Splunk Search

Radial gauge and max value

Splunk Employee
Splunk Employee

Hi
I have a dataset that isn't entirely clean so I first do some trim to get rid of a trailing comma (,).
That didn't help so I tried using stats and gauge as well but no love.
After that I want to calculate the Max, Min and Avg values and display them in a radial gauge.
For some reason, the Max chooses to stop the dial at 100 even though it displays a higher numerical value.
alt text

It is set to "Automatic" in the Format box.
What can I do to get the radial to follow the max value?

0 Karma

I tried above solution. However I am facing problem in case of trellis. I am not able to apply seperate color range scheme for each guage. The values of token $greenLimit$, $yellowLimit$ from 1st row gets applied to all guages. Is there any solution for this?

0 Karma

SplunkTrust
SplunkTrust

This has definitely been asked before. You can apply dynamic color range to Gauge using three steps.

1) Calculate the color range limits using SPL
I have used total as max color limit, green limit at 50% of max and yellow limit at 75% of max. Following is the run anywhere search (PS: The gauge picks up value from the first column so your stats field to be represented on gauge should be first field in the final result table, in this case error count.)

index=_internal sourcetype=splunkd log_level=*
 | stats count(log_level) as total  count(eval(log_level!="INFO")) as error
 | eval greenLimit=round(total*.5,0)
 | eval yellowLimit=round(total*.75,0)
 | table error total greenLimit yellowLimit

Step 2: Add a <progress> or <done> search event handler post Splunk Enterprise 6.5, prior to that they were <preview> and <finalized> respectively). PS: I have created flat ranges with all color limits as 0 in case our SPL returns no results, otherwise it sets the tokens to be applied as gauge range values for colors.

          <done>
            <condition match="$job.resultCount$==0">
              <set token="greenLimit">0</set>
              <set token="yellowLimit">0</set>
              <set token="total">0</set>
            </condition>
            <condition>
              <set token="greenLimit">$result.greenLimit$</set>
              <set token="yellowLimit">$result.yellowLimit$</set>
              <set token="total">$result.total$</set>
            </condition>
          </done>

3) Set the Gauge chart configuration <charting.chart.rangeValues> using dynamic tokens set in previous step

<option name="charting.chart.rangeValues">[0,$greenLimit$,$yellowLimit$,$total$]</option>

PS: Colors have been picked up accordingly:

        <option name="charting.gaugeColors">["0x84E900","0xFFE800","0xBF3030"]</option>

alt text

Following is the run anywhere dashboard illustrating total count of events in Splunk _internal index with gauge depicting the count of errors.

<dashboard>
  <label>Dynamic Range for Gauge</label>
  <row>
    <panel>
      <title>Radial Gauge with Dynamic Color Range</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
| stats count(log_level) as total  count(eval(log_level!="INFO")) as error
| eval greenLimit=round(total*.5,0)
| eval yellowLimit=round(total*.75,0)
| table error total greenLimit yellowLimit</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
           <done>
             <condition match="$job.resultCount$==0">
               <set token="error">0</set>
               <set token="greenLimit">0</set>
               <set token="yellowLimit">0</set>
               <set token="total">0</set>
             </condition>
             <condition>
               <set token="error">$result.error$</set>
               <set token="greenLimit">$result.greenLimit$</set>
               <set token="yellowLimit">$result.yellowLimit$</set>
               <set token="total">$result.total$</set>
             </condition>
           </done>
        </search>
        <option name="charting.chart">radialGauge</option>
        <option name="charting.chart.showValue">false</option>
        <option name="charting.chart.rangeValues">[0,$greenLimit$,$yellowLimit$,$total$]</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.gaugeColors">["0x84E900","0xFFE800","0xBF3030"]</option>
        <option name="refresh.display">progressbar</option>
      </chart>
      <html>
        <div style="font-size:150%;font-weight:bold;color:#b8b167;top:-300%;left: 49%;position: absolute;">
          $error$
        </div>
      </html>
    </panel>
  </row>
</dashboard>

For getting rid of comma from number beneath Radial Gauge you will have to
1) Either use jQuery Selector to modify the data, since there is no Simple XML Chart Configuration for this.

2) a) Hide Gauge Value from visualization and

        <option name="charting.chart.showValue">false</option>

2 b) Show the Gauge Value using token passed to an HTML panel
PS: You would need to adjust CSS style based on your dashboard if you want HTML panel value to overlap on Gauge):

      <html>
        <div style="font-size:150%;font-weight:bold;color:#b8b167;top:-300%;left: 49%;position: absolute;">
          $error$
        </div>
      </html>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust
SplunkTrust

Not sure if this can be done with Trellies layout but it can be done for one single value in single visualization using gauge command. See 2nd answer from this post:

https://answers.splunk.com/answers/58085/gauges-with-dynamic-ranges.html