Multiple SingleValue in a dashboard

Branden
Builder

I'm trying to display a list of SingleValues. Each of my hosts runs a process listing every 12 hours and greps for a specific process. If it finds the process, index it. This runs on about 20 hosts.

I would like a dashboard that displays a SingleValue for each host. Splunk runs a search and, if it finds the process listing within the past 12 hours, put in a SingleValue saying "Yes". If it can't find the process listing, say "No". Above or near the SingleValue, I need it to display the host name field.

There is an easy way to do this, but it would require me to run the search individually for each host. I'm trying to avoid running 20 searches on one dashboard.

Here's what I have so far, but it's not doing what I need it to:

FINAL SOLUTION:

<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">sourcetype="nmonchk"</param>
  <param name="earliest">-12h</param>
  <module name="HiddenPostProcess">
    <param name="search">search host="xyz" | stats count | eval yesno=if(count==0, "No", "Yes") | rangemap field=count severe=0-0 default=low</param>
    <module name="SingleValue">
      <param name="field">yesno</param>
      <param name="classField">range</param>
      <param name="beforeLabel">xyz</param>
    </module>
  </module>
</module>

This just displays one SingleValue, and it's reporting "Yes". I understand why it's not working, I just can't figure out how to get it to do what I want.

Does anyone have any suggestions?

Thanks!

0 Karma

ziegfried
Influencer

You have to generate a count in your search in order to use it in the eval statement:

sourcetype="nmonchk" | stats count | eval yesno=if(count==0, "No", "Yes") | eval range=if(count==0, "severe", "low")

An efficient way to build the single values would be to use a single search that returns the events for all hosts and postprocess it for each host in order to display the result. Like:

<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search"> <search that returns the events for all hosts ></param>
  <module name="HiddenPostProcess">
    <param name="search">search < criteria for host 1 > | stats count | eval yesno=if(count==0, "No", "Yes") | rangemap field=count severe=0-0 default=low</param>
    <module name="SingleValue">
      <param name="field">yesno</param>
      <param name="classField">range</param>
    </module>
  </module>
  <module name="HiddenPostProcess">
    <param name="search">search < criteria for host 2 > | stats count | eval yesno=if(count==0, "No", "Yes") | rangemap field=count severe=0-0 default=low</param>
    <module name="SingleValue">
      <param name="field">yesno</param>
      <param name="classField">range</param>
    </module>
  </module>
  ...
</module>
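
The one-base-search, one-post-process-per-host layout from the answer above, generated from a host list rather than pasted by hand. This is an added example, not part of the original posts: the `build_panel` helper, the host-name allowlist and the sample host names are assumptions, while the module and param names are the ones used in this thread.

```python
import re
import xml.etree.ElementTree as ET

# Allowlist for host names: letters, digits, dot, hyphen, underscore.
# Quotes, pipes or brackets in a name could alter the SPL post-process query.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")

POST_PROCESS = ('search host="{host}" | stats count '
                '| eval yesno=if(count==0, "No", "Yes") '
                '| rangemap field=count severe=0-0 default=low')


def _param(parent, name, text):
    """Append <param name="...">text</param>; ElementTree escapes the text."""
    p = ET.SubElement(parent, "param", {"name": name})
    p.text = text


def build_panel(hosts, base_search='sourcetype="nmonchk"', earliest="-12h",
                layout_panel="panel_row2_col1"):
    """Return XML text: one HiddenSearch with one post-process per host."""
    root = ET.Element("module", {"name": "HiddenSearch",
                                 "layoutPanel": layout_panel,
                                 "autoRun": "True"})
    _param(root, "search", base_search)
    _param(root, "earliest", earliest)
    seen = set()
    for host in hosts:
        if not HOST_RE.fullmatch(host):
            raise ValueError(f"refusing unsafe host name: {host!r}")
        if host in seen:          # skip duplicates, keep first occurrence
            continue
        seen.add(host)
        post = ET.SubElement(root, "module", {"name": "HiddenPostProcess"})
        _param(post, "search", POST_PROCESS.format(host=host))
        single = ET.SubElement(post, "module", {"name": "SingleValue"})
        _param(single, "field", "yesno")
        _param(single, "classField", "range")
        _param(single, "beforeLabel", host)
    ET.indent(root, space="  ")   # requires Python 3.9+
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed host names, for illustration only.
    print(build_panel(["web01", "web02", "db01.example.com"]))
```

Because the tree is serialized by ElementTree, every `<module>` is closed and nested correctly, and a host name that fails the allowlist is rejected before it reaches a search string.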

sliderCO
Explorer

I have configured a similar dashboard using a HiddenSearch and HiddenPostProcess as shown above and all results are displayed fine only when there is one failure in the count. The SingleValue buttons on all pages display an "N/A" rather than a "0" when there are no failures. So the buttons are grey rather than green. Does anyone have any potential solutions to such an issue?

0 Karma

Branden
Builder

Okay I got it figured out. Couldn't have done it without your help, thanks!
My final solution is above (re-edited). Thanks again!

0 Karma

Branden
Builder

Thank you for your very fast response.

I did what you suggested (see my edits above), but it's still not quite right. It doesn't display the host name, and it just shows two gray boxes containing "Invalid Field".

Did I miss something?

Thanks again!

0 Karma