Overview Dashboard Summarize Errors

mclog
New Member

Hello,

I've a couple of detailed dashboards, all indicating the health status of my systems. Instead of opening each detailed dashboard and looking at every graph, I would like to have one "Overview Dashboard" in traffic light indication style.

If one error would be shown in a detailed dashboard, I would like to have the traffic light at the overview dashboard turn red with the option to have the drilldown link to the detailed dashboard where the error was found.

Any good ideas how one would build something like that? I've one solution, but it seems to be complicated. I would leverage scheduled searches which write into different lookups. 
The overview dashboard could read from those lookups and search for error codes.

 


deepakc
Builder

It sounds like you want a Key Performance Indicator Dashboard or summary ERRORS level Dashboard that's light.

So, at a high level - define what those KPIs, metrics, or Log_levels might look like and create your searches.

Simple example

Summary Dashboard for my LOG_LEVELS

ERROR_MESSAGES = index=_internal log_level=ERROR NOT debug source=*splunkd.log* | timechart count

WARNING_MESSAGES = index=_internal log_level=WARN NOT debug source=*splunkd.log* | timechart count

INFO_MESSAGES = index=_internal log_level=INFO NOT debug source=*splunkd.log* | timechart count

 

Based on the above example log counts, you could use the Single Value Element with a trend indicator/colour and use the timechart command count for various values you want to see and have a link to your detailed dashboards.

Have a look here first and see if this is what you might want to do

https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/DashStudio/chartsSV

You can also download the old Splunk dashboard examples app, this also shows you how you can do this for the single value element and many other examples.

https://splunkbase.splunk.com/app/1603


mclog
New Member

Thank you for your answer deepakc,

but that is not correct. I do not want to have a simple KPI Dashboard.

Each detailed (sub) dashboard has custom queries which I don't want to run automatically twice, once in the detailed board and once on the summary board.

Maybe a simple example makes my question more clear:

App1-Dashboard:
- 10 different custom queries which will show 10 different traffic light style indications
App2-Dashboard:
- 50 different custom queries which will show 50 different traffic light style indications
App3-Dashboard:
- 15 different custom queries which will show 15 different traffic light style indications

The logs are not simply evaluated based on log-level, rather based on specific string combinations.

Instead of looking at each of my three dashboards one by one, I would like to have a "Summary Dashboard" which only includes three traffic lights, one for each app mentioned above. If e.g. App2-Dashboard has one of 50 traffic light warnings, I would like to see the traffic light of App2 in my "Summary Dashboard" indicate yellow or red to make sure I'm aware of any problem in App2.

I do not want to have all custom queries run in the Summary Dashboard and on each App Dashboard.

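As an added example (not code posted in this thread), here is one way to build the lookup-based design mclog describes, so that each app's string-match checks run only once: a scheduled search per app evaluates that app's checks and writes a single status row to its own lookup, and the summary dashboard reads nothing but those lookups. The index name, the match patterns, the lookup file names, the dashboard ids and the 15-minute staleness threshold are all placeholders chosen for illustration; replace them with the real checks from the App dashboards. The "NAME = search" labels follow the convention deepakc used above and are not part of the SPL.

```spl
app1_status_writer =
index=app1 earliest=-15m
| eval check=case(
      match(_raw, "connection refused"),                   "db_connect",
      match(_raw, "payment") AND match(_raw, "timeout"),    "payment_timeout",
      true(),                                               null())
| where isnotnull(check)
| eval severity=case(check="db_connect", 2, check="payment_timeout", 1)
| stats count AS hits, max(severity) AS severity
| fillnull value=0 hits severity
| eval app="App1", dashboard="app1_dashboard", updated=now()
| outputlookup app1_status.csv

summary_traffic_lights =
| inputlookup app1_status.csv
| append [| inputlookup app2_status.csv]
| append [| inputlookup app3_status.csv]
| eval severity=tonumber(severity), age_sec=now()-tonumber(updated)
| eval reason=if(age_sec > 900, "status lookup is stale", "")
| eval severity=if(age_sec > 900, 2, severity)
| rangemap field=severity low=0-0 elevated=1-1 severe=2-2 default=severe
| eval light=case(range="low", "green", range="elevated", "yellow", true(), "red")
| table app light severity hits age_sec reason dashboard
```

Save `app1_status_writer` (and the App2/App3 equivalents) as scheduled reports and run them once by hand before loading the summary, since `inputlookup` fails on a lookup file that does not exist yet. The writer always emits exactly one row, even when no check matched (`stats count` returns 0 on an empty result and `fillnull` sets `severity` to 0), so the lookup is never left empty. The summary deliberately turns a light red when its lookup has not been refreshed within the expected interval: a scheduled search that has silently stopped running is itself a finding, and without that check the overview would keep showing green. In the summary panel, a drilldown of the form `/app/search/$row.dashboard$` then links each light to its detailed dashboard.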