Many clients request some sort of “up or down” status indicator for their customized dashboards. There are many potential uses for such a solution (a simplified result for checking server status, for example; or changing a complex numerical result into an easy-to-read text visualization), and since this is a common question in the Splunk user community, I wanted to share my go-to approach.
Exploiting the Rangemap Command
“Up or Down” functionality isn’t native to Splunk, so for this example we’re going to “exploit” the rangemap command (used extensively in ITSI) and then edit the dashboard’s Simple XML to get the desired result. Rangemap maps a numeric field onto named ranges and writes the matching range name into a new field called range; the dashboard can then key its display off that field.
Let’s consider the following search:
index=_internal sourcetype=splunkd earliest=-30m latest=now
| eval CountStatus="No Activity"
| stats count
| eval CountStatus=if(count==0,"Down","Up")
| eval alert_level=case(CountStatus=="Up",1,CountStatus=="Down",2)
| rangemap field=alert_level low=1-1 severe=2-2
This yields a single row with four fields: count, CountStatus (“Up” or “Down”), alert_level (1 or 2) and range (“low” or “severe”), the last one being the field rangemap adds.
By default the Single Value visualization displays the first field in that row, which is the count.
What we really want to show, however, is the CountStatus of “Up” or “Down”, colored by the range value.
To do this, we must get into the XML, so save the search as a dashboard panel with the Single Value visualization, then open the dashboard in the XML editor (Edit > Source).
Then, inside the panel’s <single> element, add the following two option lines:
<option name="classField">range</option>
<option name="field">CountStatus</option>
The field option tells the Single Value which field to display (CountStatus instead of count), and classField tells it which field supplies the CSS class, so the panel is rendered with the low or severe styling that matches the rangemap result.
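Putting the pieces together, here is a complete Simple XML dashboard with the search and the two options in place. This is an added example rather than XML from the original post; the label and panel title are made up, and the initial eval CountStatus="No Activity" from the search above is left out because stats count discards every field except count, so that assignment never reaches the visualization.

```xml
<dashboard>
  <!-- Added example dashboard; label and title are assumptions, not from the original post. -->
  <label>Splunkd Up/Down Status (example)</label>
  <row>
    <panel>
      <single>
        <title>splunkd activity, last 30 minutes</title>
        <search>
          <!-- Time bounds are set inline in the query, so no earliest/latest tags are needed here. -->
          <query>index=_internal sourcetype=splunkd earliest=-30m latest=now
| stats count
| eval CountStatus=if(count==0,"Down","Up")
| eval alert_level=case(CountStatus=="Up",1,CountStatus=="Down",2)
| rangemap field=alert_level low=1-1 severe=2-2</query>
        </search>
        <!-- Display CountStatus ("Up"/"Down") instead of the first field, count. -->
        <option name="field">CountStatus</option>
        <!-- Take the CSS class ("low"/"severe") from the field rangemap adds. -->
        <option name="classField">range</option>
      </single>
    </panel>
  </row>
</dashboard>
```

Save this as the dashboard source and the panel shows “Up” styled as low while splunkd is logging, and “Down” styled as severe when nothing has been indexed in the last 30 minutes. One caveat when reusing the pattern for other sources: stats count always returns exactly one row, even when no events match, which is what makes the count==0 test reliable; a search that ends in a command which can return zero rows would leave the panel with no data instead of “Down”.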
And there you have it!
What do you need to get done with Splunk? We’d love to help!
Kinney Group’s Expertise on Demand (EOD) for Splunk service provides immediate access to our team of Splunk-certified professionals with experience delivering 500+ Splunk engagements worldwide. Contact us below to get started or for more information.