overview dashboard could read from those lookups and search for error codes.
It sounds like you want a Key Performance Indicator Dashboard or a summary ERRORS-level Dashboard that's light.
So, at a high level, define what those KPIs, metrics, or Log_levels might look like and create your searches.
Simple example:
Summary Dashboard for my LOG_LEVELS
ERROR_MESSAGES = index=_internal log_level=ERROR NOT debug source=*splunkd.log* | timechart count
WARNING_MESSAGES = index=_internal log_level=WARN NOT debug source=*splunkd.log* | timechart count
INFO_MESSAGES = index=_internal log_level=INFO NOT debug source=*splunkd.log* | timechart count
Based on the above example log counts, you could use the Single Value Element with a trend indicator/colour and use the timechart command count for various values you want to see and have a link to your detailed dashboards.
Have a look here first and see if this is what you might want to do:
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/DashStudio/chartsSV
You can also download the old Splunk dashboard examples app; this also shows you how you can do this for the single value element, along with many other examples.
Thank you for your answer deepakc,
but that is not correct. I do not want to have a simple KPI Dashboard.
Each detailed (sub) dashboard has custom queries which I don't want to run automatically twice, once in the detailed board and once on the summary board.
Maybe a simple example makes my question clearer:
App1-Dashboard:
- 10 different custom queries which will show 10 different traffic-light-style indications
App2-Dashboard:
- 50 different custom queries which will show 50 different traffic-light-style indications
App3-Dashboard:
- 15 different custom queries which will show 15 different traffic-light-style indications
The logs are not simply evaluated based on log-level, rather based on specific string combinations.
Instead of looking at each of my three dashboards one by one, I would like to have a "Summary Dashboard" which only includes three traffic lights, one for each app mentioned above. If e.g. App2-Dashboard has one of 50 traffic light warnings, I would like to see the traffic light of App2 in my "Summary Dashboard" indicate yellow or red to make sure I'm aware of any problem in App2.
I do not want to have all custom queries run in the Summary Dashboard and on each App Dashboard.
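
The lookup approach described in the first post, sketched as an added example that is not part of the original thread: one scheduled search per app evaluates its string-based checks once and writes each check's status to a shared lookup, and the overview reads only that lookup. The index, match strings, thresholds, lookup file and dashboard names are assumptions.

```ini
# savedsearches.conf (added example). The index, match strings, thresholds,
# lookup file and dashboard names are hypothetical placeholders.
# Assumes health_status.csv already exists (create it once, empty).

# One scheduled search per app. Each custom check is evaluated once here.
# stats without a BY clause always returns a row, so a check with zero hits
# is written as green instead of leaving an old red row in the lookup.
# New rows come first and dedup keeps the first row per app/check, so the
# rows of the other apps already in the lookup are preserved.
[health_app2]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
search = index=app2_logs \
| stats count(eval(like(_raw, "%payment%") AND like(_raw, "%gateway timeout%"))) AS payment_gateway_timeout \
        count(eval(like(_raw, "%queue depth exceeded%"))) AS queue_depth \
| eval app="App2" \
| untable app check hits \
| eval status=case(hits==0, "green", hits<5, "yellow", true(), "red"), \
       dashboard="app2_dashboard", updated=now() \
| inputlookup append=true health_status.csv \
| dedup app check \
| outputlookup health_status.csv

# Overview dashboard search: one row per app, worst check wins. Rows older
# than 30 minutes are reported as "stale" so that a scheduled search that
# stopped running is not mistaken for a healthy app. The dashboard field
# carries the drilldown target for each traffic light.
[health_overview]
search = | inputlookup health_status.csv \
| eval sev=case(now()-updated>1800, 3, status=="red", 2, status=="yellow", 1, true(), 0) \
| stats max(sev) AS sev values(eval(if(sev>0, check, null()))) AS failing_checks BY app dashboard \
| eval status=case(sev==3, "stale", sev==2, "red", sev==1, "yellow", true(), "green") \
| table app status failing_checks dashboard
```

The detailed dashboards can read their own rows from the same lookup, so each custom query runs only in its scheduled search.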