Using sparkline to show number of failures sustained during a test

beetlegeuse
Path Finder

I am attempting to add a sparkline viz to a table I'm using which shows the overall result of a web connectivity test (pass or fail) for multiple web services; the test runs multiple steps against each service. The data I'm reading from Splunk (derived from a CSV file) looks similar to this:

"name", "status"
"webService1 - step 1", "FAIL"
"webService1 - step 2", "PASS"
"webService1 - step 3", "PASS"
"webService1 - step 4", "FAIL"
"webService2 - step 1", "PASS"
"webService2 - step 2", "PASS"
"webService3 - step 1", "FAIL"
...

I have a working table that provides me with the service name (using "rex" to strip out the string before the hyphen in the "name" field), the number of failures sustained for each service, and the overall test status. Here's the query I'm using for that:

index=test_* sourcetype=test_csv name!="name" | rex "(?<service>\S+) -" |  eval failcount=if(status="FAIL",1,0) | stats sum(failcount) AS failCount BY service | eval TestStatus=if(failCount>0,"FAIL","PASS") | table service, failCount, TestStatus | sort +service

The table looks like this:

service        failCount    TestStatus
-----------    ---------    ----------
webService1    2            FAIL
webService2    0            PASS
webService3    1            FAIL
...

What I'd like to do is complement the failCount column (showing the number of failures sustained) with a sparkline column that would reflect the number of failures sustained, keeping the other columns intact. How would I go about doing this?

0 Karma

woodcock
Esteemed Legend

Like this:

index=_* 
| eval failcount=if(date_second<=2,1,0) 
| rename sourcetype AS service 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| stats sum(failcount) AS failCount sparkline(count(failcount)) AS failSparkline BY service 
| eval TestStatus=if(failCount>0,"FAIL","PASS") 
| table service, failCount, TestStatus *
| sort 0 +service

0 Karma

beetlegeuse
Path Finder

@woodcock: Thank you for your suggestion; this has helped get me closer to my goal. In applying your solution as provided, I realized that I had inadvertently left out some additional detail in my original post; namely, the fact that multiple services are tested. I've added this detail to the post (multiple service test results are reflected in the sample data I posted). I also added a sample table that reflects the layout.

By modifying your solution slightly...

index=test_* sourcetype=test_csv name!="name"  | eval failcount=if(status="FAIL",1,0) | rex "# (?<service>\S+) " | stats sum(failcount) AS failCount sparkline(max(failcount)) AS failSparkline BY service | eval TestStatus=if(failCount>0,"FAIL","PASS") | table service, failCount, TestStatus * | sort 0 +service

...I'm able to see a sparkline that shows a "1" for a failure (regardless of how many failures there were), since I'm using the "max(failcount)" approach. If I use the "count(failcount)" approach, I'm seeing numbers on the sparkline that do not reflect failures exclusively; I believe the sparkline is showing the number of tests executed.

So...is there a way to get the sparkline to only show the number of failures sustained for each web service test?

0 Karma

woodcock
Esteemed Legend

I don't understand, why are you using sparkline(max(failcount)) instead of sparkline(sum(failcount))?

0 Karma
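
The three sparkline aggregations discussed in this thread, side by side, as an added example that is not part of either poster's replies. It is a self-contained search: the two test runs, their timestamps (10 and 5 minutes ago) and the 1m sparkline span are constructed assumptions, and the first run reuses the sample rows from the question. count(failcount) counts every step event because failcount is always set to 0 or 1, max(failcount) never exceeds 1 per bucket, and sum(failcount) adds up only the failures in each bucket.

```spl
| makeresults
| rename COMMENT AS "Constructed sample data, one item per test step: minutesAgo,name,status"
| eval raw="10,webService1 - step 1,FAIL;10,webService1 - step 2,PASS;10,webService1 - step 3,PASS;10,webService1 - step 4,FAIL;10,webService2 - step 1,PASS;10,webService2 - step 2,PASS;10,webService3 - step 1,FAIL;5,webService1 - step 1,PASS;5,webService1 - step 2,PASS;5,webService1 - step 3,FAIL;5,webService1 - step 4,PASS;5,webService2 - step 1,PASS;5,webService2 - step 2,PASS;5,webService3 - step 1,PASS"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<minsAgo>\d+),(?<name>[^,]+),(?<status>\w+)$"
| rename COMMENT AS "Place every step of a run at the same timestamp so each run falls into one sparkline bucket"
| eval _time=now()-(tonumber(minsAgo)*60)

| rename COMMENT AS "Everything above generates sample event data; everything below is the comparison"

| rex field=name "(?<service>\S+) -"
| eval failcount=if(status="FAIL",1,0)
| stats sum(failcount) AS failCount
        sparkline(count(failcount), 1m) AS countSparkline
        sparkline(max(failcount), 1m) AS maxSparkline
        sparkline(sum(failcount), 1m) AS sumSparkline
        BY service
| eval TestStatus=if(failCount>0,"FAIL","PASS")
| table service, failCount, TestStatus, countSparkline, maxSparkline, sumSparkline
| sort 0 +service
```

Run it with a time range that covers the constructed timestamps, such as the last 15 minutes, and compare the three sparkline columns for webService1.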