Drill Down Dashboard Design

Vigneshprasanna
Explorer

Hi,

Now I am done with designing a dashboard. The challenge I'm facing now is that I want to design a drill-down dashboard where the application displays a table with the success or failure of the request, which is determined by some condition applied to the log.

My log data structure is as follows:

TIMESTAMP, LOG PRIORITY ID, LOG LEVEL, APP NAME, THREAD NUMBER, APPLICATION MESSAGE.

If I get the log level as ERROR, the request or response has failed; also, if I have a term like "/fail/" in the APPLICATION MESSAGE, the request or the response has failed.

How do I write an if/else condition in the Splunk query language?

Please share a sample snippet to design my dashboard.


niketn
Legend

@Vigneshprasanna if possible please add more details with some sample events from your data and expected output. It is not clear without sample data right now. Also try to add your current search that you are trying with the output you have. Please mask/anonymize any sensitive information.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

poete
Builder

Hello.

Here is one example. The dashboard below contains one table, with the criterion corresponding to 'If I get the log level as ERROR, the request or response has failed; also, if I have a term like "/fail/" in the APPLICATION MESSAGE, the request or the response has failed.'

The idea is to compute the status of each line and not to display it (usage of <fields>), and yet to enable drilldown according to this hidden value.

I hope this helps.

<dashboard>
  <init>
    <set token="drill"></set>
  </init>
  <row>
    <panel>
      <table>
        <title>hidden fields $drill$</title>
        <search>
          <query>| makeresults 
| eval APPLICATION_MESSAGE="some fail"
| eval LOG_LEVEL="OK"
| eval someFail=replace(APPLICATION_MESSAGE,"fail","")
| eval ok_ko=if(LOG_LEVEL="ERROR" OR len(someFail)!=len(APPLICATION_MESSAGE),"ko","ok")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <!-- only these two columns are rendered; ok_ko stays in the result set and is still available to the drilldown -->
        <fields>["APPLICATION_MESSAGE","LOG_LEVEL"]</fields>
        <drilldown>
          <eval token="drill">$row.ok_ko$</eval>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Vigneshprasanna
Explorer

Hi Poete,

Thanks for the effort 🙂, that was really helpful. I have a small doubt about this as I'm new to Splunk.

Test data:

2017-08-08 22:38:24,331 INFO XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]

The above message is parsed as follows:

Timestamp : 2017-08-08 22:38:24,331
Log_Level : INFO
Connection_factory : [XYZXYZ]
Thread_Number : (httpXYSGHFA 10.100.1234.12-1234-1234)
Application_Message : 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]

What I need is: if you look at the application message, it has the value "/-1/", which means the log is not done with its request, so I should change the log level to ERROR while displaying the Splunk dashboard even though the log has the INFO log level.

My current query in the dashboard:

    index=* AND LOG_LEVEL=* AND APPLICATION_MSG=*| table AUDIT_TIME LOG_LEVEL AUDIT_DATA 

What should I add to this query?

Regards,
Vigneshprasanna R

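As an added example (not code from anyone in this thread), here is one way to put the ERROR, "/fail/" and "/-1/" rules from the question and the follow-up into a single SPL search. It builds three constructed events with makeresults so it runs without any index, parses them with rex into the field names shown in the follow-up, and derives Request_Status plus a Display_Level that is forced to ERROR whenever the status is a failure; the field names and the FAILURE/SUCCESS labels are assumptions.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "2017-08-08 22:38:24,331 INFO XYZXYZ 22:38:24,331 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//-1/NO,RULE.ID:1:1=below minimum value (0) ]",
    n=2, "2017-08-08 22:38:25,010 ERROR XYZXYZ 22:38:25,010 ERROR [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//0/YES ]",
    n=3, "2017-08-08 22:38:26,120 INFO XYZXYZ 22:38:26,120 INFO [APP_INVOKE_MSG] APP Response [ ID_123SDFBH//0/YES ]")
| rex field=_raw "^(?<Timestamp>\S+ \S+)\s+(?<Log_Level>\w+)\s+(?<Connection_factory>\S+)\s+(?<Application_Message>.*)$"
| eval Request_Status=case(
    Log_Level="ERROR", "FAILURE",
    match(Application_Message, "/fail/"), "FAILURE",
    match(Application_Message, "/-1/"), "FAILURE",
    true(), "SUCCESS")
| eval Display_Level=if(Request_Status="FAILURE", "ERROR", Log_Level)
| table Timestamp Log_Level Display_Level Request_Status Application_Message
```

Against real data, replace everything up to and including the rex with the base search (index=... LOG_LEVEL=* APPLICATION_MSG=*) and the existing field names; the eval comparison and match() are both case-sensitive, so normalise the level with upper() if the source mixes cases.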