Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

single value won't turn green

gnovak
Builder
‎04-02-2012 02:47 PM

I have a dashboard where I have a single value module that contains a search that should make it green if no results are found (meaning all is ok!) , red if results are found (not good!).

At one point I was able to get the module to turn red if a number was present other then 0. However if 0 is present, I would like 0 to be displayed and the single value to be green. So far all I get is "n/a" as the display and the single value is the default gray color.

Anyone see anything out of place here that I'm missing?

<single>
      <searchString>((sourcetype="Cron_SendNotificationEmail") OR 
 (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="*" NOT host="*.bmp2.*" earliest=-1d@d latest=-0d@d | rex "send_to_email ?\[(?P&lt;send_to_email&gt;\S+)\]" max_match=1000 
| rex "(?P&lt;inserting_a_record&gt;Inserting a record.*)" max_match=1000 | search inserting_a_record="*" OR send_to_email="*" | eval Delta = inserting_a_record - send_to_email | where Delta > 0 | eval status = if(Delta==0, "OK", "ERROR") | rangemap field=Delta low=0-0 default=severe</searchString>
      <title>Undelivered Emails: Last Day</title>
      <option name="classField">range</option>
</single>
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

gnovak
Builder
‎04-04-2012 12:28 PM

This worked. 

<searchString>((sourcetype="Cron_SendNotificationEmail" "[*]") OR

(sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="" NOT host=".bmp2."
earliest=-1d@d latest=-0d@d NOT (day_hour=23 AND day_minute>=59)
| rex "send_to_email ?[(?P<send_to_email>\S+)]" max_match=1000
| rex "(?P<inserting_a_record>Inserting a record.)" max_match=1000
| timechart sum(eval(if(sourcetype=="Cron_CheckRegistrarThreshold",
mvcount(inserting_a_record), 0 ))) as TotalEmailsToSend sum(eval(if(sourcetype=="Cron_SendNotificationEmail",mvcount(send_to_email), 0 ))) as TotalEmailsSent | eval Delta = TotalEmailsToSend - TotalEmailsSent | rangemap field=Delta low=0-0 default=severe
Undelivered Emails: Last Day
Delta
range

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gnovak
Builder
‎04-04-2012 12:28 PM

This worked. 

<searchString>((sourcetype="Cron_SendNotificationEmail" "[*]") OR

(sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="" NOT host=".bmp2."
earliest=-1d@d latest=-0d@d NOT (day_hour=23 AND day_minute>=59)
| rex "send_to_email ?[(?P<send_to_email>\S+)]" max_match=1000
| rex "(?P<inserting_a_record>Inserting a record.)" max_match=1000
| timechart sum(eval(if(sourcetype=="Cron_CheckRegistrarThreshold",
mvcount(inserting_a_record), 0 ))) as TotalEmailsToSend sum(eval(if(sourcetype=="Cron_SendNotificationEmail",mvcount(send_to_email), 0 ))) as TotalEmailsSent | eval Delta = TotalEmailsToSend - TotalEmailsSent | rangemap field=Delta low=0-0 default=severe
Undelivered Emails: Last Day
Delta
range

0 Karma
Reply
Solved! Jump to solution

BobM
Builder
‎04-02-2012 04:36 PM

Your search includes < and > which are not legal the way you have used them in XML so I am surprised you get anything. I recommend you surround your search in a cdata construct (See below). You also have square braces [ and ] in a rex that should be escaped \[ and \].
And also you have "| where Delta > 0" which will filter out any zero values.

<searchstring> <![CDATA[ ((sourcetype="Cron_SendNotificationEmail") OR (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record")) source="" NOT host=".bmp2." earliest=-1d@d latest=-0d@d | rex "send_to_email ?\[(?P<send_to_email>S+)\]" max_match=1000 | rex "(?P<inserting_a_record>Inserting a record.)" max_match=1000 | search inserting_a_record="" OR send_to_email="*" | eval Delta = inserting_a_record - send_to_email | eval status = if(Delta==0, "OK", "ERROR") | rangemap field=Delta low=0-0 default=severe ]]> </searchstring>

It is also good practice to tell the single value which field you want displaying by adding.

<option name="field">Delta</option>

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎04-03-2012 11:14 AM

I'm going to keep messing around with this to see what i get...

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎04-03-2012 11:08 AM

This search made everything under it blue which means it didn't like it. Also I'm not sure where in my original post you saw < or >. I had them replaced by the xml code representing these symbols. I also tried using the field option before but it did not make a difference.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...