Skip to content

Instantly share code, notes, and snippets.

@sworisbreathing

sworisbreathing/splunk-performance-dashboard.xml

Created October 2, 2014 00:27
Show Gist options
  • Save sworisbreathing/524d25e8abd357c242d5 to your computer and use it in GitHub Desktop.
Save sworisbreathing/524d25e8abd357c242d5 to your computer and use it in GitHub Desktop.
Download ZIP
Splunk Performance Dashboard - screenshot available at http://imgur.com/MBGeYmQ
Raw
splunk-performance-dashboard.xml
<form>
<label>Splunk Performance</label>
<description />
<fieldset submitButton="true">
<input type="time" searchWhenChanged="false" token="time_range">
<label>Time Range</label>
<default>
<earliestTime>-60m@m</earliestTime>
<latestTime>now</latestTime>
</default>
</input>
<input type="multiselect" searchWhenChanged="false" token="server_role_filter">
<label>Server Role</label>
<choice value="*">All</choice>
<populatingSearch earliest="$earliest$" latest="$latest$" fieldForLabel="server_role" fieldForValue="server_role">| inputlookup splunk_servers_cache</populatingSearch>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>server_role="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
</fieldset>
<row>
<panel>
<chart>
<title>CPU by Host - Splunkd</title>
<searchString>index=sos sourcetype="ps" | lookup local=true splunk_servers_cache sos_server AS host OUTPUT server_role AS server_role | search $server_role_filter$ | multikv | search COMMAND!="System.Object[]" | eval type=case(like(ARGS, "%search%"),"searches",like(ARGS, "%root.py_%start%") OR like(COMMAND, "%splunkweb%") OR (like(COMMAND,"%python%") AND like(ARGS,"%appserver%")), "Splunk Web",like(ARGS,"%-p_%start%") OR (like(COMMAND,"%splunkd%") AND like(ARGS, "service")),"splunkd server") | search type="splunkd server" | bin bins=100 _time as bucket_time | eventstats avg(pctCPU) AS avgCPU by host, PID, bucket_time | dedup host, PID, bucket_time | timechart bins=100 sum(avgCPU) by host</searchString>
<earliestTime>$time_range.earliest$</earliestTime>
<latestTime>$time_range.latest$</latestTime>
<option name="charting.legend.placement">right</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.drilldown">all</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart">line</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisTitleY.text">% CPU</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<fields>["host","source","sourcetype"]</fields>
</chart>
</panel>
<panel>
<chart>
<title>Memory (MB) by Host - Splunkd</title>
<searchString>index=sos sourcetype="ps" | lookup local=true splunk_servers_cache sos_server AS host OUTPUT server_role AS server_role | search $server_role_filter$ | multikv | search COMMAND!="System.Object[]" | eval type=case(like(ARGS, "%search%"),"searches",like(ARGS, "%root.py_%start%") OR like(COMMAND, "%splunkweb%") OR (like(COMMAND,"%python%") AND like(ARGS,"%appserver%")), "Splunk Web",like(ARGS,"%-p_%start%") OR (like(COMMAND,"%splunkd%") AND like(ARGS, "service")),"splunkd server") | search type="splunkd server" | eval RSZ_MB=RSZ_KB/1024 | bin bins=100 _time as bucket_time | eventstats avg(RSZ_MB) AS avgMB by host, PID, bucket_time | dedup host, PID, bucket_time | timechart bins=100 sum(avgMB) by host</searchString>
<earliestTime>$time_range.earliest$</earliestTime>
<latestTime>$time_range.latest$</latestTime>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.axisTitleY.text">Usage (MB)</option>
<option name="charting.axisTitleX.text">Time</option>
</chart>
</panel>
</row>
<row>
<panel>
<chart>
<title>CPU by Host - Searches</title>
