This auditing dashboard investigates the Data sampling feature results for the splk-dsm component statics | formatByType(formattedConfig)", "label": ">primary | seriesByName(\"tenant_id\") | renameSeries(\"label\") | formatByType(formattedConfig)", "statics": [], "value": ">primary | seriesByName(\"tenant_id\") | renameSeries(\"value\") | formatByType(formattedConfig)" }, "dataSources": { "primary": "ds_Mg04DNO6" }, "options": { "items": ">frame(label, value) | prepend(formattedStatics) | objects()", "token": "tk_tenant_id" }, "title": "tenant_id:", "type": "input.dropdown" }, "input_oTEsZboP": { "options": { "items": [ { "label": "Any", "value": "*" }, { "label": "Red", "value": "red" }, { "label": "Orange", "value": "orange" }, { "label": "Green", "value": "green" } ], "defaultValue": "*", "token": "tk_table_state" }, "title": "Filter table state:", "type": "input.dropdown" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } } } }, "visualizations": { "viz_0VdLX51C": { "context": { "log_levelColumnFormatEditorConfig": { "string": { "unitPosition": "after" } }, "log_levelRowColorsEditorConfig": [ { "match": "WARN", "value": "#ad3f20" }, { "match": "INFO", "value": "#207865" }, { "match": "ERROR", "value": "#78062a" }, { "match": "DEBUG", "value": "#003E80" } ] }, "dataSources": { "primary": "ds_UUNZ1UyX" }, "description": "The Data Sampling relies on the executor command, which logs its activity in the _internal index", "options": { "columnFormat": { "log_level": { "data": "> table | seriesByName(\"log_level\") | formatByType(log_levelColumnFormatEditorConfig)", "rowColors": "> table | seriesByName(\"log_level\") | matchValue(log_levelRowColorsEditorConfig)" } } }, "title": "Data Sampling executor traces", "type": "splunk.table" }, "viz_1KpygY1l": { "dataSources": { "primary": "ds_5DyDRYLq" }, "description": "", "options": { "majorColor": "> majorValue | 
rangeValue(majorColorEditorConfig)", "backgroundColor": "transparent" }, "type": "splunk.singlevalue", "context": { "majorColorEditorConfig": [ { "value": "#e85b79", "to": 1 }, { "value": "#e85b79", "from": 1 } ] } }, "viz_29HlXL59": { "options": { "preserveAspectRatio": true, "src": "../../static/app/trackme/icons/trackme.png" }, "type": "splunk.image" }, "viz_NrwggSYV": { "dataSources": { "primary": "ds_bR5fXLDt" }, "description": "", "options": { "backgroundColor": "transparent" }, "type": "splunk.singlevalue" }, "viz_QUYYEwXs": { "options": { "markdown": "count red" }, "type": "splunk.markdown" }, "viz_QpszSdhB": { "options": { "markdown": "count green" }, "type": "splunk.markdown" }, "viz_RLPXFcGI": { "dataSources": { "primary": "ds_XY84LN0B" }, "description": "", "options": { "majorColor": "> majorValue | rangeValue(majorColorEditorConfig)", "backgroundColor": "transparent" }, "type": "splunk.singlevalue", "context": { "majorColorEditorConfig": [ { "value": "#45d4ba", "to": 1 }, { "value": "#45d4ba", "from": 1 } ] } }, "viz_SSK3aVIG": { "options": { "markdown": "count orange" }, "type": "splunk.markdown" }, "viz_a1weqXVe": { "options": { "markdown": "Number of objects in the sampling collection" }, "type": "splunk.markdown" }, "viz_bkulEsvV": { "dataSources": { "primary": "ds_DgZ9kw8T" }, "description": "", "options": { "backgroundColor": "transparent" }, "type": "splunk.singlevalue" }, "viz_cBYvB8Yy": { "dataSources": { "primary": "ds_lj3w1XsH" }, "description": "", "options": { "majorColor": "> majorValue | rangeValue(majorColorEditorConfig)", "backgroundColor": "transparent" }, "type": "splunk.singlevalue", "context": { "majorColorEditorConfig": [ { "value": "#fb865c", "to": 1 }, { "value": "#fb865c", "from": 1 } ] } }, "viz_dJ5VhJet": { "options": { "markdown": "Number of objects with Sampling disabled" }, "type": "splunk.markdown" }, "viz_dOpjvgGS": { "dataSources": { "primary": "ds_K19CzomZ" }, "description": "", "options": { "backgroundColor": 
