Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtering of a particular value out of the Dashboard.

jerinvarghese
Communicator
‎03-26-2020 02:09 AM

I have one more issue which am facing.

 index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" "WANRT*"
 | rex field=eventuei "uei.opennms.org/nodes/node(?<bgpPeerState>.+)"
 | eval Status=case(bgpPeerState=="Up", "UP", bgpPeerState=="Down", "DOWN", 1=1, "Other")
  | rename _time as Time_CST
   | fieldformat Time_CST=strftime(Time_CST,"%x %X")
 | dedup nodelabel sortby - Time_CST 
 | table nodelabel Status  Time_CST

Output:

 nodelabel    Status    Time_CST
 NZSKB    DOWN    03/24/20 10:33:33
 GQPCW    DOWN    03/24/20 10:30:15
 EGSUM    UP    03/24/20 10:19:39
 GQHAN    DOWN    03/24/20 10:16:57
 FJVUD    UP    03/24/20 10:05:20
 PGPKC    UP    03/24/20 09:58:09

is it possible to only display DOWN CASES in the dashboard

I tried with 

| where =="DOWN"

But it converted the whole UP's as DOWN.

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎03-26-2020 03:52 AM 
....
| rex field=eventuei "uei.opennms.org/nodes/node(?<bgpPeerState>.+)"
| stats max(_time) as Time_CST latest(bgpPeerState) as Status by nodelabel
| where Status="DOWN"
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| sort- Time_CST 
| table nodelabel Status  Time_CST
0 Karma
Reply

niketn
Legend
‎03-26-2020 02:30 AM

Did you try | where Status="DOWN"? or the one that you have posted which seems incorrect?

Also why not filter only Down event while fetching from index? Are you interested in latest node status which are down?

What is the purpose of dedup and why not apply after fetching required fields from index as that is the only dataset reduction your are performing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

jerinvarghese
Communicator
‎03-26-2020 02:56 AM

Hi,

Sorry it was a typo..I was using 

 | where Status=="DOWN"

There are cases were some of my devices comes UP and some wont.
AM interested in those devices which are not coming UP.

Once I dont the eval statement, I will get which has the UP and DOWN status.

| eval Status=case(bgpPeerState=="Up", "UP", bgpPeerState=="Down", "DOWN", 1=1, "Other")

from this I was only those are DOWN.

If am only searching for DOWN events. then those devices which are UP now has a DOWN event previously. so i cant filter with only down event from index.

Dedup am using is for filtering only those device with latest status. Because the same device go UP and DOWN multiple times. I want only those are DOWN at the moment.and remove those which came an UP event.

Hope this explains my logic

0 Karma
Reply

jerinvarghese
Communicator
‎03-26-2020 02:22 AM 
| where Status=="DOWN"
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...