This dashboard audits the activity and behaviour of the adaptive delay thresholding for TrackMe feeds components, focusing on the adjustments made by TrackMe =0.1, \"Threshold Raised\")\n| eval object=mvdedup(object)\n| eval time=strftime(_time, \"%c\")\n| table time object data_index data_sourcetype max_lag_event_sec adaptive_delay diff direction \n| rename max_lag_event_sec as \"Previous Threshold\" adaptive_delay as \"New Threshold\" diff as \"Adjustment\" direction as \"Status\" data_index as \"Index\" data_sourcetype as \"Sourcetype\"", "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } }, "name": "adjustments_table" }, "ds_UpugjNjy": { "type": "ds.search", "options": { "query": "index=_internal sourcetype=trackme:custom_commands:trackmesplkadaptivedelay tenant_id=$tk_tenant$ component=$tk_component$\n| rex field=sourcetype \"trackme:custom_commands:(?.*)\"\n| timechart count minspan=5m count limit=0 by log_level", "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } }, "name": "events_by_log_level" }, "ds_yHwHGBpa": { "type": "ds.search", "options": { "query": "| inputlookup trackme_virtual_tenants | eval keyid=_key\n| where tenant_status=\"enabled\" AND (tenant_dsm_enabled=1 OR tenant_dhm_enabled=1) AND tenant_replica=0\n| stats count by tenant_id\n| sort 0 tenant_id", "queryParameters": { "earliest": "-5m", "latest": "now" } }, "name": "populate_tenants" }, "ds_diTMqSWx": { "type": "ds.search", "options": { "query": "`trackme_audit_idx` tenant_id=$tk_tenant$ object_category=$tk_component$ \"automated adaptive delay update\"\n| table _time, tenant_id, object_category, object, action, comment\n| sort - 0 _time | trackmeprettyjson fields=comment", "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } }, "name": "audit_adaptive_table" }, "ds_o8rZrPBE_ds_UpugjNjy": { "type": "ds.search", "options": { "query": "`trackme_audit_idx` 
tenant_id=$tk_tenant$ object_category=$tk_component$ object=\"*$tk_object$*\" \"automated adaptive delay update\"\n| table _time, tenant_id, object_category, object, action, change_type, comment\n| sort - 0 _time | trackmeprettyjson fields=comment\n| spath input=comment\n| rename results.adaptive_delay as adaptive_delay, results.current_max_lag_event_sec as max_lag_event_sec\n| $tk_threshold_direction$\n| eval adaptive_delay=(adaptive_delay/3600)\n| timechart span=1h useother=f limit=40 latest(adaptive_delay) as adaptive_delay by object", "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } }, "name": "overtime_threshold_definitions" }, "ds_5CWZWtVu_ds_o8rZrPBE_ds_UpugjNjy": { "type": "ds.search", "options": { "query": "`trackme_audit_idx` tenant_id=$tk_tenant$ object_category=$tk_component$ object=\"*$tk_object$*\" \"automated adaptive delay update\"\n| table _time, tenant_id, object_category, object, action, change_type, comment\n| sort - 0 _time | trackmeprettyjson fields=comment\n| spath input=comment\n| rename results.adaptive_delay as adaptive_delay results.current_max_lag_event_sec as max_lag_event_sec\n| $tk_threshold_direction$\n| eval adaptive_delay=(adaptive_delay/3600)\n| eval max_lag_event_sec=(max_lag_event_sec/3600)\n| eval diff=(adaptive_delay-max_lag_event_sec)\n| eval direction=case(diff<=0.0, \"Lowered Threshold\", diff>=0.1, \"Raised Threshold\")\n| table _time object max_lag_event_sec adaptive_delay diff direction\n| timechart span=1h useother=f limit=40 last(diff) by object", "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } }, "name": "overtime_threshold_adjustments" }, "ds_38boaB5k": { "type": "ds.search", "options": { "query": "`trackme_audit_idx` tenant_id=$tk_tenant$ object_category=$tk_component$ \"automated adaptive delay update\"\n| stats count by object \n| fields object\n| sort 10000 object ", "queryParameters": { "earliest": 