"transparent" }, "type": "splunk.singlevalue" }, "viz_kkzyyTTf": { "context": { "data_sample_anomaly_reasonColumnFormatEditorConfig": { "string": { "unitPosition": "after" } }, "data_sample_anomaly_reasonRowColorsEditorConfig": [ { "match": "normal", "value": "#45d4ba" } ], "data_sample_featureColumnFormatEditorConfig": { "string": { "unitPosition": "after" } }, "data_sample_featureRowColorsEditorConfig": [ { "match": "disabled", "value": "#555555" }, { "match": "enabled", "value": "#207865" } ], "data_sample_status_colourColumnFormatEditorConfig": { "string": { "unitPosition": "after" } }, "data_sample_status_colourRowColorsEditorConfig": [ { "match": "green", "value": "#45d4ba" }, { "match": "red", "value": "#e85b79" }, { "match": "orange", "value": "#fb865c" } ] }, "dataSources": { "primary": "ds_GmbiRmaY" }, "description": "Consolidated view - This table shows the consolidated status of the Data Sampling feature per entity", "eventHandlers": [], "options": { "columnFormat": { "data_sample_anomaly_reason": { "data": "> table | seriesByName(\"data_sample_anomaly_reason\") | formatByType(data_sample_anomaly_reasonColumnFormatEditorConfig)", "rowColors": "> table | seriesByName(\"data_sample_anomaly_reason\") | matchValue(data_sample_anomaly_reasonRowColorsEditorConfig)" }, "data_sample_feature": { "data": "> table | seriesByName(\"data_sample_feature\") | formatByType(data_sample_featureColumnFormatEditorConfig)", "rowColors": "> table | seriesByName(\"data_sample_feature\") | matchValue(data_sample_featureRowColorsEditorConfig)" }, "data_sample_status_colour": { "data": "> table | seriesByName(\"data_sample_status_colour\") | formatByType(data_sample_status_colourColumnFormatEditorConfig)", "rowColors": "> table | seriesByName(\"data_sample_status_colour\") | matchValue(data_sample_status_colourRowColorsEditorConfig)" }, "object": { "width": 450 }, "object_category": { "width": 150 } }, "count": 50 }, "title": "Data Sampling overview", "type": "splunk.table" }, 
"viz_sQRatSih": { "options": { "markdown": "Number of objects with Sampling enabled" }, "type": "splunk.markdown" } }, "dataSources": { "ds_0iOI8jft": { "name": "count_by_status", "options": { "query": "| inputlookup trackme_dsm_data_sampling_tenant_$tk_tenant_id$ \n| eval key=_key | fields - raw_sample\n| lookup trackme_dsm_tenant_$tk_tenant_id$ object OUTPUT monitored_state\n| where monitored_state=\"enabled\"\n| where data_sample_feature=\"enabled\"\n| stats count(eval(data_sample_status_colour==\"green\")) as count_green, count(eval(data_sample_status_colour==\"orange\")) as count_orange, count(eval(data_sample_status_colour==\"red\")) as count_red" }, "type": "ds.search" }, "ds_5DyDRYLq": { "name": "count_red", "options": { "extend": "ds_0iOI8jft", "query": "fields count_red" }, "type": "ds.chain" }, "ds_8GZdWK3Q": { "name": "no_red_state", "options": { "query": "| inputlookup trackme_dsm_data_sampling_tenant_$tk_tenant_id$ \n| eval key=_key | fields - raw_sample\n| lookup trackme_dsm_tenant_$tk_tenant_id$ object OUTPUT monitored_state\n| where monitored_state=\"enabled\"\n| where data_sample_status_colour=\"red\"\n| stats dc(object) as dcount" }, "type": "ds.search" }, "ds_DgZ9kw8T": { "name": "no_sampling_disabled", "options": { "query": "| inputlookup trackme_dsm_data_sampling_tenant_$tk_tenant_id$ \n| eval key=_key | fields - raw_sample\n| lookup trackme_dsm_tenant_$tk_tenant_id$ object OUTPUT monitored_state\n| where monitored_state=\"enabled\"\n| where data_sample_feature=\"disabled\"\n| stats dc(object) as dcount" }, "type": "ds.search" }, "ds_GmbiRmaY": { "name": "table_sampling", "options": { "query": "| inputlookup trackme_dsm_data_sampling_tenant_$tk_tenant_id$ \n| eval key=_key | fields - raw_sample\n| lookup trackme_dsm_tenant_$tk_tenant_id$ object OUTPUT monitored_state\n| where monitored_state=\"enabled\"\n| table object, data_sample_mtime, data_sample_feature, data_sample_status_colour, data_sample_anomaly_reason, current_detected_format, 
