Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

want to add extra details to the number display

Ashish0405
Path Finder
‎12-16-2024 11:37 PM

Would anyone be able to help me on one more thing please !!! 

I have a Number display dashboard which represent the BGP flap details as # Device_name & #BGP peer IP , however I cannot add the timing when the BGP flap on Number display

Current Query : index="network" %BGP-5 *clip* | rex field=_raw "^(?:[^ \n]* ){4}(?P<Device_name>[^:]+)" | dedup Device_name,src_ip | stats count by Device_name,src_ip,state_to | eval primarycolor=case(state_to="Down", "#D93F3C", state_to="Up", "#31A35F") | eval secondarycolor=primarycolor

Ashish0405_0-1734421057901.png

 

 

Is there something we can add to display flap time in the same number display

 

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-16-2024 11:50 PM

Hi @Ashish0405 ,

at first you don't need dedup before stats:

index="network" %BGP-5 *clip* 
| rex field=_raw "^(?:[^ \n]* ){4}(?P<Device_name>[^:]+)" 
| stats count by Device_name src_ip state_to 
| eval 
     primarycolor=case(state_to="Down", "#D93F3C", state_to="Up", "#31A35F"),
     secondarycolor=primarycolor

then, what do you mean with flat time? if the time borders of your search, you can use addinfo command (https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Addinfo) that with the info_min_time and info_max_time fields gives you the time borders of your search.

index="network" %BGP-5 *clip* 
| rex field=_raw "^(?:[^ \n]* ){4}(?P<Device_name>[^:]+)" 
| stats count by Device_name src_ip state_to 
| eval 
     primarycolor=case(state_to="Down", "#D93F3C", state_to="Up", "#31A35F"),
     secondarycolor=primarycolor
| addinfo
| table Device_name src_ip state_to count primarycolor secondarycolor info_min_time info_max_time

Ciao.

Giuseppe

0 Karma
Reply

Ashish0405
Path Finder
‎12-17-2024 12:07 AM

Flap time = when one of the peer or you can consider the cable connected to device went down

 

If you see below dashboard we can see the device IP + Flap time , In the other dashboard you can see the Device_name + Device IP, I just want to see all 3 details ( Device name, Device IP & Flap time) in one dashboard,

 

Does it answered your query ? 

Ashish0405_0-1734422730663.png

 

0 Karma
Reply

Ashish0405
Path Finder
‎12-17-2024 12:13 AM

below image should give some clarity,  Currently I have 2 different dashboard and I want single dashboard with all 3 details.

Ashish0405_0-1734423117726.png

 

0 Karma
Reply

Ashish0405
Path Finder
‎12-17-2024 09:59 PM

can anyone help me on it please

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-18-2024 01:45 AM 
| eval Device=Device_name.":".src_ip
| table Device state_to count primarycolor secondarycolor info_min_time info_max_time
Reply

Ashish0405
Path Finder
‎12-18-2024 04:09 AM

Thank you so much, the eval command is magical !!!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...