Traffic Lights on Splunk Dashboards

30 August 2016 | Tech Tips

Combining metrics for executive dashboards

By Mohit Dewan, Avocado Consultant

For an Executive Dashboard the focus should always be on creating as few dashboard elements as possible to minimise clutter while at the same time conveying the maximum amount of information.

Traffic lights can be a great fit for this purpose because they have finite states, i.e. red, amber and green, and it is possible to aggregate multiple metrics into a single element.

At the time of writing this article (v 6.4.2), Splunk does not provide a traffic light visualisation on dashboards out of the box. However, we can quite easily use the Single Value visualisation to create something like this:

Single value dashboard visualisation

Here we have separate metrics that each have their own thresholds and different units.

The first task is to combine these into a single search. We’ll use the join command to do this:

Combining metrics

Now we need to combine these metrics into a new artificial metric and set thresholds. We can do this using the eval command:

Using the eval function to combine metrics into a new artificial metric.

Note that our new metric infraScore will always reflect the worst child of the metrics that make it up.

We could dashboard our new metric as a Single Value element, but this might not look very pretty or make much sense:

Dashboarding our new metric

Initial new metric dashboarding result

Instead, what we will do is apply the rangemap command, which will later allow us to do some style sheet manipulations.

Apply the rangemap function

Edit style sheets after applying the rangemap function
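The three steps above (join, eval, rangemap) written out as one search. This is an added example, not the article's own search: the host value, the metric names (cpuPct, diskFreeGB, latencyMs), the sample values and the thresholds are all constructed assumptions, and makeresults stands in for the real metric searches so the search runs without any indexed data.

```spl
| makeresults
| eval note="constructed sample values; metric names and thresholds are assumptions"
| eval host="web01", cpuPct=72
| join host
    [| makeresults
     | eval host="web01", diskFreeGB=18]
| join host
    [| makeresults
     | eval host="web01", latencyMs=950]
| eval cpuSev=case(cpuPct>=90, 2, cpuPct>=75, 1, true(), 0)
| eval diskSev=case(diskFreeGB<=10, 2, diskFreeGB<=20, 1, true(), 0)
| eval latSev=case(latencyMs>=1000, 2, latencyMs>=500, 1, true(), 0)
| eval infraScore=max(cpuSev, diskSev, latSev)
| rangemap field=infraScore low=0-0 elevated=1-1 severe=2-2 default=severe
| table host cpuPct diskFreeGB latencyMs cpuSev diskSev latSev infraScore range
```

Each metric is first normalised to its own 0/1/2 severity, so metrics with different units and threshold directions can be compared, and max() then makes infraScore follow the worst child.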

Now if we tweak the style sheet we can do something like this:

Tweak the style sheet.

The icon set:

The icon set

But those 3D icons are so noughties… Some newer icons and some more style sheet tweaks:

Creating new icon sets with style sheets

This is better but may still not be simple enough to understand on an Executive dashboard. Some more tweaking of the style sheet:

The executive dashboard

Now we have a single element on the dashboard called Infrastructure, which will change colour between green, amber and red if any one of its underlying metrics crosses its threshold.

This element is simple and easy to understand at a glance. We can now delete the individual metric indicators from the dashboard, leaving just our new element.

Although not in the scope of this article, it would be good practice to provide a drill-down on our new element so that when there is a problem, a user can click on the element to investigate its cause in more detail.

Happy Splunk Dashboarding!
