- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- turning calculated percentage into traffic light w...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
thanks to the community help I have now managed to get the percentage of compliant machines from Qualys but now need to make this dynamically change my traffic light css
here is the xml for the traffic light I am currently using. At the moment I have been manually amending the eval number and the traffic light changes based on this.
SANS 3
<panel>
<title>SANS 3.1</title>
<single>
<title>Standard secure configuration</title>
<search>
<query>| stats count as value | eval value = entervalue | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="field">value</option>
<option name="classField">range</option>
<option name="linkView">search</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">radialGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="drilldown">none</option>
</single>
</panel>
The search I now have that returns the percentage I need
| dbquery "DBNAME" "SELECT * FROM TABLE_NAME"| stats count(eval(FAILED<1)) as success count as total | eval Compliant %=success/total*100
The Compliant % is the eval value I want dynamically populated and thus changing the traffic light colour if within certain ranges.
once I have this one search/traffic light sorting hopefully it will just be a case of re-creating/slight amendments for my other SANS checks
thanks as ever for all your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I managed to resolve my own question the answer is
| dbquery "DBNAME" "SELECT * FROM TABLE"| stats count(eval(FAILED<1)) as success count as total | eval value = success/total*100 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
This is now displaying a RED traffic light as we are only 2% compliant
Hope this helps someone else in the future
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I managed to resolve my own question the answer is
| dbquery "DBNAME" "SELECT * FROM TABLE"| stats count(eval(FAILED<1)) as success count as total | eval value = success/total*100 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
This is now displaying a RED traffic light as we are only 2% compliant
Hope this helps someone else in the future
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Just checking if what I am asking for is technically possible with splunk? or will it be easier if I index the DB? can I then turn that into the percentage and make the range (traffic lights) change colour?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I want for the compliant % result to be populated in a traffic light - eg if the % falls within this range show a green traffic light
| dbquery "DBNAME" "SELECT * FROM TABLE_NAME"| stats count(eval(FAILED<1)) as success count as total | eval Compliant%=success/total*100
The previous code you provided returns errors sadly (see below)
| dbquery "DBNAME" "SELECT * FROM TABLE_NAME"| stats count(eval(FAILED<1)) as success count as total | eval Compliant%=success/total*100|join [search index=... | eval value = Compliant%| rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none|...]
When trying to paste my entire source code the formatting goes crazy.
any help to get the below code to display my percentage would be appreciated
<title>Standard secure configuration</title>
<search>
<query>| stats count as value | eval value = entervalue | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="field">value</option>
<option name="classField">range</option>
<option name="linkView">search</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">radialGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="drilldown">none</option>
thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry the formatting went weird. but its basically a repeat of SANS 3.1 multiple times and some different rows
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't understand your code.
what do you want exactly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi - please see below
SANS 3
<panel>
<title>SANS 3.1</title>
<single>
<title>Standard secure configuration</title>
<search>
<query>| stats count as value | eval value = 3 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="field">value</option>
<option name="classField">range</option>
<option name="linkView">search</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">radialGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="drilldown">none</option>
</single>
<html> <a href="https://splunk/en-GB/app/Sans_Pmc/sans_31">Additional Information</a> </html>
</panel>
<panel>
<title>SANS 3.2</title>
<single>
<title>Automated patching</title>
<search>
| stats count as value | eval value = 64 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
value
range
search
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
none
Additional Information
<panel>
<title>SANS 3.3</title>
<single>
<title>Limit Administrative priviledges</title>
<search>
| stats count as value | eval value = 80 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
value
range
search
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
none
Additional Information
| stats count as value | eval value = 40 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
value
range
search
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
none
Additional Information
| stats count as value | eval value = 0 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
value
range
search
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
none
Additional Information
<panel>
<title>SANS 3.7</title>
<single>
<title>Remote admin performed over secure connections</title>
<search>
| stats count as value | eval value = 100 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
value
range
search
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
none
Additional Information
| stats count as value | eval value = 0 | rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none
value
range
search
ellipsisNone
0
visible
visible
visible
linear
linear
false
inherit
radialGauge
50
10
area
gaps
0.01
default
shiny
all
0
ellipsisMiddle
right
none
Additional Information
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
thanks for the suggestion unfortunatley I am getting errors with the above
Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 9: StartTag: invalid element name
I obviously updated the DBNAME and TABLE_NAME but quite a few areas are appearing in RED (I have bolded them below)
| dbquery "DBNAME" "SELECT * FROM TABLE_NAME"| stats count(eval(FAILED<1)) as success count as total | eval Compliant%=success/total*100|join [search index=... | eval value = Compliant%| rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none|...]
-15m
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok,
please send me all you view source code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi try this:
<query>
| dbquery "DBNAME" "SELECT * FROM TABLE_NAME"| stats count(eval(FAILED<1)) as success count as total | eval Compliant%=success/total*100|join [search index=... | eval value = Compliant%| rangemap field=value elevated=51-84 low=85-100 severe=0-50 default=none|...]
</query>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 10: StartTag: invalid element name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Should have mentioned I am updating the |... part entering my search but keep getting errors, no doubt as incorrect
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
updating the < query >|
seems to have stripped that part
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