current_detected_format_dcount\n| sort 0 - data_sample_mtime\n| eval data_sample_mtime=strftime(data_sample_mtime, \"%c\")\n| search object=\"$tk_object$\"\n| search data_sample_status_colour=\"$tk_table_state$\"", "queryParameters": { "earliest": "-5m", "latest": "now" } }, "type": "ds.search" }, "ds_K19CzomZ": { "name": "no_objects", "options": { "query": "| inputlookup trackme_dsm_data_sampling_tenant_$tk_tenant_id$ \n| eval key=_key | fields - raw_sample\n| lookup trackme_dsm_tenant_$tk_tenant_id$ object OUTPUT monitored_state\n| where monitored_state=\"enabled\"\n| stats dc(object) as dcount" }, "type": "ds.search" }, "ds_Mg04DNO6": { "name": "populate_tenants", "options": { "query": "| trackmeload mode=expanded | table _raw | spath | fields - _raw | fillnull tenant_replica | search tenant_dsm_enabled=1 AND tenant_replica!=1 | table tenant_id \n| sort 0 tenant_id", "queryParameters": { "earliest": "-24h@h", "latest": "now" } }, "type": "ds.search" }, "ds_Pw0K27lq": { "name": "populate_objects", "options": { "query": "| inputlookup trackme_dsm_data_sampling_tenant_$tk_tenant_id$\n| stats c by object \n| table object \n| sort 0 object", "queryParameters": { "earliest": "-5m", "latest": "now" } }, "type": "ds.search" }, "ds_UUNZ1UyX": { "name": "executor_traces", "options": { "query": "index=_internal sourcetype=trackme:custom_commands:trackmesamplingexecutor tenant_id=\"$tk_tenant_id$\"\n| sort - _time\n| eval time=strftime(_time, \"%c\")\n| table time, log_level, _raw", "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } }, "type": "ds.search" }, "ds_XY84LN0B": { "name": "count_green", "options": { "extend": "ds_0iOI8jft", "query": "fields count_green" }, "type": "ds.chain" }, "ds_bR5fXLDt": { "name": "no_sampling_enabled", "options": { "query": "| inputlookup trackme_dsm_data_sampling_tenant_$tk_tenant_id$ \n| eval key=_key | fields - raw_sample\n| lookup trackme_dsm_tenant_$tk_tenant_id$ object OUTPUT 
monitored_state\n| where monitored_state=\"enabled\"\n| where data_sample_feature=\"enabled\"\n| stats dc(object) as dcount" }, "type": "ds.search" }, "ds_lj3w1XsH": { "name": "count_orange", "options": { "extend": "ds_0iOI8jft", "query": "fields count_orange" }, "type": "ds.chain" } }, "layout": { "globalInputs": [ "input_global_trp", "input_uHIQHlyb", "input_TgtFblSG", "input_oTEsZboP" ], "layoutDefinitions": { "layout_1": { "options": { "height": 1650, "width": 2660 }, "structure": [ { "item": "viz_29HlXL59", "position": { "h": 60, "w": 120, "x": 2530, "y": 40 }, "type": "block" }, { "item": "viz_kkzyyTTf", "position": { "h": 1130, "w": 2660, "x": 0, "y": 160 }, "type": "block" }, { "item": "viz_dOpjvgGS", "position": { "h": 90, "w": 170, "x": 130, "y": 20 }, "type": "block" }, { "item": "viz_a1weqXVe", "position": { "h": 50, "w": 300, "x": 70, "y": 100 }, "type": "block" }, { "item": "viz_bkulEsvV", "position": { "h": 90, "w": 170, "x": 560, "y": 20 }, "type": "block" }, { "item": "viz_dJ5VhJet", "position": { "h": 50, "w": 300, "x": 510, "y": 100 }, "type": "block" }, { "item": "viz_NrwggSYV", "position": { "h": 90, "w": 170, "x": 1030, "y": 20 }, "type": "block" }, { "item": "viz_sQRatSih", "position": { "h": 50, "w": 300, "x": 970, "y": 100 }, "type": "block" }, { "item": "viz_RLPXFcGI", "position": { "h": 90, "w": 170, "x": 1450, "y": 20 }, "type": "block" }, { "item": "viz_cBYvB8Yy", "position": { "h": 90, "w": 170, "x": 1830, "y": 20 }, "type": "block" }, { "item": "viz_1KpygY1l", "position": { "h": 90, "w": 170, "x": 2210, "y": 20 }, "type": "block" }, { "item": "viz_QpszSdhB", "position": { "h": 30, "w": 90, "x": 1490, "y": 100 }, "type": "block" }, { "item": "viz_SSK3aVIG", "position": { "h": 30, "w": 110, "x": 1870, "y": 100 }, "type": "block" }, { "item": "viz_QUYYEwXs", "position": { "h": 30, "w": 110, "x": 2260, "y": 100 }, "type": "block" } ], "type": "absolute" }, "layout_s7i54pGX": { "type": "grid", "structure": [ { "item": "viz_0VdLX51C", 
"type": "block", "position": { "x": 0, "y": 0, "w": 1200, "h": 1374 } } ] } }, "tabs": { "items": [ { "label": "Overview and status", "layoutId": "layout_1" }, { "layoutId": "layout_s7i54pGX", "label": "Logs backend" } ] } } } ]]>