Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Basic Dashboard
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
peter_gianusso
Communicator
03-11-2013
12:20 PM
Looking for a basic dashboard that does things like the following:
- number of events indexed over the past 7 days by day
- top 5 source types indexed in the past 7 days
- top 5 alerts emailed in the past 7 days by sourcetype
I looked through the dashboard example application and the examples are just not relevant.
thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonuwz
Influencer
03-11-2013
01:37 PM
Events indexed in last 7 days
earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*
Top 5 sourcetypes in last 7 days
earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | top limit=5 series
Top 5 alerts emailed in last 7 days
index=_audit action=alert_fired | top limit=5 ss_name
Getting this by sourcetype doesn't make sense. Alerts are not bound by sourcetypes, they're orthogonal concepts. Conditions for alerts are independent of the sourcetype, unless you specify it in the alert search
Choose a visualization you like from the samples, replace the search with the ones above and away you go ..
Because my simplexml-fu is weak
Example :
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
<label>Throughput Summary</label>
<row>
<chart>
<searchString>index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Indexed Events</title>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
</chart>
</row>
<row>
<table>
<searchString>index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -count | head 5 | rename series as Sourcetype</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Top 5 Sourcetype by Volume</title>
</table>
</row>
<row>
<table>
<searchString>index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Top 5 Alert Generating Searches</title>
</table>
</row>
</dashboard>
And because advanced XML is better
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
<label>Throughput Summary</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="DashboardTitleBar" layoutPanel="viewHeader"/>
<module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" group="Indexed Events" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_* | fillnull value=0</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row1_col1_grp1">
<param name="charting.chart">column</param>
<param name="charting.chart.stackMode">stacked</param>
<module name="JSChart"/>
</module>
<module name="HiddenPostProcess">
<param name="search">addtotals | fields _time Total </param>
<module name="SimpleResultsTable" layoutPanel="panel_row1_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row2_col1_grp1" group="Top 5 Sourcetypes by Volume" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -Events | head 5 | rename series as Sourcetype</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row2_col1_grp1">
<param name="charting.chart">pie</param>
<param name="charting.chart.sliceCollapsingThreshold">0</param>
<module name="JSChart"/>
</module>
<module name="SimpleResultsTable" layoutPanel="panel_row2_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row3_col1_grp1" group="Top 5 Saved Searches by Alert Generation" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row3_col1_grp1">
<param name="charting.chart">pie</param>
<param name="charting.chart.sliceCollapsingThreshold">0</param>
<module name="JSChart"/>
</module>
<module name="SimpleResultsTable" layoutPanel="panel_row3_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
</view>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonuwz
Influencer
03-11-2013
01:37 PM
Events indexed in last 7 days
earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*
Top 5 sourcetypes in last 7 days
earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | top limit=5 series
Top 5 alerts emailed in last 7 days
index=_audit action=alert_fired | top limit=5 ss_name
Getting this by sourcetype doesn't make sense. Alerts are not bound by sourcetypes, they're orthogonal concepts. Conditions for alerts are independent of the sourcetype, unless you specify it in the alert search
Choose a visualization you like from the samples, replace the search with the ones above and away you go ..
Because my simplexml-fu is weak
Example :
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
<label>Throughput Summary</label>
<row>
<chart>
<searchString>index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Indexed Events</title>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
</chart>
</row>
<row>
<table>
<searchString>index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -count | head 5 | rename series as Sourcetype</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Top 5 Sourcetype by Volume</title>
</table>
</row>
<row>
<table>
<searchString>index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Top 5 Alert Generating Searches</title>
</table>
</row>
</dashboard>
And because advanced XML is better
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
<label>Throughput Summary</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="DashboardTitleBar" layoutPanel="viewHeader"/>
<module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" group="Indexed Events" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_* | fillnull value=0</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row1_col1_grp1">
<param name="charting.chart">column</param>
<param name="charting.chart.stackMode">stacked</param>
<module name="JSChart"/>
</module>
<module name="HiddenPostProcess">
<param name="search">addtotals | fields _time Total </param>
<module name="SimpleResultsTable" layoutPanel="panel_row1_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row2_col1_grp1" group="Top 5 Sourcetypes by Volume" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -Events | head 5 | rename series as Sourcetype</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row2_col1_grp1">
<param name="charting.chart">pie</param>
<param name="charting.chart.sliceCollapsingThreshold">0</param>
<module name="JSChart"/>
</module>
<module name="SimpleResultsTable" layoutPanel="panel_row2_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row3_col1_grp1" group="Top 5 Saved Searches by Alert Generation" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row3_col1_grp1">
<param name="charting.chart">pie</param>
<param name="charting.chart.sliceCollapsingThreshold">0</param>
<module name="JSChart"/>
</module>
<module name="SimpleResultsTable" layoutPanel="panel_row3_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
</view>
Get Updates on the Splunk Community!
Welcome to the Splunk Community!
(view in My Videos)
We're so glad you're here!
The Splunk Community is place to connect, learn, give back, and ...
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
