Splunk_Deploiement/dashboards/trackme_trackMe_audit_adapt...


<dashboard version="2" theme="dark">
<label>TrackMe - Adaptive delay threshold audit (adjustments audit)</label>
<description>This dashboard audits the activity and behaviour of the adaptive delay thresholding for TrackMe feeds components, focusing on the adjustments made by TrackMe</description>
<definition><![CDATA[
{
"dataSources": {
"ds_search_1": {
"type": "ds.search",
"options": {
"query": "`trackme_audit_idx` tenant_id=$tk_tenant$ object_category=$tk_component$ object=\"*$tk_object$*\" \"automated adaptive delay update\"\n| table _time, tenant_id, object_category, object, action, change_type, comment, object_attrs\n| sort - 0 _time \n| trackmeprettyjson fields=comment \n| spath input=comment\n| trackmeprettyjson fields=object_attrs\n| spath input=object_attrs \n| rename results.adaptive_delay as adaptive_delay results.current_max_lag_event_sec as max_lag_event_sec\n| $tk_threshold_direction$\n| eval adaptive_delay=(adaptive_delay/3600) \n| eval max_lag_event_sec=(max_lag_event_sec/3600) \n| eval diff=(adaptive_delay-max_lag_event_sec) \n| eval direction=case(diff<=0.0, \"Threshold Lowered\", diff>=0.1, \"Threshold Raised\")\n| eval object=mvdedup(object)\n| eval time=strftime(_time, \"%c\")\n| table time object data_index data_sourcetype max_lag_event_sec adaptive_delay diff direction \n| rename max_lag_event_sec as \"Previous Threshold\" adaptive_delay as \"New Threshold\" diff as \"Adjustment\" direction as \"Status\" data_index as \"Index\" data_sourcetype as \"Sourcetype\"",
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
}
},
"name": "adjustments_table"
},
"ds_UpugjNjy": {
"type": "ds.search",
"options": {
"query": "index=_internal sourcetype=trackme:custom_commands:trackmesplkadaptivedelay tenant_id=$tk_tenant$ component=$tk_component$\n| rex field=sourcetype \"trackme:custom_commands:(?<command>.*)\"\n| timechart count minspan=5m count limit=0 by log_level",
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
}
},
"name": "events_by_log_level"
},
"ds_yHwHGBpa": {
"type": "ds.search",
"options": {
"query": "| inputlookup trackme_virtual_tenants | eval keyid=_key\n| where tenant_status=\"enabled\" AND (tenant_dsm_enabled=1 OR tenant_dhm_enabled=1) AND tenant_replica=0\n| stats count by tenant_id\n| sort 0 tenant_id",
"queryParameters": {
"earliest": "-5m",
"latest": "now"
}
},
"name": "populate_tenants"
},
"ds_diTMqSWx": {
"type": "ds.search",
"options": {
"query": "`trackme_audit_idx` tenant_id=$tk_tenant$ object_category=$tk_component$ \"automated adaptive delay update\"\n| table _time, tenant_id, object_category, object, action, comment\n| sort - 0 _time | trackmeprettyjson fields=comment",
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
}
},
"name": "audit_adaptive_table"
},
"ds_o8rZrPBE_ds_UpugjNjy": {
"type": "ds.search",
"options": {
"query": "`trackme_audit_idx` tenant_id=$tk_tenant$ object_category=$tk_component$ object=\"*$tk_object$*\" \"automated adaptive delay update\"\n| table _time, tenant_id, object_category, object, action, change_type, comment\n| sort - 0 _time | trackmeprettyjson fields=comment\n| spath input=comment\n| rename results.adaptive_delay as adaptive_delay, results.current_max_lag_event_sec as max_lag_event_sec\n| $tk_threshold_direction$\n| eval adaptive_delay=(adaptive_delay/3600)\n| timechart span=1h useother=f limit=40 latest(adaptive_delay) as adaptive_delay by object",
