Splunk_Deploiement/dashboards/trackme_trackMe_audit_svc_u...


<dashboard version="2" theme="dark">
<label>TrackMe SVC usage stack</label>
<description></description>
<definition><![CDATA[
{
"visualizations": {
"viz_wEwqDRvv": {
"type": "splunk.line",
"title": "Stack SVC usage per hour",
"dataSources": {
"primary": "ds_6F4mslsR"
},
"options": {
"xAxisTitleText": "",
"yAxisTitleText": "SVCs"
}
},
"viz_CL7Yd48d": {
"type": "splunk.singlevalue",
"title": "Stack SVC Entitlement",
"dataSources": {
"primary": "ds_0HJP5tjw"
},
"options": {
"backgroundColor": "transparent"
}
},
"viz_3dm54Wnf": {
"type": "splunk.line",
"dataSources": {
"primary": "ds_vFBi4bSQ"
},
"title": "TrackMe SVC usage",
"description": "SVC usage per hour for TrackMe",
"options": {
"xAxisTitleText": "",
"yAxisTitleText": "SVCs"
}
},
"viz_8NRmlyOE": {
"type": "splunk.line",
"dataSources": {
"primary": "ds_xSjMkQKs"
},
"title": "Percentage of SVCs used by TrackMe",
"description": "Percentage of SVCs used by TrackMe. The percentage is calculated against the number of SVCs that are actually used, so it shows what share of the used SVCs is effectively consumed by TrackMe.",
"options": {
"xAxisTitleText": "",
"yAxisTitleText": "SVCs percentage"
}
},
"viz_us5aI0OR": {
"type": "splunk.singlevalue",
"title": "Stack Average daily ingest (GB)",
"dataSources": {
"primary": "ds_HvTFWH2P"
},
"options": {
"backgroundColor": "transparent",
"numberPrecision": 2
}
},
"viz_rN1Rglnc": {
"type": "splunk.singlevalue",
"title": "Average SVC pct used by TrackMe",
"dataSources": {
"primary": "ds_ra2AYETO"
},
"options": {
"backgroundColor": "transparent",
"numberPrecision": 2,
"unit": "%"
}
},
"viz_fGOeP9lm": {
"type": "splunk.singlevalue",
"title": "Percentile95 SVC pct used by TrackMe",
"dataSources": {
"primary": "ds_w5uhHl8D"
},
"options": {
"backgroundColor": "transparent",
"numberPrecision": 2,
"unit": "%"
}
}
},
"dataSources": {
"ds_6F4mslsR": {
"type": "ds.search",
"options": {
"query": "(index=_cmc_summary OR index=summary) source=\"splunk-svc\"\n | stats max(utilized_svc) as utilized_svc\n max(stack_license_svc) as stack_license_svc\n by _time, role, indexer_type\n | stats sum(utilized_svc) as utilized_svc\n latest(stack_license_svc) as stack_license_svc\n by _time | timechart span=1h\n max(utilized_svc) AS utilized_svc\n max(stack_license_svc) AS stack_license_svc\n | trendline sma24(utilized_svc) AS \"average SVC utilization\"\n | eval optimal_threshold=if(stack_license_svc>0, stack_license_svc*.8, null())\n | eval degradation_threshold=stack_license_svc*.9\n | eval degraded=if(stack_license_svc>0 AND utilized_svc>=degradation_threshold,utilized_svc,null())\n | eval elevated=if(stack_license_svc>0 AND utilized_svc>=optimal_threshold AND isnull(degraded),utilized_svc,null())\n | eval utilized_svc=if(isnull(elevated) AND isnull(degraded),utilized_svc,null())\n | eval \"license limit\"=if(stack_license_svc>0,stack_license_svc,null())\n | fields - degradation_threshold stack_license_svc\n | rename optimal_threshold as \"optimal utilization threshold\", utilized_svc as \"utilized SVC\"",
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
}
},
"name": "stack_svc"
},
"ds_0HJP5tjw": {
"type": "ds.search",
"options": {
"query": "(index=_cmc_summary OR index=summary) source=\"splunk-entitlements\"\n | stats latest(svc_license) as svc_license\n | eval display=if(svc_license>0,tostring(svc_license,\"commas\").\" SVC\", \"N/A\")\n | fields display",
"queryParameters": {
"earliest": "-24h@h",
"latest": "now"
}
},
"name": "svc_entitlement"
},
"ds_vFBi4bSQ": {
"type": "ds.search",
"options": {
"query": "(index=_cmc_summary OR index=summary) source=\"splunk-svc-search-attribution\" svc_usage=*\n | fields svc_usage svc_consumer svc_consumption_score search_type search_app search_label search_user search_head_names unified_sid process_type\n | fillnull value=\"\" svc_consumer process_type search_provenances search_type search_app search_label search_user unified_sid search_modes labels search_head_names usage_source\n | search search_app=\"trackme\"\n | stats max(svc_usage) as utilized_svc by _time svc_consumer search_type search_app search_label search_user search_head_names unified_sid process_type\n | timechart span=1h sum(utilized_svc) as sum_svc"
},
"name": "trackme_usage_per_hour"
},
"ds_xSjMkQKs": {
"type": "ds.search",
"options": {
