Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Live count in radial gauge

vidda42
Explorer
‎12-21-2012 01:55 AM

Hi all !

Just can't figure out how to get this work.
I am searching for firewall drops in my indexed logs, so I currently have this search : action="drop".
I would like to have the drop-rate (per second) of all the firewalls and display it on a radial gauge.

Can anyone help me with that...?

Thanx !

David

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vidda42
Explorer
‎12-21-2012 12:51 PM

Hi again all !

I finally got my dashboard working fine with 'live' area charts combined with a 'live' gauge next to them.
The problem in this type of request is that you will get, as a result of your search, several lines. In my case, one per second elapsed. With this, you will be able to graph them as a line or area chart updating every x second(s).

But, you can't display a 'live' gauge with these results.
So, the trick is that you have to get ONLY one result, to be able to show it in a 'live' gauge.

To do this, you have to " | tail 1" your search.

Sum-up:

  • If you need a 'live' line or area chart :
    action="drop" | timechart span=1s count

  • If you need a 'live' gauge (radial, meter, filler) counter :
    action="drop" | bucket _time span=1s | stats count(_raw) as eps by _time | table eps | tail 1

Enjoy now !

David

View solution in original post

Reply
Solved! Jump to solution
Solution

vidda42
Explorer
‎12-21-2012 12:51 PM

Hi again all !

I finally got my dashboard working fine with 'live' area charts combined with a 'live' gauge next to them.
The problem in this type of request is that you will get, as a result of your search, several lines. In my case, one per second elapsed. With this, you will be able to graph them as a line or area chart updating every x second(s).

But, you can't display a 'live' gauge with these results.
So, the trick is that you have to get ONLY one result, to be able to show it in a 'live' gauge.

To do this, you have to " | tail 1" your search.

Sum-up:

  • If you need a 'live' line or area chart :
    action="drop" | timechart span=1s count

  • If you need a 'live' gauge (radial, meter, filler) counter :
    action="drop" | bucket _time span=1s | stats count(_raw) as eps by _time | table eps | tail 1

Enjoy now !

David

Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...