Solved: how to build a simple dashboard using index and so...

tkrprakash · ‎08-30-2017

how to build a simple dashboard using index and source ; and modify the search for various scenarios ,

I have an index ; I have a source

how can I list all fields in my source and index and make us of them with simple visualizations

please help

DalJeanis · ‎08-30-2017

Before you make the dashboard, you need to play around and get comfortable with the search box.

Enter this...

index=foo | head 5

Since there are only 5 records, every field in any of them will appear in the "interesting fields" list to the left. (Being on one record is 20%, which makes it "interesting".) Look at the field names, and click on them to see what kind of values they hold.

You can also do this to get a list of the field names output from a search...

index=foo | head 10 | fieldsummary

That will give you a table displaying various information about non-internal fields. (Internal fields, those beginning with underscore, you don't want to mess with, with the possible exception of _time.)

Play with these commands first - eval, stats, eventstats, chart, timechart.

For every one of those commands but eval, play with these aggregation functions first - count(), sum(), avg(), min(), max(), first(), last(), earliest(), latest(), stdev()

Once you feel comfortable with what those all do, then come back and ask about visualizations.

Updated to use the more modern fieldsummary command.

View solution in original post

niketn · ‎08-30-2017

You can go through Splunk search tutorial, following topic talks about creation of dashboards and next step.
http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Createnewdashboard

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DalJeanis · ‎08-30-2017

Before you make the dashboard, you need to play around and get comfortable with the search box.

Enter this...

index=foo | head 5

Since there are only 5 records, every field in any of them will appear in the "interesting fields" list to the left. (Being on one record is 20%, which makes it "interesting".) Look at the field names, and click on them to see what kind of values they hold.

You can also do this to get a list of the field names output from a search...

index=foo | head 10 | fieldsummary

That will give you a table displaying various information about non-internal fields. (Internal fields, those beginning with underscore, you don't want to mess with, with the possible exception of _time.)

Play with these commands first - eval, stats, eventstats, chart, timechart.

For every one of those commands but eval, play with these aggregation functions first - count(), sum(), avg(), min(), max(), first(), last(), earliest(), latest(), stdev()

Once you feel comfortable with what those all do, then come back and ask about visualizations.

Updated to use the more modern fieldsummary command.

tkrprakash · ‎08-31-2017

Thank you very much Sir , let me start exploring , the first command works , the second command the field value and fieldname should be selected as per the event and output generated in command one above right ?

DalJeanis · ‎08-31-2017

@tkrprakash - no, I had an error in my aircode. I've updated the code to use the more modern fieldsummary, which is a much better resource for you at this point. Try it and you'll see what I mean.

how to build a simple dashboard using index and source

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms