I have a simple timechart that looks at the _internal index for various hosts and makes a simple timechart span by hour. I trellis this by host so I get say 8 medium sized timecharts that show log counts over the last 3 days. Sometimes, some of these hosts go down and the value obviously goes to zero.
How do I make the background panel for that host colored red when any of the values is zero? In other words, I want to capture the attention of my users when any of the hosts have a time when there are no logs. If this isn't possible, I'd be open to other suggestions that would get a user's attention. I already have alerts set up as well, but this dashboard is also important, and I want to make it easier to capture the user's attention.
| tstats count where index=_internal host=myhost00* by host _time prestats=t span=1h
| timechart span=1h count by host
Final working SPL. Since I have multiple hosts, I just broke them down into individual searches and removed the <panel> tags to make them look like one big panel.
<dashboard>
  <label>Test Dashboard</label>
  <row>
    <panel>
      <chart>
        <search id="pre">
          <query>| tstats count where index=_internal host=system1 BY host _time prestats=t span=1h
| timechart span=1h count AS mycount
          </query>
          <earliest>-48h@h</earliest>
          <latest>@h</latest>
        </search>
        <option name="charting.backgroundColor">$myColorToken$</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">preview</option>
      </chart>
    </panel>
  </row>
  <search base="pre">
    <query>| stats min(mycount) AS mincount</query>
    <done>
      <eval token="myColorToken">if($result.mincount$&lt;=0,"red","white")</eval>
    </done>
  </search>
</dashboard>
With a normal chart, it would be easy enough. You'd do a post process search to calculate the lowest value and on <done> set a background color based on that.
Updated with more details as per request...
In your SPL, you will do something like this
<search id="whatever">
<query>
... your search stuff...
| timechart span=1h count as mycount
</query>
</search>
Elsewhere, you will have another search that uses that one as its base
<search base="whatever">
<query>
| stats min(mycount) as mincount
</query>
<done>
<eval token="myColorToken">if($result.mincount$&lt;=0,"red","green")</eval>
</done>
</search>
In your chart, you are going to have a line like this...
<option name="charting.backgroundColor">$myColorToken$</option>
The above is all aircode, but should be reasonably close. You can test each chunk by hardcoding, such as hardcoding a <set> command with your color values and seeing that the backgroundColor option is working, and so on.
Unfortunately, trellis is a bit of a blunt instrument at the moment. I can see a way to do this with singles, but not timecharts.
Paging @niketnilay...
Thank you @DalJeanis! Just needed to encode the "<" but otherwise it worked perfectly. First time for me using these tags, learning new SPL every day.
Ah, yes. Updated < to &lt;.
😄 I will keep quiet if this works straight-forward with several charts powered by individual queries. <condition match="$job.resultCount$==0"> (i.e. to capture Search returned no results) can also be used with <done> and <progress> Search Event Handlers to achieve same results to set background color of the chart!
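The `<condition>` variant mentioned in the comment above, written out as an added example (not code posted by anyone in the thread). It reuses the thread's search, host name `system1` and token name `myColorToken`; the label text is made up for the illustration.

```xml
<dashboard>
  <label>Host silence check (added example)</label>
  <row>
    <panel>
      <chart>
        <search>
          <!-- Same search as the thread's final dashboard -->
          <query>| tstats count where index=_internal host=system1 BY host _time prestats=t span=1h
| timechart span=1h count AS mycount</query>
          <earliest>-48h@h</earliest>
          <latest>@h</latest>
          <done>
            <!-- The search returned no rows: nothing logged in the whole window -->
            <condition match="$job.resultCount$==0">
              <set token="myColorToken">red</set>
            </condition>
            <!-- Fallback: at least one row came back -->
            <condition>
              <set token="myColorToken">white</set>
            </condition>
          </done>
        </search>
        <option name="charting.backgroundColor">$myColorToken$</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

This condition matches only when the search returns no rows at all. An hour with a zero count inside a window that otherwise has data is still a row, so the `min(mycount)` post-process search from the thread is what catches that case.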
Yes, but I couldn't type that one as aircode, and didn't want to take the time to google the exact capitalization...
Hi @DalJeanis I think I can break up the SPL query into individual searches to avoid using trellis. Can you give me an example of how to do it with a "normal chart"? Then I can try implementing it via <done> as you mentioned?