"query": "(index=_cmc_summary OR index=summary) source=\"splunk-svc-search-attribution\" svc_usage=*\n | fields svc_usage svc_consumer svc_consumption_score search_type search_app search_label search_user search_head_names unified_sid process_type\n | fillnull value=\"\" svc_consumer process_type search_provenances search_type search_app search_label search_user unified_sid search_modes labels search_head_names usage_source\n | stats max(svc_usage) as utilized_svc by _time svc_consumer search_type search_app search_label search_user search_head_names unified_sid process_type\n | bucket _time span=1h\n | stats sum(utilized_svc) as svc by _time, search_app\n | eval search_app=if(isnull(search_app) OR search_app=\"\", \"NA\", search_app)\n | eventstats sum(svc) as total_svc by _time\n | eval pct=svc/total_svc*100\n | search search_app=\"trackme\"\n | fields _time search_app pct\n | timechart span=1h first(pct) as pct by search_app\n",
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
}
},
"name": "trackme_pct_stack_usage"
},
"ds_HvTFWH2P": {
"type": "ds.search",
"options": {
"query": "index=_telemetry (host=*.*splunk*.* NOT host=sh*.*splunk*.*) source=*license_usage_summary.log* TERM(\"type=RolloverSummary\") \n| rex field=_raw \"^(?<timestring>\\d\\d-\\d\\d-\\d{4}\\s\\d\\d:\\d\\d:\\d\\d.\\d{3}\\s\\+\\d{4})\" \n| eval _time=strptime(timestring,\"%m-%d-%Y %H:%M:%S.%N%z\") \n| eval z=strftime(now(),\"%z\") \n| eval m=substr(z,-2) \n| eval h=substr(z,2,2) \n| eval mzone=if(z != 0, ((h*60)+m)*(z/abs(z)), 0) \n| eval min_to_utc=-1440-mzone \n| eval rel_time=min_to_utc.\"m\" \n| eval _time=relative_time(_time, rel_time) \n| bin _time span=1d \n| eval slave=if(isnull(slave), \"unknown\", slave)\n| stats latest(b) AS b by slave, pool, _time \n| timechart span=1d sum(b) AS \"volume\" fixedrange=true \n| eval GB=round(volume/1024/1024/1024, 2) \n| stats values(*) as * by _time \n| fields - volume \n| stats avg(GB) as avg_GB \n| eval avg_GB=round(avg_GB, 2)"
},
"name": "stack_ingest"
},
"ds_CMiUQzG8_ds_HvTFWH2P": {
"type": "ds.search",
"options": {
"query": "(index=_cmc_summary OR index=summary) source=\"splunk-svc-search-attribution\" svc_usage=*\n | fields svc_usage svc_consumer svc_consumption_score search_type search_app search_label search_user search_head_names unified_sid process_type\n | fillnull value=\"\" svc_consumer process_type search_provenances search_type search_app search_label search_user unified_sid search_modes labels search_head_names usage_source\n\n | stats max(svc_usage) as utilized_svc by _time svc_consumer search_type search_app search_label search_user search_head_names unified_sid process_type\n | bucket _time span=1h\n | stats sum(utilized_svc) as svc by _time, search_app\n | eval search_app=if(isnull(search_app) OR search_app=\"\", \"NA\", search_app)\n | eventstats sum(svc) as total_svc by _time\n \n | eval pct=svc/total_svc*100\n | search search_app=\"trackme\"\n \n | fields _time search_app pct\n | stats avg(pct) as avg_pct, perc95(pct) as perc95\n"
},
"name": "trackme_pct_single"
},
"ds_ra2AYETO": {
"type": "ds.chain",
"options": {
"extend": "ds_CMiUQzG8_ds_HvTFWH2P",
"query": "| fields avg_pct"
},
"name": "single_pct_avg"
},
"ds_w5uhHl8D": {
"type": "ds.chain",
"options": {
"extend": "ds_CMiUQzG8_ds_HvTFWH2P",
"query": "| fields perc95"
},
"name": "single_pct_perc95"
}
},
"defaults": {
"dataSources": {
"ds.search": {
"options": {
"queryParameters": {
"latest": "$global_time.latest$",
"earliest": "$global_time.earliest$"
}
}
}
}
},
"inputs": {
"input_global_trp": {
"type": "input.timerange",
"options": {
"token": "global_time",
"defaultValue": "-30d@d,@d"
},
"title": "Global Time Range"
}
},
"layout": {
"type": "absolute",
"options": {
"display": "auto-scale",
"height": 1200
},
"structure": [
{
"item": "viz_wEwqDRvv",
"type": "block",
"position": {
"x": 0,
"y": 130,
"w": 1200,
"h": 310
}
},
{
"item": "viz_CL7Yd48d",
"type": "block",
"position": {
"x": 240,
"y": 10,
"w": 270,
"h": 120
}
},
{
"item": "viz_3dm54Wnf",
"type": "block",
"position": {
"x": 0,
"y": 480,
"w": 1200,
"h": 300
}
},
{
"item": "viz_8NRmlyOE",
"type": "block",
"position": {
"x": 0,
"y": 900,
"w": 1200,
"h": 300
}
},
{
"item": "viz_us5aI0OR",
"type": "block",
"position": {
"x": 670,
"y": 10,
"w": 270,
"h": 120
}
},
{
"item": "viz_rN1Rglnc",
"type": "block",
"position": {
"x": 290,
"y": 790,
"w": 270,
"h": 120
}
},
{
"item": "viz_fGOeP9lm",
"type": "block",
"position": {
"x": 600,
"y": 790,
"w": 270,
"h": 120
}
}
],
"globalInputs": [
"input_global_trp"
]
},
"description": "",
"title": "TrackMe SVC usage stack"
}
]]> </definition>
<meta type="hiddenElements"><![CDATA[
{
"hideEdit": false,
"hideOpenInSearch": false,
"hideExport": false
}
]]> </meta>
</dashboard>