Description:
I wanted a dashboard that would give me package information across my Ubuntu servers. At this time I have only built this dashboard to review the “dpkg.log”.
In an attempt to help people understand how I build dashboards, I posted a video on YouTube where you can follow along while I build this dashboard out:
Building a Classic Dashboard in Splunk – https://youtu.be/NMfv-nx_5mE
In order to use this dashboard you will need to validate that the field names used in the searches exist. In my environment I am using the “Splunk Add-on for Unix & Linux” to collect all log files from “/var/log”. However, the “Splunk Add-on for Unix & Linux” does not provide the props/transforms entries needed to create fields for the “dpkg.log”.
I have recorded a YouTube video that walks through how to configure field extraction on the “dpkg.log”:
Splunk Field Extraction Walkthrough – https://youtu.be/YdM0rZdXJJI
This is my first version of the dashboard and may not be my last version.
This Add-on is not required, but is used to collect the dpkg.log from /var/log:
Splunk Add-on for Unix & Linux – https://splunkbase.splunk.com/app/833/
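The dashboard below depends on two extracted fields, action and package, that the add-on does not create. As an added example (not part of the original post or the add-on), the extractor below uses named-group regexes for the dpkg.log line shapes documented in dpkg(1) and reproduces the first two panels' aggregations in Python, including the fillnull behaviour for lines that carry no package. The sample lines are constructed; the regexes assume stock dpkg.log formatting.

```python
import re
from collections import Counter
# Group names match the fields the dashboard searches on ("action", "package").
# They are plain named groups, so the same regexes can be pasted into a
# props.conf EXTRACT- stanza for the dpkg.log source.
TIMESTAMP = r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
ACTION_RE = re.compile(TIMESTAMP + r"(?P<action>\S+)")  # keyword after the timestamp
# Package-action lines: "<action> <package> <installed-version> <available-version>"
PACKAGE_RE = re.compile(
    TIMESTAMP + r"(?P<action>install|upgrade|configure|trigproc|remove|purge|disappear) "
    r"(?P<package>\S+) (?P<old_version>\S+) (?P<new_version>\S+)$")
# Status lines: "status <state> <package> <version>"
STATUS_RE = re.compile(TIMESTAMP + r"status (?P<state>\S+) (?P<package>\S+) (?P<version>\S+)$")

def extract_fields(line):
    """Fields for one dpkg.log line, or None for a line that is not dpkg.log.
    "package" stays unset on startup/conffile lines; that is the case the
    dashboard's `fillnull value=check_raw_logs package` makes visible."""
    m = ACTION_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for pattern in (PACKAGE_RE, STATUS_RE):
        pm = pattern.match(line)
        if pm:
            fields.update(pm.groupdict())
            break
    return fields

def count_by_action(lines):
    """First panel: `stats count by action`."""
    return dict(Counter(f["action"] for f in map(extract_fields, lines) if f))

def packages_for_action(lines, action):
    """Second panel: filter on action, fill a missing package, count by package."""
    counts = Counter()
    for f in filter(None, map(extract_fields, lines)):
        if f["action"] == action:
            counts[f.get("package", "check_raw_logs")] += 1
    return dict(counts)

# Constructed sample lines in dpkg.log format (not taken from a real host).
SAMPLE = """\
2024-03-01 09:00:01 startup archives unpack
2024-03-01 09:00:02 upgrade curl:amd64 7.81.0-1ubuntu1.14 7.81.0-1ubuntu1.15
2024-03-01 09:00:02 status half-configured curl:amd64 7.81.0-1ubuntu1.15
2024-03-01 09:00:03 configure curl:amd64 7.81.0-1ubuntu1.15 <none>
2024-03-01 09:00:04 install htop:amd64 <none> 3.0.5-7build2
2024-03-01 09:00:05 conffile /etc/curl/curlrc keep
""".splitlines()
```

A startup or conffile line shows up under check_raw_logs in the second panel, which is the cue to look at the raw events rather than trust the package column.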
Dashboard:
<form version="1.1" theme="dark">
  <label>NIX Package info</label>
  <fieldset submitButton="false">
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=nix source IN(/var/log/dpkg.log) | stats count by action</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="action1">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Reviewing action = $action1$</title>
      <table>
        <search>
          <query>index=nix source IN(/var/log/dpkg.log) action="$action1$" | fillnull value=check_raw_logs package | stats values(host) as host count by package</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="package1">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <!-- this panel drills into the package clicked in the panel above, so the title reports the package token -->
      <title>Reviewing package = $package1$</title>
      <input type="multiselect" token="host1">
        <label>Host Selection</label>
        <fieldForLabel>host</fieldForLabel>
        <fieldForValue>host</fieldForValue>
        <search>
          <query>index=nix source IN(/var/log/dpkg.log) package="$package1$" | stats count by host</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
        </search>
        <choice value="*">All</choice>
        <default>*</default>
        <prefix>host IN(</prefix>
        <suffix>)</suffix>
        <valuePrefix>"</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter>, </delimiter>
      </input>
      <event>
        <search>
          <query>index=nix source IN(/var/log/dpkg.log) package="$package1$" $host1$</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>