
Place indexing volume used today in a single value panel.

appmandan
Path Finder

I am a total Splunk noob (thought I'd throw that out early). I was wondering if there is a way to set up a single value panel, placed in a dashboard, that displays the indexing volume used for the day. Basically I want to take the information that is displayed under Local server information, Volume used today, in Manager > Licensing.

I have been able to set this up in a chart, using the following search:
index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | timechart span=1d sum(MB) by pool

The single value displays "2011-09-22T00:00:00.000-0400" when I try to use the above search to create a single value panel in my dashboard.

Thanks for any help!

1 Solution

mfrost8
Builder

Perhaps things have changed, but last I recall, you could not create those single value widgets using simple XML, but rather had to use Advanced XML for it. I wanted to create the single-value widgets on my early Splunk dashboards and I was disappointed to find that I had to work harder to do it (i.e. learn something about advanced XML to do it).

The module that you'd use in advanced XML is the "SingleValue" module. There's also a nice "UI Examples" on Splunkbase with lots of examples on how to do things. Currently found here. The main page of that app has several single value examples and tells you how to look at the XML code they're based on.

Note that your search command is looking over the past day (i.e. last 24 hours) for results rather than the amount used today. Also, for the single value module, you're going to want to churn out a single value for it so something like

index=_internal source=*license_usage.log type=Usage earliest=@d | eval MB=b/1024/1024 | stats sum(MB) by pool

should do it. The "@d" will cause the search to "snap" to the nearest day. See documentation on Splunk Time Modifiers here.


appmandan
Path Finder

So, I've got this working using the following search string:

index=_internal source=*license_usage.log type=Usage earliest=-0d@d | eval MB=round(b/1024/1024, 2) | stats sum(MB)

It displays the usage in MB, rounded to 2 decimal places.

I'm now trying to change the panel color using rangemap and am not having success. My search string looks like this:

index=_internal source=*license_usage.log type=Usage earliest=-0d@d | eval MB=round(b/1024/1024, 2) | stats sum(MB) as MB | rangemap field=MB low=0-350 elevated=350.01-400 severe=400.01-500 default=severe

I have placed the option <option name="classField">range</option> below the title in my XML as instructed by the rangemap search reference found here, but instead of getting a numeric value with a green background, I'm getting the numeric value replaced with the word from the rangemap. Meaning if the numeric sum is 250, instead of the panel being green with 250MB as the value, I get a green panel that says lowMB. You may be right, I may have to use a module to do this, but I seem to be so close. I get the correct numeric value if I leave the rangemap and classField out of the XML. Any ideas as to what I'm doing wrong?

Thanks!

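The searches in this thread, reimplemented in Python over a few constructed license_usage.log lines. This is an added example and not part of any post above; it exists so the two pitfalls can be checked offline: the earliest=@d day snap, and the midnight type="RolloverSummary" line that a search without type=Usage sums in a second time on top of the Usage lines. The log layout and field names (type, pool, b) are assumptions modelled on splunkd's license_usage.log, and NOW, the sample lines and the rangemap thresholds are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real data). They imitate the key="value"
# layout of splunkd's license_usage.log; the only fields used are type,
# pool and b (bytes), the same ones the searches in the thread rely on.
SAMPLE_LOG = """\
09-22-2011 00:00:02.001 -0400 INFO  LicenseUsage - type="RolloverSummary" pool="auto_generated_pool_enterprise" b=734003200 poolsz=5368709120
09-22-2011 09:00:00.123 -0400 INFO  LicenseUsage - type="Usage" idx="main" pool="auto_generated_pool_enterprise" b=104857600 poolsz=5368709120
09-22-2011 09:01:00.456 -0400 INFO  LicenseUsage - type="Usage" idx="main" pool="auto_generated_pool_enterprise" b=52428800 poolsz=5368709120
09-22-2011 09:02:00.789 -0400 INFO  LicenseUsage - type="Usage" idx="_internal" pool="dev_pool" b=10485760 poolsz=1073741824
09-21-2011 23:59:59.000 -0400 INFO  LicenseUsage - type="Usage" idx="main" pool="auto_generated_pool_enterprise" b=2097152 poolsz=5368709120
"""

# Hypothetical "now" for the searches: noon on 2011-09-22, US Eastern (-0400).
NOW = datetime(2011, 9, 22, 12, 0, tzinfo=timezone(timedelta(hours=-4)))

TS_RE = re.compile(r"^(\d\d-\d\d-\d{4} \d\d:\d\d:\d\d\.\d{3} [+-]\d{4})")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware _time plus its k=v fields."""
    m = TS_RE.match(line)
    if not m:
        return None
    event = {"_time": datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")}
    for key, quoted, bare in KV_RE.findall(line[m.end():]):
        event[key] = quoted if quoted else bare
    return event


def snap_to_day(t):
    """Equivalent of the @d time modifier: midnight at the start of t's own day."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def usage_today_mb(log_text, now, usage_only=True):
    """stats sum(MB) by pool over events with _time >= now@d.

    usage_only=True mirrors adding type=Usage to the search. With False the
    RolloverSummary line written at midnight is summed in as well, which
    double counts the previous day's total inside today's number.
    """
    earliest = snap_to_day(now)
    totals = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["_time"] < earliest:
            continue
        if usage_only and ev.get("type") != "Usage":
            continue
        mb = int(ev["b"]) / 1024 / 1024
        totals[ev["pool"]] = totals.get(ev["pool"], 0.0) + mb
    return {pool: round(mb, 2) for pool, mb in totals.items()}


def single_value_mb(log_text, now):
    """stats sum(MB) with no by-clause: the single number a single value panel wants."""
    return round(sum(usage_today_mb(log_text, now).values()), 2)


# Thresholds from the thread. Bounds are inclusive like rangemap's, and the
# gap between 350 and 351 is closed so a 2-decimal value such as 350.50
# cannot fall through to the default.
RANGES = [("low", 0, 350), ("elevated", 350.01, 400), ("severe", 400.01, 500)]


def rangemap(value, ranges=RANGES, default="severe"):
    """Return the first range label whose inclusive bounds contain value, else default."""
    for label, lo, hi in ranges:
        if lo <= value <= hi:
            return label
    return default


if __name__ == "__main__":
    by_pool = usage_today_mb(SAMPLE_LOG, NOW)
    total = single_value_mb(SAMPLE_LOG, NOW)
    print("by pool:", by_pool)
    print("single value:", total, "MB ->", rangemap(total))
    print("without type=Usage:", usage_today_mb(SAMPLE_LOG, NOW, usage_only=False))
```

Run as-is it reports 150 MB for the enterprise pool and 10 MB for dev_pool (160 MB total, "low"); the 09-21 line is cut off by the day snap, and dropping the type filter inflates the enterprise pool to 850 MB because the 700 MB RolloverSummary line is counted again.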
