Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filtering of a particular value out of the Dashboard.

jerinvarghese
Communicator
‎03-26-2020 02:09 AM

I have one more issue which am facing.

 index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" "WANRT*"
 | rex field=eventuei "uei.opennms.org/nodes/node(?<bgpPeerState>.+)"
 | eval Status=case(bgpPeerState=="Up", "UP", bgpPeerState=="Down", "DOWN", 1=1, "Other")
  | rename _time as Time_CST
   | fieldformat Time_CST=strftime(Time_CST,"%x %X")
 | dedup nodelabel sortby - Time_CST 
 | table nodelabel Status  Time_CST

Output:

 nodelabel    Status    Time_CST
 NZSKB    DOWN    03/24/20 10:33:33
 GQPCW    DOWN    03/24/20 10:30:15
 EGSUM    UP    03/24/20 10:19:39
 GQHAN    DOWN    03/24/20 10:16:57
 FJVUD    UP    03/24/20 10:05:20
 PGPKC    UP    03/24/20 09:58:09

is it possible to only display DOWN CASES in the dashboard

I tried with 

| where =="DOWN"

But it converted the whole UP's as DOWN.

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎03-26-2020 03:52 AM 
....
| rex field=eventuei "uei.opennms.org/nodes/node(?<bgpPeerState>.+)"
| stats max(_time) as Time_CST latest(bgpPeerState) as Status by nodelabel
| where Status="DOWN"
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| sort- Time_CST 
| table nodelabel Status  Time_CST
0 Karma
Reply

niketn
Legend
‎03-26-2020 02:30 AM

Did you try | where Status="DOWN"? or the one that you have posted which seems incorrect?

Also why not filter only Down event while fetching from index? Are you interested in latest node status which are down?

What is the purpose of dedup and why not apply after fetching required fields from index as that is the only dataset reduction your are performing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

jerinvarghese
Communicator
‎03-26-2020 02:56 AM

Hi,

Sorry it was a typo..I was using 

 | where Status=="DOWN"

There are cases were some of my devices comes UP and some wont.
AM interested in those devices which are not coming UP.

Once I dont the eval statement, I will get which has the UP and DOWN status.

| eval Status=case(bgpPeerState=="Up", "UP", bgpPeerState=="Down", "DOWN", 1=1, "Other")

from this I was only those are DOWN.

If am only searching for DOWN events. then those devices which are UP now has a DOWN event previously. so i cant filter with only down event from index.

Dedup am using is for filtering only those device with latest status. Because the same device go UP and DOWN multiple times. I want only those are DOWN at the moment.and remove those which came an UP event.

Hope this explains my logic

0 Karma
Reply

jerinvarghese
Communicator
‎03-26-2020 02:22 AM 
| where Status=="DOWN"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...