I have a dashboard where I have a single value module that contains a search that should make it green if no results are found (meaning all is OK!), red if results are found (not good!).
At one point I was able to get the module to turn red if a number was present other than 0. However, if 0 is present, I would like 0 to be displayed and the single value to be green. So far all I get is "n/a" as the display and the single value is the default gray color.
Anyone see anything out of place here that I'm missing?
<single>
<searchString>((sourcetype="Cron_SendNotificationEmail") OR
(sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="*" NOT host="*.bmp2.*" earliest=-1d@d latest=-0d@d | rex "send_to_email ?\[(?P<send_to_email>\S+)\]" max_match=1000
| rex "(?P<inserting_a_record>Inserting a record.*)" max_match=1000 | search inserting_a_record="*" OR send_to_email="*" | eval Delta = inserting_a_record - send_to_email | where Delta > 0 | eval status = if(Delta==0, "OK", "ERROR") | rangemap field=Delta low=0-0 default=severe</searchString>
<title>Undelivered Emails: Last Day</title>
<option name="classField">range</option>
</single>
This worked.
<searchString><![CDATA[
((sourcetype="Cron_SendNotificationEmail" "[*]") OR
(sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="*" NOT host="*.bmp2.*"
earliest=-1d@d latest=-0d@d NOT (day_hour=23 AND day_minute>=59)
| rex "send_to_email ?\[(?P<send_to_email>\S+)\]" max_match=1000
| rex "(?P<inserting_a_record>Inserting a record.*)" max_match=1000
| timechart sum(eval(if(sourcetype=="Cron_CheckRegistrarThreshold", mvcount(inserting_a_record), 0))) as TotalEmailsToSend
  sum(eval(if(sourcetype=="Cron_SendNotificationEmail", mvcount(send_to_email), 0))) as TotalEmailsSent
| eval Delta = TotalEmailsToSend - TotalEmailsSent
| rangemap field=Delta low=0-0 default=severe
]]></searchString>
Your search includes < and > which are not legal the way you have used them in XML, so I am surprised you get anything. I recommend you surround your search in a CDATA construct (see below). You also have square braces [ and ] in a rex that should be escaped as \[ and \].
And also you have "| where Delta > 0", which will filter out any zero values.
<searchString><![CDATA[
((sourcetype="Cron_SendNotificationEmail") OR (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*")) source="*" NOT host="*.bmp2.*" earliest=-1d@d latest=-0d@d
| rex "send_to_email ?\[(?P<send_to_email>\S+)\]" max_match=1000
| rex "(?P<inserting_a_record>Inserting a record.*)" max_match=1000
| search inserting_a_record="*" OR send_to_email="*"
| eval Delta = inserting_a_record - send_to_email
| eval status = if(Delta==0, "OK", "ERROR")
| rangemap field=Delta low=0-0 default=severe
]]></searchString>
It is also good practice to tell the single value which field you want displayed by adding:
<option name="field">Delta</option>
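As an added example (not code from the thread or from Splunk), here is a small Python model of what the answer describes: the two rex extractions counted the way the asker's working timechart does with mvcount(), the rangemap classes that drive the single value's colour, the effect of "| where Delta > 0" on a zero Delta, and why a searchString containing a named rex group must sit inside CDATA to parse as XML. The sample events and addresses are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample events as (sourcetype, _raw); not data from the thread.
EVENTS = [
    ("Cron_CheckRegistrarThreshold", "Inserting a record for domain example-one.test"),
    ("Cron_CheckRegistrarThreshold", "Inserting a record for domain example-two.test"),
    ("Cron_SendNotificationEmail", "send_to_email [ops@example.test]"),
    ("Cron_SendNotificationEmail", "send_to_email [noc@example.test]"),
]

# The two rex patterns from the search, with the square brackets escaped as the answer advises.
SEND_TO_EMAIL = re.compile(r"send_to_email ?\[(?P<send_to_email>\S+)\]")
INSERTING = re.compile(r"(?P<inserting_a_record>Inserting a record.*)")


def compute_delta(events):
    """Model of the timechart: mvcount() per sourcetype, then
    Delta = TotalEmailsToSend - TotalEmailsSent (a number, not a string difference)."""
    to_send = sum(len(INSERTING.findall(raw)) for st, raw in events
                  if st == "Cron_CheckRegistrarThreshold")
    sent = sum(len(SEND_TO_EMAIL.findall(raw)) for st, raw in events
               if st == "Cron_SendNotificationEmail")
    return to_send - sent


def rangemap(delta, where_delta_gt_0=False):
    """rangemap field=Delta low=0-0 default=severe. With where_delta_gt_0=True the row
    first passes '| where Delta > 0', so Delta == 0 is dropped and the single value
    has nothing to display (the n/a in the default colour the asker saw)."""
    if where_delta_gt_0 and not delta > 0:
        return None
    return "low" if delta == 0 else "severe"


def search_string_is_well_formed(spl, cdata):
    """Embed SPL in <searchString>; the '<' of a named rex group breaks the XML
    unless wrapped in CDATA. True when the parsed text equals the original SPL."""
    body = f"<![CDATA[{spl}]]>" if cdata else spl
    try:
        element = ET.fromstring(f"<searchString>{body}</searchString>")
    except ET.ParseError:
        return False
    return element.text == spl


if __name__ == "__main__":
    spl = 'rex "send_to_email ?\\[(?P<send_to_email>\\S+)\\]" | where Delta > 0'
    print(compute_delta(EVENTS), rangemap(0), rangemap(0, where_delta_gt_0=True))
    print(search_string_is_well_formed(spl, False), search_string_is_well_formed(spl, True))
```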
I'm going to keep messing around with this to see what I get...
This search made everything under it blue which means it didn't like it. Also I'm not sure where in my original post you saw < or >. I had them replaced by the xml code representing these symbols. I also tried using the field option before but it did not make a difference.