Flow Map Viz change labels and use Icons

nathanluke86 · ‎10-25-2019

Could someone help with the following questions:

I would like to expand on my map for http traffic.

I can't seem to workout how to use icons and would like to change labels from good/warn/error to success/redirection/client error and maybe add an extra label for server error (Green/orange/red/blue particles)

I have tried using lookups but from the documentation I don't really understand how to accomplish this. I would be really helpful to see some example spl that also uses lookups so I can visualise how the two work together

So far my map spl is as follows:

index = iis sourcetype="ms:iis:auto" status=$status$
| chart useother=false usenull=false count over webpage by status
| streamstats count as tmp
| untable tmp status count
| stats sum(eval(if(like(status,"2%"),count,0))) as good,
,sum(eval(if(like(status,"4%"),count,0))) as error, ,sum(eval(if(like(status,"3%"),count,0))) as warn
,values(eval(if(status=="Port_Description",count,NULL))) as Port_Description by tmp
| eval from="Traffic", to=webpage
| fields from to error warn good

Any help or pointer would be appreciated.

nathanluke86 · ‎11-06-2019

I have managed to do this using the look up provided in the documentaion and by using lookup editor to create the desired format.

Now my dashboard is complete the only issue i have seems to be a bug. When loading the dashboard some icons revert to the standard text box. I am using drop downs which may be causing this issue.

Flow Map Viz change labels and use Icons

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!