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
}
},
"name": "overtime_threshold_definitions"
},
"ds_5CWZWtVu_ds_o8rZrPBE_ds_UpugjNjy": {
"type": "ds.search",
"options": {
"query": "`trackme_audit_idx` tenant_id=$tk_tenant$ object_category=$tk_component$ object=\"*$tk_object$*\" \"automated adaptive delay update\"\n| table _time, tenant_id, object_category, object, action, change_type, comment\n| sort - 0 _time | trackmeprettyjson fields=comment\n| spath input=comment\n| rename results.adaptive_delay as adaptive_delay results.current_max_lag_event_sec as max_lag_event_sec\n| $tk_threshold_direction$\n| eval adaptive_delay=(adaptive_delay/3600)\n| eval max_lag_event_sec=(max_lag_event_sec/3600)\n| eval diff=(adaptive_delay-max_lag_event_sec)\n| eval direction=case(diff<=0.0, \"Lowered Threshold\", diff>=0.1, \"Raised Threshold\")\n| table _time object max_lag_event_sec adaptive_delay diff direction\n| timechart span=1h useother=f limit=40 last(diff) by object",
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
}
},
"name": "overtime_threshold_adjustments"
},
"ds_38boaB5k": {
"type": "ds.search",
"options": {
"query": "`trackme_audit_idx` tenant_id=$tk_tenant$ object_category=$tk_component$ \"automated adaptive delay update\"\n| stats count by object \n| fields object\n| sort 10000 object ",
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
}
},
"name": "populate_objects"
}
},
"visualizations": {
"viz_table_1": {
"type": "splunk.table",
"options": {
"columnFormat": {
"log_level": {
"data": "> table | seriesByName(\"log_level\") | formatByType(log_levelColumnFormatEditorConfig)",
"rowColors": "> table | seriesByName(\"log_level\") | matchValue(log_levelRowColorsEditorConfig)"
},
"Status": {
"data": "> table | seriesByName(\"Status\") | formatByType(StatusColumnFormatEditorConfig)",
"rowColors": "> table | seriesByName('Status') | pick(StatusRowColorsEditorConfig)",
"rowBackgroundColors": "> table | seriesByName(\"Status\") | matchValue(StatusRowBackgroundColorsEditorConfig)"
},
"Adjustment": {
"data": "> table | seriesByName(\"Adjustment\") | formatByType(AdjustmentColumnFormatEditorConfig)",
"rowColors": "> table | seriesByName('Adjustment') | pick(AdjustmentRowColorsEditorConfig)",
"rowBackgroundColors": "> table | seriesByName(\"Adjustment\") | rangeValue(AdjustmentRowBackgroundColorsEditorConfig)"
},
"Index": {
"data": "> table | seriesByName(\"Index\") | formatByType(IndexColumnFormatEditorConfig)",
"rowColors": "> table | seriesByName('Index') | pick(IndexRowColorsEditorConfig)",
"rowBackgroundColors": "> table | seriesByName(\"Index\") | matchValue(IndexRowBackgroundColorsEditorConfig)"
}
},
"count": 100
},
"context": {
"log_levelColumnFormatEditorConfig": {
"string": {
"unitPosition": "after"
}
},
"log_levelRowColorsEditorConfig": [
{
"match": "WARNING",
"value": "#DD9900"
},
{
"match": "INFO",
"value": "#00CDAF"
},
{
"match": "ERROR",
"value": "#FF677B"
},
{
"match": "DEBUG",
"value": "#009CEB"
}
