I'm not a dashboard expert; however, from a search I have the following setup:
| rex field=msg.Properties..FileName "(?<Filename>[\w-]+\.apm)"
| eval EventName='msg.Properties..EventType'
| search Filename
| chart count over Filename by EventName
This gives me results like:
Filename      Moved  FileError  Validated  Sent  ValidationError
1bc71199.apm  1      1          1          2     0
43bd3399.apm  1      1          1          2     1
Is it possible to change the 0s, 1s and 2s to other values? Like maybe a TimeStamp or Checkmark or basically something that isn't a number?
Also, maybe I shouldn't be using a CHART for summary (but my users like the data representation) but please tell me if I'm doing that wrong too! Are stats the better option? Thanks!
Hi @ozman2112,
You can do both. If you want to replace the number by specific words you can use a conditional eval expression and simply replace any occurrence of 0, 1 or 2 with a specific word.
You can also replace them with checkmarks if needed using JavaScript. You can find some examples of that in this app here:
https://splunkbase.splunk.com/app/1603/
Also check this out for including icons within a table:
https://answers.splunk.com/answers/345025/simple-xml-dashboard-examples-how-to-add-a-new-ico.html
Cheers,
David
OK, sounds simple enough:
| eval EventName='msg.Properties.EventType'
| search Filename
| chart count(eval(if(EventName="1", "one","is not one"))) over Filename by EventName
None of the "1"s in the chart were replaced. They remained the same. Is there an equality issue?
I meant an eval in a line right after the chart. Try something like this instead, it's easier:
... | replace 0 WITH iszero, 1 WITH isone,2 WITH istwo IN Moved
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Replace
And to apply it to all fields you can simply do this:
... | foreach * [|replace 0 WITH iszero, 1 WITH isone,2 WITH istwo IN <<FIELD>>]
...and thanks for replying on a Saturday! 🙂
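An added example, not from any poster in this thread: a stats-based alternative that builds the same Filename-by-EventName grid but fills each cell with a marker instead of a count. The sample events are constructed with makeresults, and the `raw` and `cell` field names are hypothetical; in a real search the first five lines would be replaced by the base search and the rex/eval from the question.

```spl
| makeresults
| eval raw="1bc71199.apm:Moved 1bc71199.apm:Validated 1bc71199.apm:Sent 1bc71199.apm:Sent 43bd3399.apm:Moved 43bd3399.apm:Sent 43bd3399.apm:ValidationError"
| makemv delim=" " raw
| mvexpand raw
| rex field=raw "(?<Filename>[^:]+):(?<EventName>.+)"
``` constructed sample events end here; the reporting part follows ```
| stats count by Filename EventName
``` turn each count into display text while it is still one row per file and event ```
| eval cell=case(count==1, "✔", count>1, "✔ x".tostring(count))
``` pivot back into the grid that chart produced: one row per file, one column per event ```
| xyseries Filename EventName cell
``` file/event combinations that never occurred are null after the pivot ```
| fillnull value="-"
```

Because the text is assigned before the pivot, the Filename column is never touched by the replacement. To show a timestamp instead, add `latest(_time) as last` to the stats line and set `cell=strftime(last, "%H:%M:%S")`.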