"$global_time.earliest$", "latest": "$global_time.latest$" } }, "name": "populate_objects" } }, "visualizations": { "viz_table_1": { "type": "splunk.table", "options": { "columnFormat": { "log_level": { "data": "> table | seriesByName(\"log_level\") | formatByType(log_levelColumnFormatEditorConfig)", "rowColors": "> table | seriesByName(\"log_level\") | matchValue(log_levelRowColorsEditorConfig)" }, "Status": { "data": "> table | seriesByName(\"Status\") | formatByType(StatusColumnFormatEditorConfig)", "rowColors": "> table | seriesByName('Status') | pick(StatusRowColorsEditorConfig)", "rowBackgroundColors": "> table | seriesByName(\"Status\") | matchValue(StatusRowBackgroundColorsEditorConfig)" }, "Adjustment": { "data": "> table | seriesByName(\"Adjustment\") | formatByType(AdjustmentColumnFormatEditorConfig)", "rowColors": "> table | seriesByName('Adjustment') | pick(AdjustmentRowColorsEditorConfig)", "rowBackgroundColors": "> table | seriesByName(\"Adjustment\") | rangeValue(AdjustmentRowBackgroundColorsEditorConfig)" }, "Index": { "data": "> table | seriesByName(\"Index\") | formatByType(IndexColumnFormatEditorConfig)", "rowColors": "> table | seriesByName('Index') | pick(IndexRowColorsEditorConfig)", "rowBackgroundColors": "> table | seriesByName(\"Index\") | matchValue(IndexRowBackgroundColorsEditorConfig)" } }, "count": 100 }, "context": { "log_levelColumnFormatEditorConfig": { "string": { "unitPosition": "after" } }, "log_levelRowColorsEditorConfig": [ { "match": "WARNING", "value": "#DD9900" }, { "match": "INFO", "value": "#00CDAF" }, { "match": "ERROR", "value": "#FF677B" }, { "match": "DEBUG", "value": "#009CEB" } ], "StatusColumnFormatEditorConfig": { "string": { "unitPosition": "after" } }, "StatusRowColorsEditorConfig": [ "#ffffff" ], "StatusRowBackgroundColorsEditorConfig": [ { "match": "Threshold Lowered", "value": "#45d4ba" }, { "match": "Threshold Raised", "value": "#e85b79" } ], "AdjustmentColumnFormatEditorConfig": { "number": { 
"thousandSeparated": false, "unitPosition": "after", "unit": "Hours" } }, "AdjustmentRowColorsEditorConfig": [ "#ffffff" ], "AdjustmentRowBackgroundColorsEditorConfig": [ { "value": "#45d4ba", "to": 0 }, { "value": "#e85b79", "from": 0 } ], "IndexColumnFormatEditorConfig": { "string": { "unitPosition": "after" } }, "IndexRowColorsEditorConfig": [ "#ffffff" ], "IndexRowBackgroundColorsEditorConfig": [ { "match": "", "value": "#5C33FF" } ] }, "dataSources": { "primary": "ds_search_1" }, "title": "Delay threshold adjustment summary table", "description": "This shows on a per object basis the delay treshold adjustments" }, "viz_NmxZjn2m": { "type": "splunk.image", "options": { "preserveAspectRatio": true, "src": "../../static/app/trackme/icons/trackme.png" } }, "viz_WWQmnNzo": { "type": "splunk.column", "dataSources": { "primary": "ds_o8rZrPBE_ds_UpugjNjy" }, "title": "Thesholds values defined over time", "description": "This chart shows the values in hours defined by the adaptive threshold backend", "options": { "dataValuesDisplay": "all", "xAxisTitleVisibility": "hide", "yAxisTitleText": "Threshold (hours)" } }, "viz_XMHDnORn": { "type": "abslayout.line", "options": { "strokeDasharray": 4 } }, "viz_IuV33TS1": { "type": "splunk.markdown", "options": { "markdown": "# Adaptive threshold - Values affection" } }, "viz_IiBC8GdB": { "type": "splunk.markdown", "options": { "markdown": "# Adaptive threshold - Per object adjustments table" } }, "viz_eCsTg4eC": { "type": "abslayout.line", "options": { "strokeDasharray": 4 } }, "viz_kO1eWbMD": { "type": "abslayout.line", "options": { "strokeDasharray": 4 } }, "viz_sXg5MxlA": { "type": "splunk.markdown", "options": { "markdown": "# Adaptive threshold - Adjustments" } }, "viz_xvoBZnIV": { "type": "splunk.column", "dataSources": { "primary": "ds_5CWZWtVu_ds_o8rZrPBE_ds_UpugjNjy" }, "title": "Thesholds values variations over time (increase or decrease)", "description": "This chart shows the variation of the threshold adjustments (in 