],
"StatusColumnFormatEditorConfig": {
"string": {
"unitPosition": "after"
}
},
"StatusRowColorsEditorConfig": [
"#ffffff"
],
"StatusRowBackgroundColorsEditorConfig": [
{
"match": "Threshold Lowered",
"value": "#45d4ba"
},
{
"match": "Threshold Raised",
"value": "#e85b79"
}
],
"AdjustmentColumnFormatEditorConfig": {
"number": {
"thousandSeparated": false,
"unitPosition": "after",
"unit": "Hours"
}
},
"AdjustmentRowColorsEditorConfig": [
"#ffffff"
],
"AdjustmentRowBackgroundColorsEditorConfig": [
{
"value": "#45d4ba",
"to": 0
},
{
"value": "#e85b79",
"from": 0
}
],
"IndexColumnFormatEditorConfig": {
"string": {
"unitPosition": "after"
}
},
"IndexRowColorsEditorConfig": [
"#ffffff"
],
"IndexRowBackgroundColorsEditorConfig": [
{
"match": "",
"value": "#5C33FF"
}
]
},
"dataSources": {
"primary": "ds_search_1"
},
"title": "Delay threshold adjustment summary table",
"description": "This shows on a per object basis the delay treshold adjustments"
},
"viz_NmxZjn2m": {
"type": "splunk.image",
"options": {
"preserveAspectRatio": true,
"src": "../../static/app/trackme/icons/trackme.png"
}
},
"viz_WWQmnNzo": {
"type": "splunk.column",
"dataSources": {
"primary": "ds_o8rZrPBE_ds_UpugjNjy"
},
"title": "Thesholds values defined over time",
"description": "This chart shows the values in hours defined by the adaptive threshold backend",
"options": {
"dataValuesDisplay": "all",
"xAxisTitleVisibility": "hide",
"yAxisTitleText": "Threshold (hours)"
}
},
"viz_XMHDnORn": {
"type": "abslayout.line",
"options": {
"strokeDasharray": 4
}
},
"viz_IuV33TS1": {
"type": "splunk.markdown",
"options": {
"markdown": "# Adaptive threshold - Values affection"
}
},
"viz_IiBC8GdB": {
"type": "splunk.markdown",
"options": {
"markdown": "# Adaptive threshold - Per object adjustments table"
}
},
"viz_eCsTg4eC": {
"type": "abslayout.line",
"options": {
"strokeDasharray": 4
}
},
"viz_kO1eWbMD": {
"type": "abslayout.line",
"options": {
"strokeDasharray": 4
}
},
"viz_sXg5MxlA": {
"type": "splunk.markdown",
"options": {
"markdown": "# Adaptive threshold - Adjustments"
}
},
"viz_xvoBZnIV": {
"type": "splunk.column",
"dataSources": {
"primary": "ds_5CWZWtVu_ds_o8rZrPBE_ds_UpugjNjy"
},
"title": "Thesholds values variations over time (increase or decrease)",
"description": "This chart shows the variation of the threshold adjustments (in hours)",
"options": {
"dataValuesDisplay": "all",
"xAxisTitleVisibility": "hide",
"yAxisTitleText": "Threshold (hours)"
}
}
},
"inputs": {
"input_global_trp": {
"type": "input.timerange",
"options": {
"token": "global_time",
"defaultValue": "-24h@h,now"
},
"title": "Global Time Range:"
},
"input_kquudf7q": {
"options": {
"items": ">frame(label, value) | prepend(formattedStatics) | objects()",
"defaultValue": "*",
"token": "tk_tenant"
},
"title": "Tenant:",
"type": "input.dropdown",
"dataSources": {
"primary": "ds_yHwHGBpa"
},
"context": {
"formattedConfig": {
"number": {
"prefix": ""
}
},
"formattedStatics": ">statics | formatByType(formattedConfig)",
"statics": [
[
"All"
],
[
"*"
]
],
"label": ">primary | seriesByName(\"tenant_id\") | renameSeries(\"label\") | formatByType(formattedConfig)",
"value": ">primary | seriesByName(\"tenant_id\") | renameSeries(\"value\") | formatByType(formattedConfig)"
