I am a total Splunk noob (thought I'd throw that out early). I was wondering if there was a way to set up a single value panel to place in a dashboard that displays the indexing volume used for the day. Basically, I want to take the information that is displayed under "Local server information", "Volume used today" in Manager > Licensing.
I have been able to set this up in a chart, using the following search:
index=_internal source=*license_usage.log | eval MB=b/1024/1024 | timechart span=1d sum(MB) by pool
The single value displays "2011-09-22T00:00:00.000-0400" when I try to use the above search to create a single value panel in my dashboard.
Thanks for any help!
Perhaps things have changed, but last I recall, you could not create those single value widgets using simple XML, but rather had to use Advanced XML for it. I wanted to create the single-value widgets on my early Splunk dashboards and I was disappointed to find that I had to work harder to do it (i.e. learn something about advanced XML to do it).
The module that you'd use in advanced XML is the "SingleValue" module. There's also a nice "UI Examples" app on Splunkbase with lots of examples on how to do things. Currently found here. The main page of that app has several single value examples and tells you how to look at the XML code they're based on.
Note that your search command is looking over the past day (i.e. last 24 hours) for results rather than the amount used today. Also, for the single value module, you're going to want to churn out a single value for it so something like
index=_internal source=*license_usage.log earliest=@d | eval MB=b/1024/1024 | stats sum(MB) by pool
should do it. The "@d" will cause the search to "snap" to the nearest day. See documentation on Splunk Time Modifiers here.
So, I've got this working using the following search string:
index=_internal source=*license_usage.log earliest=-0d@d | eval MB=round(b/1024/1024, 2) | stats sum(MB)
It displays the usage in MB, rounded to 2 decimal places.
I'm now trying to change the panel color using rangemap and am not having success. My search string looks like this:
index=_internal source=*license_usage.log earliest=-0d@d | eval MB=round(b/1024/1024, 2) | stats sum(MB) | rangemap field=sum(MB) low=1-350 elevated=351-400 severe=401-500 default=severe
I have placed the option <option name="classField">range</option> below the title in my XML as instructed by the rangemap search reference found here, but instead of getting a numeric value with a green background, I'm getting the numeric value replaced with the word in the rangemap. Meaning, if the numeric sum is 250, instead of the panel being green with 250MB as the value, I get a green panel that says lowMB. You may be right, I may have to use a module to do this, but I seem to be so close. I get the correct numeric value if I leave the rangemap and classField out of the XML. Any ideas as to what I'm doing wrong?
Thanks!
