Dashboard

Deployed application status

Description

Submitted by manderso

Created this dashboard to see when, or if, an application was deployed successfully. It is close to splunkninja's query, but it also shows whether the host in question restarted to apply the new app.
<form>
  <label>Deployed Applications</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="loglevelpicker" searchWhenChanged="true">
      <label>Log Level</label>
      <choice value="INFO">INFO</choice>
      <choice value="WARN*">WARNING</choice>
      <choice value="ERROR">ERROR</choice>
      <default>INFO,WARN*,ERROR</default>
      <valuePrefix>log_level=</valuePrefix>
      <delimiter> OR </delimiter>
    </input>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="hostpicker">
      <label>Host</label>
      <choice value="*">All</choice>
      <default>*</default>
      <valuePrefix>host=</valuePrefix>
      <delimiter> OR </delimiter>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=DeployedApplication
| stats count by host</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="multiselect" token="apppicker" searchWhenChanged="true">
      <label>Application</label>
      <choice value="*">All</choice>
      <valuePrefix>*</valuePrefix>
      <valueSuffix>*</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>applicationx</fieldForLabel>
      <fieldForValue>applicationx</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=DeployedApplication
| rex field=file "var(\/|\\\\)run(\/|\\\\)\w+(\/|\\\\)(?&lt;app2&gt;\w+)-" 
| rex field=message "(etc|run)(\/|\\\\)(apps|\w+)(\/|\\\\)(?&lt;app3&gt;\w+)-\d+\.bundle" 
| rex field=message "etc(\/|\\\\)apps(\/|\\\\)(?&lt;app5&gt;[^\/|\\\\|']+)" 
| eval applicationx=coalesce(app,app2,app3,app5,application) 
| stats count by applicationx 
| fields - count</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=DeployedApplication $loglevelpicker$ $hostpicker$ $apppicker$
| table _time host app log_level event_message 
| sort - _time</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Last restart time</title>
      <event>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=INFO $hostpicker$ component=loader event_message="Splunkd starting*"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">0</option>
        <option name="raw.drilldown">full</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

Comments

3 total

Drew
5/10/2021

Like it a lot, but quick question. There are duplicated applications in the app picker, with a '.' at the end of one, e.g.

Splunk_TA_windows
Splunk_TA_windows.

This seems to be the default results when just looking at the 'app' field after running the basic query index=_internal sourcetype=splunkd component=DeployedApplication

Can these be excluded from the search or are they needed app!="*." ? They do show slightly different results/percentages in the app field.

manderso Author
5/12/2021

Yeah, I didn't try to exclude them, as they gave slightly different results than the apps w/out the ".". Let me know how it works for you if you exclude them.

Christopher J Boillot
6/4/2021

Hmm, I am not getting 'Host' or 'Application' to populate.
