Dashboards & Visualizations

Basic Dashboard

peter_gianusso
Communicator

Looking for a basic dashboard that does things like the following:

  • number of events indexed over the past 7 days by day
  • top 5 source types indexed in the past 7 days
  • top 5 alerts emailed in the past 7 days by sourcetype

I looked through the dashboard example application and the examples are just not relevant.

Thanks!


jonuwz
Influencer

Events indexed in last 7 days

earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_* 

Top 5 sourcetypes in last 7 days

earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | top limit=5 series

Top 5 alerts emailed in last 7 days

index=_audit action=alert_fired | top limit=5 ss_name

Getting this by sourcetype doesn't make sense. Alerts are not bound by sourcetypes; they're orthogonal concepts. Conditions for alerts are independent of the sourcetype, unless you specify it in the alert search.

Choose a visualization you like from the samples, replace the search with the ones above and away you go.

Because my simplexml-fu is weak

Example:

<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>Throughput Summary</label>
  <row>
    <chart>
      <searchString>index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*</searchString>
      <earliestTime>-7d@d</earliestTime>
      <latestTime>@d</latestTime>
      <title>Indexed Events</title>
      <option name="charting.chart">column</option>
      <option name="charting.chart.stackMode">stacked</option>
    </chart>
  </row>
  <row>
    <table>
      <!-- sort on the Events field that stats produces; a "count" field does not exist here -->
      <searchString>index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -Events | head 5 | rename series as Sourcetype</searchString>
      <earliestTime>-7d@d</earliestTime>
      <latestTime>@d</latestTime>
      <title>Top 5 Sourcetype by Volume</title>
    </table>
  </row>
  <row>
    <table>
      <searchString>index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</searchString>
      <earliestTime>-7d@d</earliestTime>
      <latestTime>@d</latestTime>
      <title>Top 5 Alert Generating Searches</title>
    </table>
  </row>
</dashboard>

And because advanced XML is better

<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
  <label>Throughput Summary</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="DashboardTitleBar" layoutPanel="viewHeader"/>

  <module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" group="Indexed Events" autoRun="True">
    <param name="earliest">-7d@d</param>
    <param name="latest">@d</param>
    <param name="search">index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_* | fillnull value=0</param>
    <module name="JobProgressIndicator"> 
      <module name="EnablePreview">
        <param name="display">False</param>
        <param name="enable">True</param>
        <module name="HiddenChartFormatter" layoutPanel="panel_row1_col1_grp1">
          <param name="charting.chart">column</param>
          <param name="charting.chart.stackMode">stacked</param>
          <module name="JSChart"/>
        </module>
        <module name="HiddenPostProcess">
          <param name="search">addtotals | fields _time Total </param>
          <module name="SimpleResultsTable" layoutPanel="panel_row1_col1_grp2">
            <param name="displayRowNumbers">off</param>
          </module>
        </module>
      </module>
    </module>
  </module>

  <module name="HiddenSearch" layoutPanel="panel_row2_col1_grp1" group="Top 5 Sourcetypes by Volume" autoRun="True">
    <param name="earliest">-7d@d</param>
    <param name="latest">@d</param>
    <param name="search">index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -Events | head 5 | rename series as Sourcetype</param>
    <module name="JobProgressIndicator"> 
      <module name="EnablePreview">
        <param name="display">False</param>
        <param name="enable">True</param>
        <module name="HiddenChartFormatter" layoutPanel="panel_row2_col1_grp1">
          <param name="charting.chart">pie</param>
          <param name="charting.chart.sliceCollapsingThreshold">0</param>
          <module name="JSChart"/>
        </module>
        <module name="SimpleResultsTable" layoutPanel="panel_row2_col1_grp2">
            <param name="displayRowNumbers">off</param>
        </module>
      </module>
    </module>
  </module>

  <module name="HiddenSearch" layoutPanel="panel_row3_col1_grp1" group="Top 5 Saved Searches by Alert Generation" autoRun="True">
    <param name="earliest">-7d@d</param>
    <param name="latest">@d</param>
    <param name="search">index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</param>
    <module name="JobProgressIndicator"> 
      <module name="EnablePreview">
        <param name="display">False</param>
        <param name="enable">True</param>
        <module name="HiddenChartFormatter" layoutPanel="panel_row3_col1_grp1">
          <param name="charting.chart">pie</param>
          <param name="charting.chart.sliceCollapsingThreshold">0</param>
          <module name="JSChart"/>
        </module>
        <module name="SimpleResultsTable" layoutPanel="panel_row3_col1_grp2">
          <param name="displayRowNumbers">off</param>
        </module>
      </module>
    </module>
  </module>

</view>
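To see what the three panels actually compute, here is an added Python example (not part of jonuwz's answer and not Splunk code) that reproduces the aggregations offline over a handful of constructed log lines: `timechart span=1d sum(ev) by series` on per_index_thruput records, the `addtotals` post-process from the advanced XML, the filtered `stats sum(ev) as Events by series | sort -Events | head 5` over per_sourcetype_thruput, and `action=alert_fired | top ss_name` over _audit. The layout of the sample metrics.log and _audit lines is an approximation of the real formats; only the fields the searches use (group, series, ev, action, ss_name) are relied on.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample metrics.log lines (not real data). The layout approximates
# Splunk's per_*_thruput records; ev is the event count for that 30s interval.
METRICS_LOG = """\
01-02-2024 00:00:31.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=1.2, eps=3.1, kb=36.0, ev=93, avg_age=0.5, max_age=1
01-02-2024 00:00:31.000 +0000 INFO  Metrics - group=per_index_thruput, series="_internal", kbps=0.4, eps=1.0, kb=12.0, ev=30, avg_age=0.5, max_age=1
01-03-2024 00:00:31.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=1.0, eps=2.5, kb=30.0, ev=75, avg_age=0.5, max_age=1
01-02-2024 00:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=0.4, eps=1.0, kb=12.0, ev=30, avg_age=0.5, max_age=1
01-02-2024 00:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=0.8, eps=2.0, kb=24.0, ev=60, avg_age=0.5, max_age=1
01-02-2024 00:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=0.4, eps=1.1, kb=12.0, ev=33, avg_age=0.5, max_age=1
01-03-2024 00:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=0.5, eps=1.2, kb=15.0, ev=36, avg_age=0.5, max_age=1
01-03-2024 00:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="scheduler", kbps=0.1, eps=0.1, kb=3.0, ev=3, avg_age=0.5, max_age=1
01-03-2024 00:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="wineventlog", kbps=0.5, eps=1.3, kb=15.0, ev=39, avg_age=0.5, max_age=1
"""

# Constructed sample _audit events (not real data); only action and ss_name matter here.
AUDIT_LOG = """\
Audit:[timestamp=01-02-2024 00:05:00.000, user=admin, action=alert_fired, ss_name="Failed logins spike", sid="x1"]
Audit:[timestamp=01-02-2024 00:10:00.000, user=admin, action=alert_fired, ss_name="Disk nearly full", sid="x2"]
Audit:[timestamp=01-03-2024 00:05:00.000, user=admin, action=alert_fired, ss_name="Failed logins spike", sid="x3"]
Audit:[timestamp=01-03-2024 00:06:00.000, user=admin, action=search, ss_name="Failed logins spike", sid="x4"]
"""

METRICS_RE = re.compile(
    r'^(?P<date>\d{2}-\d{2}-\d{4}) .*?group=(?P<group>\w+), series="(?P<series>[^"]*)".*?\bev=(?P<ev>\d+)'
)
AUDIT_RE = re.compile(r'action=(?P<action>\w+).*?ss_name="(?P<ss_name>[^"]*)"')

# The answer's NOT (...) clause: splunk* is a prefix wildcard, the rest are exact names.
EXCLUDED_EXACT = {"searches", "audittrail", "stash", "scheduler"}


def parse_metrics(text):
    """Extract day, group, series and ev from each metrics.log line."""
    rows = []
    for line in text.splitlines():
        m = METRICS_RE.search(line)
        if not m:
            continue
        day = datetime.strptime(m["date"], "%m-%d-%Y").date().isoformat()
        rows.append({"day": day, "group": m["group"], "series": m["series"], "ev": int(m["ev"])})
    return rows


def events_per_day_by_index(rows):
    """timechart span=1d sum(ev) by series, restricted to group=per_index_thruput."""
    out = defaultdict(Counter)
    for r in rows:
        if r["group"] == "per_index_thruput":
            out[r["day"]][r["series"]] += r["ev"]
    return {day: dict(c) for day, c in sorted(out.items())}


def daily_totals(per_day):
    """addtotals | fields _time Total, the HiddenPostProcess in the advanced XML."""
    return {day: sum(c.values()) for day, c in per_day.items()}


def is_excluded_series(series):
    return series.startswith("splunk") or series in EXCLUDED_EXACT


def top_sourcetypes(rows, limit=5):
    """stats sum(ev) as Events by series | sort -Events | head N, after the NOT filter."""
    totals = Counter()
    for r in rows:
        if r["group"] == "per_sourcetype_thruput" and not is_excluded_series(r["series"]):
            totals[r["series"]] += r["ev"]
    # Secondary key on the name keeps ties deterministic; SPL's sort does not promise that.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def top_alerting_searches(text, limit=5):
    """index=_audit action=alert_fired | top limit=N ss_name (counts only, no percent)."""
    counts = Counter()
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m and m["action"] == "alert_fired":
            counts[m["ss_name"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    rows = parse_metrics(METRICS_LOG)
    per_day = events_per_day_by_index(rows)
    print("Indexed events per day by index:", per_day)
    print("Daily totals:", daily_totals(per_day))
    print("Top sourcetypes by volume:", top_sourcetypes(rows))
    print("Top alert-firing saved searches:", top_alerting_searches(AUDIT_LOG))
```

Two points the numbers make visible: splunkd and scheduler never reach the top list because the NOT clause drops them before the sum, and the alert panel counts fired saved searches, which is why it cannot be broken down by sourcetype. The per-day totals are also a cheap health signal: a sourcetype whose daily volume drops to zero usually means a forwarder or input has gone quiet, which is worth an alert of its own.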