hours)", "options": { "dataValuesDisplay": "all", "xAxisTitleVisibility": "hide", "yAxisTitleText": "Threshold (hours)" } } }, "inputs": { "input_global_trp": { "type": "input.timerange", "options": { "token": "global_time", "defaultValue": "-24h@h,now" }, "title": "Global Time Range:" }, "input_kquudf7q": { "options": { "items": ">frame(label, value) | prepend(formattedStatics) | objects()", "defaultValue": "*", "token": "tk_tenant" }, "title": "Tenant:", "type": "input.dropdown", "dataSources": { "primary": "ds_yHwHGBpa" }, "context": { "formattedConfig": { "number": { "prefix": "" } }, "formattedStatics": ">statics | formatByType(formattedConfig)", "statics": [ [ "All" ], [ "*" ] ], "label": ">primary | seriesByName(\"tenant_id\") | renameSeries(\"label\") | formatByType(formattedConfig)", "value": ">primary | seriesByName(\"tenant_id\") | renameSeries(\"value\") | formatByType(formattedConfig)" } }, "input_xdlNmvhR": { "options": { "items": [ { "label": "All", "value": "*" }, { "label": "splk-dsm", "value": "splk-dsm" }, { "label": "splk-dhm", "value": "splk-dhm" } ], "defaultValue": "*", "token": "tk_component" }, "title": "Component:", "type": "input.dropdown" }, "input_RmMD0viP": { "options": { "items": [ { "label": "All", "value": "search adaptive_delay=*" }, { "label": "Threshold Raised", "value": "where adaptive_delay > max_lag_event_sec" }, { "label": "Threshold Lowered", "value": "where adaptive_delay < max_lag_event_sec" } ], "defaultValue": "search adaptive_delay=*", "token": "tk_threshold_direction" }, "title": "Threshold Movement:", "type": "input.dropdown" }, "input_eoNRWtyI": { "options": { "items": ">frame(label, value) | prepend(formattedStatics) | objects()", "defaultValue": "*", "token": "tk_object" }, "title": "Object:", "type": "input.dropdown", "dataSources": { "primary": "ds_38boaB5k" }, "context": { "formattedConfig": { "number": { "prefix": "" } }, "formattedStatics": ">statics | formatByType(formattedConfig)", "statics": [ [ "All" ], [ 
"*" ] ], "label": ">primary | seriesByName(\"object\") | renameSeries(\"label\") | formatByType(formattedConfig)", "value": ">primary | seriesByName(\"object\") | renameSeries(\"value\") | formatByType(formattedConfig)" } } }, "layout": { "type": "absolute", "options": { "display": "auto-scale", "width": 2660, "height": 1650 }, "structure": [ { "item": "viz_table_1", "type": "block", "position": { "x": 10, "y": 710, "w": 2638, "h": 900 } }, { "item": "viz_NmxZjn2m", "type": "block", "position": { "x": 2530, "y": -90, "w": 120, "h": 300 } }, { "item": "viz_WWQmnNzo", "type": "block", "position": { "x": 10, "y": 170, "w": 1310, "h": 430 } }, { "item": "viz_XMHDnORn", "type": "line", "position": { "from": { "x": 12, "y": 107 }, "to": { "x": 1325, "y": 107 } } }, { "item": "viz_IuV33TS1", "type": "block", "position": { "x": 10, "y": 120, "w": 510, "h": 40 } }, { "item": "viz_IiBC8GdB", "type": "block", "position": { "x": 10, "y": 660, "w": 650, "h": 40 } }, { "item": "viz_eCsTg4eC", "type": "line", "position": { "from": { "x": 16, "y": 637 }, "to": { "x": 2643, "y": 633 } } }, { "item": "viz_kO1eWbMD", "type": "line", "position": { "from": { "x": 1336, "y": 107 }, "to": { "x": 2649, "y": 107 } } }, { "item": "viz_sXg5MxlA", "type": "block", "position": { "x": 1350, "y": 120, "w": 510, "h": 40 } }, { "item": "viz_xvoBZnIV", "type": "block", "position": { "x": 1340, "y": 170, "w": 1310, "h": 430 } } ], "globalInputs": [ "input_global_trp", "input_kquudf7q", "input_xdlNmvhR", "input_RmMD0viP", "input_eoNRWtyI" ] }, "title": "TrackMe - Adaptive delay threshold audit (adjustments audit)", "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" } } } } }, "description": "This dashboards audits the activity and behaviour of the adaptive delay thresholding for TrackMe feeds components, focusing on the adjustments made by TrackMe" } ]]>