}
},
"input_xdlNmvhR": {
"options": {
"items": [
{
"label": "All",
"value": "*"
},
{
"label": "splk-dsm",
"value": "splk-dsm"
},
{
"label": "splk-dhm",
"value": "splk-dhm"
}
],
"defaultValue": "*",
"token": "tk_component"
},
"title": "Component:",
"type": "input.dropdown"
},
"input_RmMD0viP": {
"options": {
"items": [
{
"label": "All",
"value": "search adaptive_delay=*"
},
{
"label": "Threshold Raised",
"value": "where adaptive_delay > max_lag_event_sec"
},
{
"label": "Threshold Lowered",
"value": "where adaptive_delay < max_lag_event_sec"
}
],
"defaultValue": "search adaptive_delay=*",
"token": "tk_threshold_direction"
},
"title": "Threshold Movement:",
"type": "input.dropdown"
},
"input_eoNRWtyI": {
"options": {
"items": ">frame(label, value) | prepend(formattedStatics) | objects()",
"defaultValue": "*",
"token": "tk_object"
},
"title": "Object:",
"type": "input.dropdown",
"dataSources": {
"primary": "ds_38boaB5k"
},
"context": {
"formattedConfig": {
"number": {
"prefix": ""
}
},
"formattedStatics": ">statics | formatByType(formattedConfig)",
"statics": [
[
"All"
],
[
"*"
]
],
"label": ">primary | seriesByName(\"object\") | renameSeries(\"label\") | formatByType(formattedConfig)",
"value": ">primary | seriesByName(\"object\") | renameSeries(\"value\") | formatByType(formattedConfig)"
}
}
},
"layout": {
"type": "absolute",
"options": {
"display": "auto-scale",
"width": 2660,
"height": 1650
},
"structure": [
{
"item": "viz_table_1",
"type": "block",
"position": {
"x": 10,
"y": 710,
"w": 2638,
"h": 900
}
},
{
"item": "viz_NmxZjn2m",
"type": "block",
"position": {
"x": 2530,
"y": -90,
"w": 120,
"h": 300
}
},
{
"item": "viz_WWQmnNzo",
"type": "block",
"position": {
"x": 10,
"y": 170,
"w": 1310,
"h": 430
}
},
{
"item": "viz_XMHDnORn",
"type": "line",
"position": {
"from": {
"x": 12,
"y": 107
},
"to": {
"x": 1325,
"y": 107
}
}
},
{
"item": "viz_IuV33TS1",
"type": "block",
"position": {
"x": 10,
"y": 120,
"w": 510,
"h": 40
}
},
{
"item": "viz_IiBC8GdB",
"type": "block",
"position": {
"x": 10,
"y": 660,
"w": 650,
"h": 40
}
},
{
"item": "viz_eCsTg4eC",
"type": "line",
"position": {
"from": {
"x": 16,
"y": 637
},
"to": {
"x": 2643,
"y": 633
}
}
},
{
"item": "viz_kO1eWbMD",
"type": "line",
"position": {
"from": {
"x": 1336,
"y": 107
},
"to": {
"x": 2649,
"y": 107
}
}
},
{
"item": "viz_sXg5MxlA",
"type": "block",
"position": {
"x": 1350,
"y": 120,
"w": 510,
"h": 40
}
},
{
"item": "viz_xvoBZnIV",
"type": "block",
"position": {
"x": 1340,
"y": 170,
"w": 1310,
"h": 430
}
}
],
"globalInputs": [
"input_global_trp",
"input_kquudf7q",
"input_xdlNmvhR",
"input_RmMD0viP",
"input_eoNRWtyI"
]
},
"title": "TrackMe - Adaptive delay threshold audit (adjustments audit)",
"defaults": {
"dataSources": {
"ds.search": {
"options": {
"queryParameters": {
"latest": "$global_time.latest$",
"earliest": "$global_time.earliest$"
}
}
}
}
},
"description": "This dashboards audits the activity and behaviour of the adaptive delay thresholding for TrackMe feeds components, focusing on the adjustments made by TrackMe"
}
]]> </definition>
<meta type="hiddenElements"><![CDATA[
{
"hideEdit": false,
"hideOpenInSearch": false,
"hideExport": false
}
]]> </meta>
</dashboard>