Solved: How to create a search for the dashboard to show l...

ng87 · ‎06-17-2018

We have an index that reads in log files from disk. Each logfile is its own source under the index, I want to create a basic health dashboard that shows the source name and when the last event/log was received and in the perfect world turn red if the last log was received more than x hours ago.

I currently have this set up with a single dashboard for each source, however, I would like to try and consolidate into a single dashboard.

Any help would be amazing

adonio · ‎06-17-2018

maybe a single panel will do,
try out this search:

| tstats max(_time) as last_event where index=* by source
| eval last_event_human = strftime(last_event, "%c")
| eval now = now()
| eval diff_in_seconds = now - last_event
| eval alert = if(diff_in_seconds>10,"alert","OK")

change the index=* to your index
feel free to change the alert value (here 10 seconds) to your desired value

hope it helps

View solution in original post

adonio · ‎06-17-2018

maybe a single panel will do,
try out this search:

| tstats max(_time) as last_event where index=* by source
| eval last_event_human = strftime(last_event, "%c")
| eval now = now()
| eval diff_in_seconds = now - last_event
| eval alert = if(diff_in_seconds>10,"alert","OK")

change the index=* to your index
feel free to change the alert value (here 10 seconds) to your desired value

hope it helps

How to create a search for the dashboard to show last event from each source?

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...