Skip to content

Commit

Permalink
fix: fix SC4S Dashboard (#2350)
Browse files Browse the repository at this point in the history
  • Loading branch information
mstopa-splunk authored Apr 17, 2024
1 parent 9492940 commit fe39a16
Showing 1 changed file with 22 additions and 22 deletions.
44 changes: 22 additions & 22 deletions dashboard/dashboard.xml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@
<query>
| mstats
max("spl.sc4syslog.center.received.processed")
max("spl.sc4syslog.source.processed")
max("spl.sc4syslog.dst.dropped")
max("spl.sc4syslog.dst.queued")
prestats=true
Expand All @@ -19,8 +18,7 @@
</search>
<search id="baseEventsSearch">
<query>
index=* sc4s_container=$sc4s_instance$
| stats count by _time index sc4s_tags
index=* sc4s_container=$sc4s_instance$
</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
Expand Down Expand Up @@ -76,7 +74,7 @@
<chart>
<search base="baseMetricsSearch">
<query>
| timechart max("spl.sc4syslog.source.processed") span=$span$ useother=false BY sc4s_container
| timechart max("spl.sc4syslog.center.received.processed") span=$span$ useother=false BY sc4s_container
WHERE max in top1000
| fields - _span*
</query>
Expand Down Expand Up @@ -241,15 +239,6 @@
<h2>
Messages' metrics
</h2>
<p>
<b>Received</b>: if SC4S receives N events, the chart should return a value of N + 1 for given 30 seconds span.
</p>
<p>
<b>Queued</b>: increases temporarily in case of a connection loss to Splunk or increased system load.
</p>
<p>
<b>Dropped</b>: temporarily rises during periods where system load exceeds capacity. This number doesn't include messages dropped on the OS level, for example, from the UDP port buffer.
</p>
<p>The delta is negative at the moment of instance restart.</p>
</html>
</panel>
Expand All @@ -261,13 +250,14 @@
<query>
| search sc4s_container=$sc4s_instance$
| timechart
max("spl.sc4syslog.center.received.processed") AS received
max("spl.sc4syslog.dst.dropped") AS dropped
max("spl.sc4syslog.center.received.processed") AS received_cumulative_sum
max("spl.sc4syslog.dst.dropped") AS dropped_cumulative_sum
max("spl.sc4syslog.dst.queued") AS queued
span=$span$
| delta received as received
| delta dropped as dropped
| fields - _span*
| delta received_cumulative_sum as received
| delta dropped_cumulative_sum as dropped
| where not (received_cumulative_sum == received AND dropped_cumulative_sum == dropped)
| fields - _span* received_cumulative_sum dropped_cumulative_sum
</query>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
Expand Down Expand Up @@ -401,8 +391,13 @@
<panel>
<title>Data parsers</title>
<chart>
<search base="baseEventsSearch">
<query>| eval tags=split(sc4s_tags,"|") | mvexpand tags | search tags=".app.*" | timechart count by tags</query>
<search>
<query>
index=* sc4s_container=$sc4s_instance$ | eval tags=split(sc4s_tags,"|") | mvexpand tags | search tags=".app.*" | timechart count by tags
</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
Expand Down Expand Up @@ -442,8 +437,13 @@
<panel>
<title>Tags</title>
<table>
<search base="baseEventsSearch">
<query>| eval tags=split(sc4s_tags,"|") | mvexpand tags | chart count by tags</query>
<search>
<query>
index=* sc4s_container=$sc4s_instance$ | eval tags=split(sc4s_tags,"|") | mvexpand tags | chart count by tags
</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
</table>
Expand Down

0 comments on commit fe39a16

Please sign in to comment.