Dashboards & Visualizations

single value won't turn green

gnovak
Builder

I have a dashboard where I have a single value module that contains a search that should make it green if no results are found (meaning all is OK!), red if results are found (not good!).

At one point I was able to get the module to turn red if a number was present other than 0. However, if 0 is present, I would like 0 to be displayed and the single value to be green. So far all I get is "n/a" as the display and the single value is the default gray color.

Anyone see anything out of place here that I'm missing?

<single>
      <searchString>((sourcetype="Cron_SendNotificationEmail") OR 
 (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="*" NOT host="*.bmp2.*" earliest=-1d@d latest=-0d@d | rex "send_to_email ?\[(?P&lt;send_to_email&gt;\S+)\]" max_match=1000 
| rex "(?P&lt;inserting_a_record&gt;Inserting a record.*)" max_match=1000 | search inserting_a_record="*" OR send_to_email="*" | eval Delta = inserting_a_record - send_to_email | where Delta > 0 | eval status = if(Delta==0, "OK", "ERROR") | rangemap field=Delta low=0-0 default=severe</searchString>
      <title>Undelivered Emails: Last Day</title>
      <option name="classField">range</option>
</single> 
1 Solution

gnovak
Builder

This worked.

<single>
      <searchString>((sourcetype="Cron_SendNotificationEmail" "[*]") OR (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="*" NOT host="*.bmp2.*"
earliest=-1d@d latest=-0d@d NOT (day_hour=23 AND day_minute>=59)
| rex "send_to_email ?\[(?P&lt;send_to_email&gt;\S+)\]" max_match=1000
| rex "(?P&lt;inserting_a_record&gt;Inserting a record.*)" max_match=1000
| timechart sum(eval(if(sourcetype=="Cron_CheckRegistrarThreshold", mvcount(inserting_a_record), 0))) as TotalEmailsToSend sum(eval(if(sourcetype=="Cron_SendNotificationEmail", mvcount(send_to_email), 0))) as TotalEmailsSent
| eval Delta = TotalEmailsToSend - TotalEmailsSent
| rangemap field=Delta low=0-0 default=severe</searchString>
      <title>Undelivered Emails: Last Day</title>
      <option name="field">Delta</option>
      <option name="classField">range</option>
</single>

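To see why the original search renders "n/a" in gray while the accepted answer renders a green 0, here is an added Python emulation of the relevant SPL steps over a handful of constructed events. It is not code from the thread and not Splunk code: the sourcetype names, the two rex patterns, the eval and the rangemap bounds are taken from the posted searches, while the event text and e-mail addresses are made up, and timechart is collapsed to a single summed row.

```python
import re

# Constructed sample events (not from the thread), shaped to match the two
# sourcetypes and the rex patterns in the posted search. Addresses are fake.
SAMPLE_EVENTS = [
    ("Cron_CheckRegistrarThreshold", "Inserting a record for registrar 41"),
    ("Cron_CheckRegistrarThreshold", "Inserting a record for registrar 42"),
    ("Cron_CheckRegistrarThreshold", "Inserting a record for registrar 43"),
    ("Cron_SendNotificationEmail", "send_to_email [ops@example.test]"),
    ("Cron_SendNotificationEmail",
     "send_to_email[noc@example.test] send_to_email[sec@example.test]"),
    ("Cron_SendNotificationEmail", "scheduler heartbeat"),  # matches neither rex
]

# The two regexes exactly as used by the posted `rex` commands.
SEND_RE = re.compile(r"send_to_email ?\[(?P<send_to_email>\S+)\]")
INSERT_RE = re.compile(r"(?P<inserting_a_record>Inserting a record.*)")


def extract(events):
    """Emulate `rex ... max_match=1000`: every event gets a multivalue field
    (a Python list) holding all matches of each pattern, possibly empty."""
    return [
        {
            "sourcetype": sourcetype,
            "inserting_a_record": INSERT_RE.findall(raw),
            "send_to_email": SEND_RE.findall(raw),
        }
        for sourcetype, raw in events
    ]


def spl_subtract(a, b):
    """eval arithmetic: if either operand is missing or non-numeric the
    result is null, which the single value module displays as n/a."""
    try:
        return float(a) - float(b)
    except (TypeError, ValueError):
        return None


def delta_per_event_original(events):
    """The original search: `eval Delta = inserting_a_record - send_to_email`.
    Both operands are extracted strings, and each event carries at most one
    of them, so Delta is null on every row."""
    out = []
    for row in extract(events):
        ins = row["inserting_a_record"][0] if row["inserting_a_record"] else None
        snd = row["send_to_email"][0] if row["send_to_email"] else None
        out.append(spl_subtract(ins, snd))
    return out


def where_positive(deltas):
    """`| where Delta > 0` keeps only rows whose numeric Delta exceeds zero,
    so a healthy day (Delta == 0) leaves no row at all for rangemap."""
    return [d for d in deltas if d is not None and d > 0]


def delta_fixed(events):
    """The accepted answer: mvcount the matches per sourcetype, sum them
    (timechart collapsed to one row here) and subtract the two totals."""
    to_send = sent = 0
    for row in extract(events):
        if row["sourcetype"] == "Cron_CheckRegistrarThreshold":
            to_send += len(row["inserting_a_record"])
        elif row["sourcetype"] == "Cron_SendNotificationEmail":
            sent += len(row["send_to_email"])
    return to_send - sent


def rangemap(value, low=(0, 0), default="severe"):
    """`rangemap field=Delta low=0-0 default=severe`: value of the `range`
    field that the single value uses as its CSS class (low=green, severe=red)."""
    if value is None:
        return None
    lo, hi = low
    return "low" if lo <= value <= hi else default


def single_value(delta):
    """What the dashboard module shows: (display text, classField value)."""
    if delta is None:
        return ("n/a", None)               # no field at all -> gray n/a
    return (str(delta), rangemap(delta))   # "low" -> green, "severe" -> red


if __name__ == "__main__":
    orig = delta_per_event_original(SAMPLE_EVENTS)
    print(orig, where_positive(orig))             # all None, then []
    print(single_value(delta_fixed(SAMPLE_EVENTS)))  # ('0', 'low')
```

Two things fall out of running it: the per-event subtraction of two string fields never yields a number (hence n/a, regardless of the `where` clause), and even with a numeric Delta the `where Delta > 0` step discards the one row you want to colour green. Counting with mvcount and subtracting the totals gives a single numeric row that rangemap can classify.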


BobM
Builder

Your search includes < and >, which are not legal the way you have used them in XML, so I am surprised you get anything. I recommend you surround your search in a CDATA construct (see below). You also have square braces [ and ] in a rex that should be escaped as \[ and \].
And also you have "| where Delta > 0", which will filter out any zero values.

<searchString><![CDATA[ ((sourcetype="Cron_SendNotificationEmail") OR (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*")) source="*" NOT host="*.bmp2.*" earliest=-1d@d latest=-0d@d | rex "send_to_email ?\[(?P<send_to_email>\S+)\]" max_match=1000 | rex "(?P<inserting_a_record>Inserting a record.*)" max_match=1000 | search inserting_a_record="*" OR send_to_email="*" | eval Delta = inserting_a_record - send_to_email | eval status = if(Delta==0, "OK", "ERROR") | rangemap field=Delta low=0-0 default=severe ]]></searchString>

It is also good practice to tell the single value which field you want displayed by adding:

<option name="field">Delta</option>


gnovak
Builder

I'm going to keep messing around with this to see what I get...


gnovak
Builder

This search made everything under it blue, which means it didn't like it. Also, I'm not sure where in my original post you saw < or >. I had them replaced by the XML code representing these symbols. I also tried using the field option before, but it did not make a difference.
