Is this thing on? A quick and easy Splunk dashboard status tip

Many clients request some sort of “up or down” status indicator for their customized dashboards. There are many potential uses for such a solution (a simplified result for checking server status, for example; or changing a complex numerical result into an easy-to-read text visualization), and since this is a common question in the Splunk user community, I wanted to share my go-to approach.

Exploiting the Rangemap Command

“Up or Down” functionality isn’t native to Splunk, so for this example we’re going to “exploit” the rangemap command, used extensively in ITSI, and modify the dashboard XML to get the desired result.

Let’s consider the following search:

index=_internal sourcetype=splunkd earliest=-30m latest=now
| eval CountStatus="No Activity"
| stats count
| eval CountStatus=if(count==0,"Down","Up")
| eval alert_level=case(CountStatus=="Up",1,CountStatus=="Down",2)
| rangemap field=alert_level low=1-1 severe=2-2

This will yield results along the following lines:

Figure 1 – The Rangemap feature results

The Single Value visualization will display the count:

Figure 2 – The Single Value visualization display

What we really want to show, however, is the CountStatus text of “Up” or “Down” rather than the raw count.

To do this we have to edit the dashboard XML, so first save the search as a dashboard panel, choosing Single Value under Visualizations.

Figure 3 – Save the search as a dashboard and single value in Visualizations

Then edit the dashboard’s XML source and add the following two option lines to the Single Value panel:

<option name="classField">range</option>
<option name="field">CountStatus</option>

And there you have it!

Figure 5 – Up Status
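For reference, here is the whole dashboard assembled as Simple XML, ready to paste into a new dashboard’s source view. This is an added example rather than the original post’s XML: the dashboard label, panel title and refresh interval are my own choices, and the first eval is dropped because stats count discards it anyway.

```xml
<dashboard>
  <label>splunkd activity status (added example)</label>
  <row>
    <panel>
      <title>splunkd logging, last 30 minutes</title>
      <single>
        <search>
          <!-- stats count still returns one row (count=0) when nothing matched,
               so the Down branch fires when the source has gone quiet -->
          <query>index=_internal sourcetype=splunkd earliest=-30m latest=now
| stats count
| eval CountStatus=if(count==0,"Down","Up")
| eval alert_level=case(CountStatus=="Up",1,CountStatus=="Down",2)
| rangemap field=alert_level low=1-1 severe=2-2</query>
          <!-- re-run every 5 minutes so the panel is not a stale snapshot (assumed interval) -->
          <refresh>5m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <!-- colour the panel from rangemap's "range" field (low / severe) ... -->
        <option name="classField">range</option>
        <!-- ... but display the CountStatus text ("Up" / "Down") instead of the count -->
        <option name="field">CountStatus</option>
      </single>
    </panel>
  </row>
</dashboard>
```

The same pattern works for any sourcetype whose silence you want to notice, such as a log source that has stopped forwarding: swap the index and sourcetype in the query and the panel turns to Down (severe) when the window is empty.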

What do you need to get done with Splunk? We’d love to help!

Kinney Group’s Expertise on Demand (EOD) for Splunk service provides immediate access to our team of Splunk-certified professionals with experience delivering 500+ Splunk engagements worldwide. Contact us below to get started or for more information.
