Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

want to add extra details to the number display

Ashish0405
Path Finder
‎12-16-2024 11:37 PM

Would anyone be able to help me on one more thing please !!! 

I have a Number display dashboard which represent the BGP flap details as # Device_name & #BGP peer IP , however I cannot add the timing when the BGP flap on Number display

Current Query : index="network" %BGP-5 *clip* | rex field=_raw "^(?:[^ \n]* ){4}(?P<Device_name>[^:]+)" | dedup Device_name,src_ip | stats count by Device_name,src_ip,state_to | eval primarycolor=case(state_to="Down", "#D93F3C", state_to="Up", "#31A35F") | eval secondarycolor=primarycolor

Ashish0405_0-1734421057901.png

 

 

Is there something we can add to display flap time in the same number display

 

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-16-2024 11:50 PM

Hi @Ashish0405 ,

at first you don't need dedup before stats:

index="network" %BGP-5 *clip* 
| rex field=_raw "^(?:[^ \n]* ){4}(?P<Device_name>[^:]+)" 
| stats count by Device_name src_ip state_to 
| eval 
     primarycolor=case(state_to="Down", "#D93F3C", state_to="Up", "#31A35F"),
     secondarycolor=primarycolor

then, what do you mean with flat time? if the time borders of your search, you can use addinfo command (https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Addinfo) that with the info_min_time and info_max_time fields gives you the time borders of your search.

index="network" %BGP-5 *clip* 
| rex field=_raw "^(?:[^ \n]* ){4}(?P<Device_name>[^:]+)" 
| stats count by Device_name src_ip state_to 
| eval 
     primarycolor=case(state_to="Down", "#D93F3C", state_to="Up", "#31A35F"),
     secondarycolor=primarycolor
| addinfo
| table Device_name src_ip state_to count primarycolor secondarycolor info_min_time info_max_time

Ciao.

Giuseppe

0 Karma
Reply

Ashish0405
Path Finder
‎12-17-2024 12:07 AM

Flap time = when one of the peer or you can consider the cable connected to device went down

 

If you see below dashboard we can see the device IP + Flap time , In the other dashboard you can see the Device_name + Device IP, I just want to see all 3 details ( Device name, Device IP & Flap time) in one dashboard,

 

Does it answered your query ? 

Ashish0405_0-1734422730663.png

 

0 Karma
Reply

Ashish0405
Path Finder
‎12-17-2024 12:13 AM

below image should give some clarity,  Currently I have 2 different dashboard and I want single dashboard with all 3 details.

Ashish0405_0-1734423117726.png

 

0 Karma
Reply

Ashish0405
Path Finder
‎12-17-2024 09:59 PM

can anyone help me on it please

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-18-2024 01:45 AM 
| eval Device=Device_name.":".src_ip
| table Device state_to count primarycolor secondarycolor info_min_time info_max_time
Reply

Ashish0405
Path Finder
‎12-18-2024 04:09 AM

Thank you so much, the eval command is magical !!!

0 Karma
Reply
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...