This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the same dataset that you will have already downloaded and ingested into Splunk. If not, please go to the Tutorial and complete it (or at least download and ingest the dataset).
This is the sixth blog in the series, and builds on the dashboard created in the previous blogs.
Adding a details chart
With the zoom.earliest and zoom.latest tokens set to non-null values, we want to display a zoomed-in chart panel, similar to the chart that was displayed when there was no selection handler present, only in a new panel. However, this panel's search, while similar to the timeframe selection panel, uses 5-minute buckets instead of hourly buckets, and the failures are counted rather than being rates.
Note that a consequence of the change in bucket size may be that there is a different number of time buckets with SLO breaches when measured at this scale than when measured at the larger scale. This is quite normal, but you should be aware that this apparent discrepancy may arise.
- Click on Edit.
- Click on + Add Panel
- Expand Clone from Dashboard, and then Buttercup Games - Requests
- Click on Hourly Status Rates - SLO Breach...
This screen image shows cloning the chart again.
- Click Add to Dashboard
- Change the panel title to Request status - $zoom.period$ - SLA Breach rate: $zoom_failure_rate$%
- Edit the search for the panel as below, and Apply
sourcetype=access_combined_wcookie earliest=$zoom.earliest$ latest=$zoom.latest$
| timechart span=5m count by status
| addtotals row=t fieldname=_total
| eval 200=round(100*'200'/_total,2)
| eval threshold=85
| eventstats count(eval('200'<85)) as _breaches count as _total
| eval _failure_rate=round(100*_breaches/_total,2)
| eval _panel_colour=case(_failure_rate < 15, "#00ff00", _failure_rate < 20, "#80ff00", _failure_rate < 25, "#ffff00", _failure_rate < 30, "#ff8000", true(), "#ff0000")
| eval _text_colour=case(_failure_rate < 15, "black", _failure_rate < 20, "black", _failure_rate < 25, "black", _failure_rate < 30, "white", true(), "white")
The search overrides the earliest and latest values given by the panel's time range, using the earliest and latest values set by the zoom selection.
- Click the Format tab
- Update the Y-Axis format Title to Failures
This screen image shows options for updating the y-axis title.
- Update the Chart Overlay format settings to set the Max Value to 100. This ensures that the overlay line appear at the correct proportional height.
This screen image shows options for updating the overlay max value.
- Update the Y-Axis format Title to Failures
- While still in edit mode, click on the Source button
- Modify the new row so that it depends on the $zoom.earliest$ and $zoom.latest$ tokens being defined.
<row depends="$zoom.earliest$,$zoom.latest$">
Note that listing more than one token in the depends attribute, means all (both) must be non-null for the row to show.
- Assign the new panel an unique id (request_status_zoom) and update the hidden HTML to use the new id and some modified token names (which are different to the tokens used before).
<panel id="request_status_zoom">
<html depends="$alwaysHide$">
<style>
#request_status_zoom .dashboard-panel
{
background-color: $zoom_panel_colour$ !important;
text-align: center;
}
#request_status_zoom h2.panel-title
{
color: $zoom_text_colour$ !important;
}
</style>
</html>
- Add the done handler in the search stanza for the chart to assign the failure rate and colour values to these new tokens
<done>
<set token="zoom_failure_rate">$result._failure_rate$</set>
<set token="zoom_panel_colour">$result._panel_colour$</set>
<set token="zoom_text_colour">$result._text_colour$</set>
</done>
- Save the updated dashboard, and try selecting the same time window.
This screen image shows the five-minute status rates chart.
You will see that when the timeframe is selected, the new panel appears. To remove it, simply click on Reset Zoom.
Next step is to go on to part 7 where you will add another new panel which will drill-down to the events behind the charts.