<searchString>index=sos sourcetype="ps" | lookup local=true splunk_servers_cache sos_server AS host OUTPUT server_role AS server_role | search $server_role_filter$ | multikv | search COMMAND!="System.Object[]" | eval type=case(like(ARGS, "%search%"),"searches",like(ARGS, "%root.py_%start%") OR like(COMMAND, "%splunkweb%") OR (like(COMMAND,"%python%") AND like(ARGS,"%appserver%")), "Splunk Web",like(ARGS,"%-p_%start%") OR (like(COMMAND,"%splunkd%") AND like(ARGS, "service")),"splunkd server") | search type="searches" | bin bins=100 _time as bucket_time | eventstats avg(pctCPU) AS avgCPU by host, PID, bucket_time | dedup host, PID, bucket_time | timechart bins=100 sum(avgCPU) by host</searchString>
<earliestTime>$time_range.earliest$</earliestTime>
<latestTime>$time_range.latest$</latestTime>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.axisTitleY.text">% CPU</option>
<option name="charting.axisTitleX.text">Time</option>
</chart>
</panel>
<panel>
<chart>
<title>Memory (MB) by Host - Searches</title>
<searchString>index=sos sourcetype="ps" | lookup local=true splunk_servers_cache sos_server AS host OUTPUT server_role AS server_role | search $server_role_filter$ | multikv | search COMMAND!="System.Object[]" | eval type=case(like(ARGS, "%search%"),"searches",like(ARGS, "%root.py_%start%") OR like(COMMAND, "%splunkweb%") OR (like(COMMAND,"%python%") AND like(ARGS,"%appserver%")), "Splunk Web",like(ARGS,"%-p_%start%") OR (like(COMMAND,"%splunkd%") AND like(ARGS, "service")),"splunkd server") | search type="searches" | eval RSZ_MB=RSZ_KB/1024 | bin bins=100 _time as bucket_time | eventstats avg(RSZ_MB) AS avgMB by host, PID, bucket_time | dedup host, PID, bucket_time | timechart bins=100 sum(avgMB) by host</searchString>
<earliestTime>$time_range.earliest$</earliestTime>
<latestTime>$time_range.latest$</latestTime>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.axisTitleY.text">Usage (MB)</option>
<option name="charting.axisTitleX.text">Time</option>
</chart>
</panel>
</row>
<row>
<panel>
<chart>
<title>CPU by Host - Splunk Web</title>
<searchString>index=sos sourcetype="ps" | lookup local=true splunk_servers_cache sos_server AS host OUTPUT server_role AS server_role | search $server_role_filter$ | multikv | search COMMAND!="System.Object[]" | eval type=case(like(ARGS, "%search%"),"searches",like(ARGS, "%root.py_%start%") OR like(COMMAND, "%splunkweb%") OR (like(COMMAND,"%python%") AND like(ARGS,"%appserver%")), "Splunk Web",like(ARGS,"%-p_%start%") OR (like(COMMAND,"%splunkd%") AND like(ARGS, "service")),"splunkd server") | search type="Splunk Web" | bin bins=100 _time as bucket_time | eventstats avg(pctCPU) AS avgCPU by host, PID, bucket_time | dedup host, PID, bucket_time | timechart bins=100 sum(avgCPU) by host</searchString>
<earliestTime>$time_range.earliest$</earliestTime>
<latestTime>$time_range.latest$</latestTime>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.axisTitleY.text">% CPU</option>
<option name="charting.axisTitleX.text">Time</option>
</chart>
</panel>
<panel>
<chart>
<title>Memory (MB) by Host - Splunk Web</title>
<searchString>index=sos sourcetype="ps" | lookup local=true splunk_servers_cache sos_server AS host OUTPUT server_role AS server_role | search $server_role_filter$ | multikv | search COMMAND!="System.Object[]" | eval type=case(like(ARGS, "%search%"),"searches",like(ARGS, "%root.py_%start%") OR like(COMMAND, "%splunkweb%") OR (like(COMMAND,"%python%") AND like(ARGS,"%appserver%")), "Splunk Web",like(ARGS,"%-p_%start%") OR (like(COMMAND,"%splunkd%") AND like(ARGS, "service")),"splunkd server") | search type="Splunk Web" | eval RSZ_MB=RSZ_KB/1024 | bin bins=100 _time as bucket_time | eventstats avg(RSZ_MB) AS avgMB by host, PID, bucket_time | dedup host, PID, bucket_time | timechart bins=100 sum(avgMB) by host</searchString>
<earliestTime>$time_range.earliest$</earliestTime>
<latestTime>$time_range.latest$</latestTime>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.axisTitleY.text">Usage (MB)</option>
<option name="charting.axisTitleX.text">Time</option>
</chart>
</panel>
</row>
</form>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment