Splunk Search

range status

kris99
New Member

How do I use range to display a green tick or red cross for the following?

index=xx sourcetype="yyy" State!="On"

If 'State' not equal to 'On' display red cross else green tick. I want it to take the latest event to check.

Thanks in advance for your help

0 Karma
1 Solution

datasearchninja
Communicator

You could:

  • get the latest value using the first() option to stats
  • use eval and if to set a numeric value for State depending on whether it is on or off
  • use rangemap and some custom CSS to set the icon

    index=xx sourcetype="yyy" | stats first(State) as State | eval StateBool = if (State=="On", 0, 1) | rangemap field=StateBool low=0-0 severe=1-1

You will need some custom CSS to add the icon to the dashboard. Check out the Splunk 6 Dashboard Examples app: https://apps.splunk.com/app/1603/ and the "Single Value Decorations" example.

Dashboard Panel:

    index=xx sourcetype="yyy" | stats first(State) as State | eval StateBool = if (State=="On", 0, 1) | rangemap field=StateBool low=0-0 severe=1-1
    -15m
    now
    range
    State
    icon-only

This will show a green "On", or a red value of "State" until the CSS is set, when you will get the icons.


kris99
New Member

Based on the above search, how do I join the two searches below and return the following within the same SingleValue?

  • If "ConnectionStatus" is "On" and "Events" is "0", display "No Errors" with low range

  • If "ConnectionStatus" is "On" and "Events" is greater than "0", display "Warning" with elevated range

  • If "ConnectionStatus" is NOT "On" and "Events" is greater than "0", display "Error" with severe range

index=xxx sourcetype="ConnectionStatus" State!="On" |stats first(State) as State | stats count | appendpipe [ stats count | eval Status="Up" | where count==0 ] | eval Status=if(count==0,"Up","Down") | eval range = if(Status=="No Errors","low","severe")

index=yyy sourcetype="Events" Type!=Information (EventCode>="3012" AND EventCode<="3054") | stats count | eval StateBool = if (count==0, 0, 1) | eval Status=if(count==0,"No Errors","Warning") | rangemap field=StateBool low=0-0 elevated=1-1 | table Status range

0 Karma

kris99
New Member

How can I rename the wording? If State = On, show as "Up", else show "Down".

0 Karma

datasearchninja
Communicator

Just use eval to create the field you need, or to rename the State field:

So change:

index=xx sourcetype="yyy" | stats first(State) as State | eval StateBool = if (State=="On", 0, 1) | rangemap field=StateBool low=0-0 severe=1-1

To something like:

index=xx sourcetype="yyy" | stats first(State) as State | eval StateBool = if (State=="On", 0, 1) | eval State = if (State=="On", "Up", "Down") | rangemap field=StateBool low=0-0 severe=1-1

0 Karma

kris99
New Member

I tried using the same technique to join multiple searches but am getting an error.

What am I doing wrong?

index=xx sourcetype="ConnectionStatus" State!="On" | stats count(State) as down_count | appendcols [search index=yy sourcetype="Events" Type!=Information (EventCode>="3012" AND EventCode<="3054") |stats count | rename count as evt_count] | eval StateBool = if(down_count==0 AND evt_count==0, 0, down_count==0 AND evt_count >0, 1, down_count>0 AND evt_count>0, 2) | eval Status = if(down_count==0 AND evt_count==0,"Ok", down_count==0 AND evt_count>0,"Warning", down_count>0 AND evt_count>0,"Error")| rangemap field=StateBool low=0-0 elevated=1-1 severe=2-2 | table Status range

0 Karma
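Two parts of this thread are worth putting together in one place: the "Dashboard Panel" in the accepted answer lost its XML tags in extraction, and the question of joining the ConnectionStatus and Events searches into a single status never got a working search. The Simple XML panel below is an added example, not datasearchninja's or kris99's code. It assumes the Splunk 6 single-value options classField, field and additionalClass (the values range, State/Status and icon-only match the extracted panel), the placeholder index and sourcetype names used in the thread, and that a connection whose latest State is not "On" is reported as Error regardless of the event count (the thread leaves that combination unspecified). The search uses case() for the three-way decision: SPL's if() takes exactly one condition and two results, so a six-argument if() like the one in the search above is rejected, whereas case() takes any number of condition/value pairs.

```xml
<dashboard>
  <label>Connection status (added example, not the original answer)</label>
  <row>
    <panel>
      <single>
        <title>Connection status</title>
        <search>
          <!-- Latest State from the ConnectionStatus source, event count from the Events source.
               '<' must be escaped as &lt; inside XML; '>' is escaped as &gt; for consistency. -->
          <query>index=xx sourcetype="ConnectionStatus"
| stats first(State) as State
| eval down_count=if(State=="On", 0, 1)
| appendcols [search index=yy sourcetype="Events" Type!=Information (EventCode&gt;="3012" AND EventCode&lt;="3054") | stats count as evt_count]
| eval StateBool=case(down_count==0 AND evt_count==0, 0, down_count==0 AND evt_count&gt;0, 1, down_count&gt;0, 2)
| eval Status=case(StateBool==0, "No Errors", StateBool==1, "Warning", StateBool==2, "Error")
| rangemap field=StateBool low=0-0 elevated=1-1 severe=2-2
| table Status range</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <!-- classField picks the field whose value becomes the CSS class (low/elevated/severe),
             field picks the value shown, additionalClass hooks in the icon CSS. -->
        <option name="classField">range</option>
        <option name="field">Status</option>
        <option name="additionalClass">icon-only</option>
      </single>
    </panel>
  </row>
</dashboard>
```

As in the accepted answer, the icon-only class only does something once the custom CSS from the Dashboard Examples app's "Single Value Decorations" example is in place; without it the panel shows the coloured Status text. One behaviour to be aware of: if the ConnectionStatus search returns no event in the last 15 minutes, State is null, `State=="On"` is false and down_count becomes 1, so a source that has gone silent is shown as Error rather than as "No Errors". For a status panel that is the safer default, but it is worth knowing that "Error" can mean "no data" as well as "State is not On".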

kris99
New Member

OK, thanks, but how do I use eval?

0 Karma

datasearchninja
Communicator

I've edited my original answer with some more detail.

0 Karma