- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Re: How can I display large amounts of hosts effec...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I display large amounts of hosts effectively?
I have about 75 machines I'd like to get a snapshot of. Line graphs only seem to be able to effectively display 10 at a time. I'm looking for an effective way to cycle through all 75 hosts using one line graph. Whether that be displaying all at once, and being able to "zoom in" on a section. Or pressing a button that cycles through a list displaying 10 at a time.
The graph I'm using is one that displays a two week period of 10 hosts' Windows Event count (Application and System). If I see a spike, it's an indication I should investigate.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One option would be to only show hosts that DO have a spike, ignore the others. This will, hopefully reduce the number of hosts you need to look at. Or maybe even setup an alert to proactively notify at the start of a spike.
The other option, if dashboard is needed for all hosts, use this slideshow app to cycle through dashboard panels at specific interval.
https://splunkbase.splunk.com/app/1799/
Third option, create a 4 panels x 4 panels dashboard with each panel displaying charts for 5 hosts, manageable number?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is, the "spike" is only a spike when compared to the rest of the days. Adding retention policies makes it even harder. I guess you could call something a "spike" if it was say 50% higher than all the other days.
Remember, I have Splunk Light. I cannot install apps. However, I might be able to copy what's shown in the app. Putting it on some kind of timer sounds like a great idea.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ended up using radio buttons, and creating values like "Hostname-0*" and "Hostname-1*". So you just cycle through sets of 10. The only thing I don't like is the radio buttons are in one long line. I wish they were in multiple columns.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using link instead of radio buttons may give you better layout flexibility. I haven't tried it, so just guessing here. At the end of the day, the best solution is the one that works for the customer 🙂
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
