
single value won't turn green

gnovak
Builder

I have a dashboard where I have a single value module that contains a search that should make it green if no results are found (meaning all is ok!), red if results are found (not good!).

At one point I was able to get the module to turn red if a number was present other than 0. However if 0 is present, I would like 0 to be displayed and the single value to be green. So far all I get is "n/a" as the display and the single value is the default gray color.

Anyone see anything out of place here that I'm missing?

<single>
      <searchString>((sourcetype="Cron_SendNotificationEmail") OR
 (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="*" NOT host="*.bmp2.*" earliest=-1d@d latest=-0d@d
| rex "send_to_email ?\[(?P&lt;send_to_email&gt;\S+)\]" max_match=1000
| rex "(?P&lt;inserting_a_record&gt;Inserting a record.*)" max_match=1000
| search inserting_a_record="*" OR send_to_email="*"
| eval Delta = inserting_a_record - send_to_email
| where Delta > 0
| eval status = if(Delta==0, "OK", "ERROR")
| rangemap field=Delta low=0-0 default=severe</searchString>
      <title>Undelivered Emails: Last Day</title>
      <option name="classField">range</option>
</single>
1 Solution

gnovak
Builder

This worked.

<single>
      <searchString>((sourcetype="Cron_SendNotificationEmail" "[*]") OR
 (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="*" NOT host="*.bmp2.*"
earliest=-1d@d latest=-0d@d NOT (day_hour=23 AND day_minute>=59)
| rex "send_to_email ?\[(?P&lt;send_to_email&gt;\S+)\]" max_match=1000
| rex "(?P&lt;inserting_a_record&gt;Inserting a record.*)" max_match=1000
| timechart sum(eval(if(sourcetype=="Cron_CheckRegistrarThreshold", mvcount(inserting_a_record), 0))) as TotalEmailsToSend
            sum(eval(if(sourcetype=="Cron_SendNotificationEmail", mvcount(send_to_email), 0))) as TotalEmailsSent
| eval Delta = TotalEmailsToSend - TotalEmailsSent
| rangemap field=Delta low=0-0 default=severe</searchString>
      <title>Undelivered Emails: Last Day</title>
      <option name="field">Delta</option>
      <option name="classField">range</option>
</single>

0 Karma
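The difference between the original search (per-event subtraction of two extracted string fields) and the accepted solution (count the extractions per sourcetype, then subtract) is easier to see when the pipeline is replayed over a handful of log lines. The Python below is an added example, not code from the thread or from Splunk; the events, the email addresses, and the function names (naive_delta, count_delta, rangemap, single_value) are constructed for illustration, and the solution's timechart bucketing is collapsed into a single bucket covering the whole window.

```python
import re

# Constructed sample events (not from the original post): (sourcetype, raw message).
# Four "Inserting a record" events versus three delivered addresses, so one
# notification is outstanding and the panel should turn red.
SAMPLE_EVENTS = [
    ("Cron_CheckRegistrarThreshold", "Inserting a record for registrar 41"),
    ("Cron_CheckRegistrarThreshold", "Inserting a record for registrar 42"),
    ("Cron_CheckRegistrarThreshold", "Inserting a record for registrar 43"),
    ("Cron_CheckRegistrarThreshold", "Inserting a record for registrar 44"),
    # one event can carry several addresses; max_match=1000 extracts all of them
    ("Cron_SendNotificationEmail", "send_to_email [ops-a@example.invalid] send_to_email [ops-b@example.invalid]"),
    ("Cron_SendNotificationEmail", "send_to_email[ops-c@example.invalid]"),
    ("Cron_SendNotificationEmail", "heartbeat ok"),
]

# The two rex patterns from the thread, unchanged apart from Python's raw-string syntax.
SEND_RE = re.compile(r"send_to_email ?\[(?P<send_to_email>\S+)\]")
INSERT_RE = re.compile(r"(?P<inserting_a_record>Inserting a record.*)")


def mvcount(pattern, message):
    """mvcount() of a rex field extracted with max_match=1000: matches per event."""
    return len(pattern.findall(message))


def naive_delta(events):
    """The original search: eval Delta = inserting_a_record - send_to_email, per event.

    Both fields are strings, and no single event carries both of them, so the
    subtraction never has two numeric operands and evaluates to null for every
    event. That is why the single value showed n/a with no colour.
    """
    deltas = []
    for _sourcetype, message in events:
        send = SEND_RE.search(message)
        ins = INSERT_RE.search(message)
        try:
            deltas.append(float(ins.group("inserting_a_record")) - float(send.group("send_to_email")))
        except (AttributeError, ValueError):  # missing field or non-numeric text
            deltas.append(None)  # null in SPL terms
    return deltas


def count_delta(events):
    """The accepted solution: sum(eval(if(sourcetype==..., mvcount(field), 0)))
    for each side over the window, then TotalEmailsToSend - TotalEmailsSent."""
    to_send = sum(
        mvcount(INSERT_RE, msg) for st, msg in events if st == "Cron_CheckRegistrarThreshold"
    )
    sent = sum(
        mvcount(SEND_RE, msg) for st, msg in events if st == "Cron_SendNotificationEmail"
    )
    return to_send - sent


def rangemap(delta, low=(0, 0), default="severe"):
    """rangemap field=Delta low=0-0 default=severe: name the range Delta falls in."""
    if delta is None:
        return None  # no value, so no range and nothing for classField to colour
    lo, hi = low
    return "low" if lo <= delta <= hi else default


def single_value(delta):
    """What the single-value panel receives: (text to display, classField value)."""
    if delta is None:
        return ("n/a", None)
    return (str(delta), rangemap(delta))


if __name__ == "__main__":
    print("original search, per event:", naive_delta(SAMPLE_EVENTS))
    print("accepted solution, panel:", single_value(count_delta(SAMPLE_EVENTS)))
```

Two things follow from running it: the per-event subtraction is null for every event, so no amount of rangemap or classField tuning can colour the panel, and a zero delta maps to the "low" range only if it reaches rangemap at all, which a `where Delta > 0` clause earlier in the pipeline prevents.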

BobM
Builder

Your search includes < and > which are not legal the way you have used them in XML so I am surprised you get anything. I recommend you surround your search in a cdata construct (See below). You also have square braces [ and ] in a rex that should be escaped \[ and \].
And also you have "| where Delta > 0" which will filter out any zero values.

<searchString><![CDATA[
((sourcetype="Cron_SendNotificationEmail") OR (sourcetype="Cron_CheckRegistrarThreshold" "Inserting a record*"))
source="*" NOT host="*.bmp2.*" earliest=-1d@d latest=-0d@d
| rex "send_to_email ?\[(?P<send_to_email>\S+)\]" max_match=1000
| rex "(?P<inserting_a_record>Inserting a record.*)" max_match=1000
| search inserting_a_record="*" OR send_to_email="*"
| eval Delta = inserting_a_record - send_to_email
| eval status = if(Delta==0, "OK", "ERROR")
| rangemap field=Delta low=0-0 default=severe
]]></searchString>

It is also good practice to tell the single value which field you want displaying by adding:

<option name="field">Delta</option>

0 Karma

gnovak
Builder

I'm going to keep messing around with this to see what I get...

0 Karma

gnovak
Builder

This search made everything under it blue which means it didn't like it. Also I'm not sure where in my original post you saw < or >. I had them replaced by the xml code representing these symbols. I also tried using the field option before but it did not make a difference.

0 Karma