How to create a dynamic gauge visualization with subsearches?

droopy4096
New Member

I'm trying to put together a gauge widget that would use different searches to set up the limits and set the needle.
So, for example, I have the base search:

sourcetype=mytype

Now to figure out full range for the gauge here's the search:

sourcetype=mytype status=failed

For the needle position search extends to:

 sourcetype=mytype status=failed AND NOT log{}.message="completed"

to identify the non-critical failure rate. Being fairly new to Splunk, I'm struggling to put this together. Extracting the value from the last search is no problem, but the default range of 100 is not applicable and the range changes dynamically throughout the day.

0 Karma

niketnilay
Legend

@droopy4096 You can use gauge command for defining dynamic range.

Following is the base search you need:

 sourcetype=mytype status=failed AND log{}.message="*"
| stats count as failedTotal count(eval('log{}.message'!="completed")) as failedIncomplete

Then set the tokens for failedTotal and failedIncomplete as Total and Incomplete using the finalized search event handler.

<finalized>
  <condition match="$job.resultCount$==0">
    <set token="Total">0</set>
    <set token="Incomplete">0</set>
  </condition>
  <condition>
    <set token="Total">$result.failedTotal$</set>
    <set token="Incomplete">$result.failedIncomplete$</set>
  </condition>
</finalized>

Finally, use $Total$ and $Incomplete$ in your search with the Radial Gauge visualization to plot $Incomplete$ with various ranges.

    <panel>
      <title>Failed Incomplete Total</title>
      <chart>
        <search>
          <query>| makeresults
| eval incomplete=$Incomplete$
| eval greenUpper=round($Total$*.70,0)
| eval yellowUpper=round($Total$*.85,0)
| gauge incomplete 0 greenUpper yellowUpper $Total$</query>
        </search>
        <option name="charting.chart">radialGauge</option>
      </chart>
    </panel>

PS: Once you have Failed Incomplete and Failed Total values, instead of plotting actual values, it would make more sense to plot percent in the Radial Gauge for consistency in visualization using approach similar to above.

Refer to the run anywhere example on similar lines that I have posted on the link below:
http://wiki.splunk.com/User_talk:Niketnilay#Topic_3:_Dynamic_Range_for_Gauges:_Example_to_Calculate_...

Image attached for reference from run anywhere search in the example above.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
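The percent-based variant suggested in the PS above, as an added example that is not part of the original answer: it computes the incomplete share in the panel's own search, so no tokens or event handlers are needed and the gauge range is always 0 to 100. It assumes the thread's sourcetype and field names; the 70 and 85 band limits reuse the multipliers from the answer, and the `pctIncomplete` field name and the 24-hour time range are illustrative.

```xml
<!-- Added example (not from the thread): radial gauge plotting percent instead of raw counts. -->
<panel>
  <title>Failed Incomplete (% of Failed Total)</title>
  <chart>
    <search>
      <!-- Field names containing {} or . are wrapped in single quotes inside eval.
           stats count returns one row with 0 even when nothing matches, so the
           if() guards the division for an empty time window. -->
      <query>sourcetype=mytype status=failed AND log{}.message="*"
| stats count as failedTotal count(eval('log{}.message'!="completed")) as failedIncomplete
| eval pctIncomplete=if(failedTotal==0, 0, round(failedIncomplete*100/failedTotal, 1))
| gauge pctIncomplete 0 70 85 100</query>
      <!-- Assumed time range; adjust to the window the dashboard should cover. -->
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.chart">radialGauge</option>
  </chart>
</panel>
```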

droopy4096
New Member

I think I've sorted out query issues:

sourcetype=mytype  status=failed  | stats count as failedTotal, count(eval('log{}.message'!="completed")) as failedComplete

this seems to work.

Now my problem is that I'm not sure what to do about the search handler:

0 Karma

niketnilay
Legend

If you have just one radial gauge, I would make it simple... Just try the following:

     <panel>
       <title>Failed Incomplete Total</title>
       <chart>
         <search>
           <query>sourcetype=mytype status=failed AND log{}.message="*"
 | stats count as Total count(eval('log{}.message'!="completed")) as incomplete
 | eval greenUpper=round(Total*.70,0)
 | eval yellowUpper=round(Total*.85,0)
 | gauge incomplete 0 greenUpper yellowUpper Total</query>
         </search>
         <option name="charting.chart">radialGauge</option>
       </chart>
     </panel>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketnilay
Legend

Seems like the preview and finalized were removed from 6.5 (although they still work). Instead use progress or done event handlers which can access $result.<fieldname>$ token. For this example done should be used. Please see updated answer above.

http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#done

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketnilay
Legend

@droopy4096... I have reverted the event handler back to finalized again. It seems that although the documentation lists the done event handler as having access to $result.<fieldname>$, it actually does not... So just try preview or finalized instead.

Please try out the example and let me know how it goes.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

droopy4096
New Member

Will tinker with the implementation later - I've got some stuff cobbled together thanks to your pointers, but didn't have time to properly implement it. My first attempt at implementation failed, so I've got to look deeper.

0 Karma

niketnilay
Legend

Sure @droopy4096... When you get a chance try out and revert back here as to how it goes.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma