How do I use range to display a green tick or red cross for the following?
index=xx sourcetype="yyy" State!="On"
If 'State' is not equal to 'On', display a red cross, else a green tick. I want it to take the latest event to check.
Thanks in advance for your help
You could:
use rangemap and some custom CSS to set the icon
index=xx sourcetype="yyy" | stats first(State) as State | eval StateBool = if (State=="On", 0, 1) | rangemap field=StateBool low=0-0 severe=1-1
You will need some custom CSS to add the icon to the dashboard. Check out the Splunk 6 Dashboard examples app: https://apps.splunk.com/app/1603/ and the "Single Value Decorations" example.
Dashboard Panel:
range
State
icon-only
This will show a green "On", or a red value of "State" until the CSS is set, when you will get the icons.
Based on the above search, how do I join the two searches below and return the following within the same SingleValue?
If "ConnectionStatus" is "On" and "Events" is "0", display "No Errors" with low range
If "ConnectionStatus" is "On" and "Events" is greater than "0", display "Warning" with elevated range
If "ConnectionStatus" is NOT "On" and "Events" is greater than "0", display "Error" with severe range
index=xxx sourcetype="ConnectionStatus" State!="On" |stats first(State) as State | stats count | appendpipe [ stats count | eval Status="Up" | where count==0 ] | eval Status=if(count==0,"Up","Down") | eval range = if(Status=="No Errors","low","severe")
index=yyy sourcetype="Events" Type!=Information (EventCode>="3012" AND EventCode<="3054") | stats count | eval StateBool = if (count==0, 0, 1) | eval Status=if(count==0,"No Errors","Warning") | rangemap field=StateBool low=0-0 elevated=1-1 | table Status range
How can I rename the wording? If State = On, show as "Up", else show "Down".
Just use eval to create the field you need, or to rename the State field:
So change:
index=xx sourcetype="yyy" | stats first(State) as State | eval StateBool = if (State=="On", 0, 1) | rangemap field=StateBool low=0-0 severe=1-1
To something like:
index=xx sourcetype="yyy" | stats first(State) as State | eval StateBool = if (State=="On", 0, 1) | eval State = if (State=="On", "Up", "Down") | rangemap field=StateBool low=0-0 severe=1-1
Tried using the same technique to join multiple searches but I am getting an error.
What am I doing wrong?
index=xx sourcetype="ConnectionStatus" State!="On" | stats count(State) as down_count | appendcols [search index=yy sourcetype="Events" Type!=Information (EventCode>="3012" AND EventCode<="3054") |stats count | rename count as evt_count] | eval StateBool = if(down_count==0 AND evt_count==0, 0, down_count==0 AND evt_count >0, 1, down_count>0 AND evt_count>0, 2) | eval Status = if(down_count==0 AND evt_count==0,"Ok", down_count==0 AND evt_count>0,"Warning", down_count>0 AND evt_count>0,"Error")| rangemap field=StateBool low=0-0 elevated=1-1 severe=2-2 | table Status range
OK, thanks... but how do I use eval?
I've edited my original answer with some more detail.
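An added example, not part of the original thread: the combined search that returns an error above passes six arguments to eval's if(), which accepts one condition with a true value and a false value, while case() takes condition/value pairs. The panel below is one way to write it. The Simple XML wrapper, the 24h time range, the use of latest(State), and the choice to show any unlisted combination (including "not On" with zero events) as "Error" are assumptions made here so that an unknown state never renders green.

```xml
<dashboard>
  <label>Connection and event status</label>
  <row>
    <panel>
      <single>
        <search>
          <!-- Constructed example. Index and sourcetype names are the thread's
               placeholders; the 24h time range is an assumption.
               1. latest(State) reads the newest ConnectionStatus event.
               2. appendcols adds the count of matching Events as evt_count.
               3. case() takes condition/value pairs; eval's if() accepts exactly
                  one condition, which is why the six-argument if() fails.
               4. true() is the catch-all: any combination not listed, including a
                  missing State, is shown as Error instead of staying blank. -->
          <query><![CDATA[
index=xx sourcetype="ConnectionStatus"
| stats latest(State) as State
| appendcols
    [ search index=yy sourcetype="Events" Type!=Information (EventCode>="3012" AND EventCode<="3054")
      | stats count as evt_count ]
| fillnull value=0 evt_count
| eval StateBool = case(
    State=="On" AND evt_count==0, 0,
    State=="On" AND evt_count>0, 1,
    true(), 2)
| eval Status = case(StateBool==0, "No Errors", StateBool==1, "Warning", true(), "Error")
| rangemap field=StateBool low=0-0 elevated=1-1 severe=2-2 default=severe
| table Status range
          ]]></query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <!-- field is the value shown; classField is the field used as CSS class -->
        <option name="field">Status</option>
        <option name="classField">range</option>
      </single>
    </panel>
  </row>
</dashboard>
```

Reading the latest State instead of counting State!="On" events over the whole time range keeps the panel tied to the current connection state, so an outage that has already recovered does not hold the panel at "Error".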