Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

want to add extra details to the number display

Ashish0405
Path Finder
‎12-16-2024 11:37 PM

Would anyone be able to help me on one more thing please !!! 

I have a Number display dashboard which represent the BGP flap details as # Device_name & #BGP peer IP , however I cannot add the timing when the BGP flap on Number display

Current Query : index="network" %BGP-5 *clip* | rex field=_raw "^(?:[^ \n]* ){4}(?P<Device_name>[^:]+)" | dedup Device_name,src_ip | stats count by Device_name,src_ip,state_to | eval primarycolor=case(state_to="Down", "#D93F3C", state_to="Up", "#31A35F") | eval secondarycolor=primarycolor

Ashish0405_0-1734421057901.png

 

 

Is there something we can add to display flap time in the same number display

 

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-16-2024 11:50 PM

Hi @Ashish0405 ,

at first you don't need dedup before stats:

index="network" %BGP-5 *clip* 
| rex field=_raw "^(?:[^ \n]* ){4}(?P<Device_name>[^:]+)" 
| stats count by Device_name src_ip state_to 
| eval 
     primarycolor=case(state_to="Down", "#D93F3C", state_to="Up", "#31A35F"),
     secondarycolor=primarycolor

then, what do you mean with flat time? if the time borders of your search, you can use addinfo command (https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Addinfo) that with the info_min_time and info_max_time fields gives you the time borders of your search.

index="network" %BGP-5 *clip* 
| rex field=_raw "^(?:[^ \n]* ){4}(?P<Device_name>[^:]+)" 
| stats count by Device_name src_ip state_to 
| eval 
     primarycolor=case(state_to="Down", "#D93F3C", state_to="Up", "#31A35F"),
     secondarycolor=primarycolor
| addinfo
| table Device_name src_ip state_to count primarycolor secondarycolor info_min_time info_max_time

Ciao.

Giuseppe

0 Karma
Reply

Ashish0405
Path Finder
‎12-17-2024 12:07 AM

Flap time = when one of the peer or you can consider the cable connected to device went down

 

If you see below dashboard we can see the device IP + Flap time , In the other dashboard you can see the Device_name + Device IP, I just want to see all 3 details ( Device name, Device IP & Flap time) in one dashboard,

 

Does it answered your query ? 

Ashish0405_0-1734422730663.png

 

0 Karma
Reply

Ashish0405
Path Finder
‎12-17-2024 12:13 AM

below image should give some clarity,  Currently I have 2 different dashboard and I want single dashboard with all 3 details.

Ashish0405_0-1734423117726.png

 

0 Karma
Reply

Ashish0405
Path Finder
‎12-17-2024 09:59 PM

can anyone help me on it please

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-18-2024 01:45 AM 
| eval Device=Device_name.":".src_ip
| table Device state_to count primarycolor secondarycolor info_min_time info_max_time
Reply

Ashish0405
Path Finder
‎12-18-2024 04:09 AM

Thank you so much, the eval command is magical !!!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...