From bdeeaab2152c00655119bd01692fa2a528c2c1ca Mon Sep 17 00:00:00 2001
From: sbylica-splunk <sbylica@splunk.com>
Date: Mon, 3 Jun 2024 11:22:21 +0200
Subject: [PATCH 1/3] Added a dashboard POC

---
 dashboards/dashboard.xml | 269 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 269 insertions(+)
 create mode 100644 dashboards/dashboard.xml

diff --git a/dashboards/dashboard.xml b/dashboards/dashboard.xml
new file mode 100644
index 00000000..12bcc296
--- /dev/null
+++ b/dashboards/dashboard.xml
@@ -0,0 +1,269 @@
+<form version="1.1" theme="dark" hideEdit="false">
+  <label>PCF dashboard POC</label>
+  <fieldset submitButton="false"></fieldset>
+  <row>
+    <panel>
+      <title>Event count</title>
+      <chart>
+        <search>
+          <query>index=* sourcetype="cf:*" | timechart  span=10m count </query>
+          <earliest>-24h</earliest>
+          <latest></latest>
+          <refresh>5m</refresh>
+          <refreshType>delay</refreshType>
+        </search>
+        <!--<title>Event count</title>-->
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Distributions of events by index</title>
+      <chart>
+        <search>
+          <query>index=* sourcetype="cf:*" | stats count by index</query>
+          <earliest>0</earliest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.abbreviation">none</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.abbreviation">none</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.abbreviation">none</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">pie</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">none</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">default</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">none</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.mode">standard</option>
+        <option name="charting.legend.placement">right</option>
+        <option name="charting.lineWidth">2</option>
+        <option name="height">331</option>
+        <option name="trellis.enabled">0</option>
+        <option name="trellis.scales.shared">1</option>
+        <option name="trellis.size">medium</option>
+      </chart>
+    </panel>
+    <panel>
+      <title>Total number of PCF events by index</title>
+      <table>
+        <search>
+          <query>index=* sourcetype="cf:*" | chart sparkline(count) AS "Indexes Trend" count AS Total BY index</query>
+          <earliest>0</earliest>
+          <latest></latest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="count">20</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">none</option>
+        <option name="percentagesRow">false</option>
+        <option name="refresh.display">progressbar</option>
+        <option name="rowNumbers">false</option>
+        <option name="totalsRow">false</option>
+        <option name="wrap">true</option>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Events by sources</title>
+      <input type="time" token="source_time_range" searchWhenChanged="true">
+        <label>Time Range</label>
+        <default>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </default>
+      </input>
+      <chart>
+        <title>Events by source</title>
+        <search>
+          <query>index=* sourcetype="cf:*" | top source</query>
+          <earliest>$source_time_range.earliest$</earliest>
+          <latest>$source_time_range.latest$</latest>
+        </search>
+        <option name="charting.axisY.abbreviation">none</option>
+        <option name="charting.chart">pie</option>
+        <option name="charting.chart.showDataLabels">all</option>
+        <option name="charting.drilldown">none</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+     <panel>
+      <title>Events by sourcetype</title>
+      <input type="time" token="source_time_range" searchWhenChanged="true">
+        <label>Time Range</label>
+        <default>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </default>
+      </input>
+      <chart>
+        <title>Events by sourcetype</title>
+        <search>
+          <query>index=* sourcetype="cf:*" | top sourcetype</query>
+          <earliest>$source_time_range.earliest$</earliest>
+          <latest>$source_time_range.latest$</latest>
+        </search>
+        <option name="charting.axisY.abbreviation">none</option>
+        <option name="charting.chart">pie</option>
+        <option name="charting.chart.showDataLabels">all</option>
+        <option name="charting.drilldown">none</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Internal Splunk errors count</title>
+      <chart>
+        <search>
+          <query>index=_internal component=HttpInputDataHandler (log_level="WARN" OR log_level="ERROR") | timechart  span=10m count </query>
+          <earliest>-24h</earliest>
+          <latest></latest>
+          <refresh>5m</refresh>
+          <refreshType>delay</refreshType>
+        </search>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+    <panel>
+      <title>Internal Splunk errors sample</title>
+      <table>
+        <search>
+          <query>index=_internal component=HttpInputDataHandler (log_level="WARN" OR log_level="ERROR") | table name,parsing_err</query>
+          <earliest>0</earliest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="trellis.enabled">0</option>
+        <option name="trellis.scales.shared">1</option>
+        <option name="trellis.size">medium</option>
+      </table>
+    </panel>
+  </row>
+  
+  <row>
+    <panel>
+      <title>Nozzle errors count</title>
+      <chart>
+        <search>
+          <query>index=* sourcetype="cf:splunknozzle" message="*error*" | timechart  span=10m count </query>
+          <earliest>-24h</earliest>
+          <latest></latest>
+          <refresh>5m</refresh>
+          <refreshType>delay</refreshType>
+        </search>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+    <panel>
+      <title>Nozzle errors sample</title>
+      <table>
+        <search>
+          <query>index=* sourcetype="cf:splunknozzle" message="*error*" | table source,logger_source,message</query>
+          <earliest>0</earliest>
+          <sampleRatio>1</sampleRatio>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="trellis.enabled">0</option>
+        <option name="trellis.scales.shared">1</option>
+        <option name="trellis.size">medium</option>
+      </table>
+    </panel>
+  </row>
+  
+  <row>
+    <panel>
+      <title>Nozzle CPU usage</title>
+      <chart>
+        <search>
+          <query>| mstats avg("nozzle.usage.cpu") prestats=true WHERE "index"="pcf_metrics" span=10s | timechart avg("nozzle.usage.cpu") AS Avg span=10s | fields - _span* </query>
+          <earliest>-1h</earliest>
+          <latest></latest>
+          <refresh>5m</refresh>
+          <refreshType>delay</refreshType>
+        </search>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+  </row>
+  
+  <row>
+    <panel>
+      <title>Nozzle RAM usage</title>
+      <chart>
+        <search>
+          <query>| mstats avg("nozzle.usage.ram") prestats=true WHERE "index"="pcf_metrics" span=10s | timechart avg("nozzle.usage.ram") AS Avg span=10s | fields - _span* </query>
+          <earliest>-1h</earliest>
+          <latest></latest>
+          <refresh>5m</refresh>
+          <refreshType>delay</refreshType>
+        </search>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+  </row>
+  
+  <row>
+    <panel>
+      <title>Nozzle events sent</title>
+      <chart>
+        <search>
+          <query>  | mstats rate_avg("firehose.events.received.count") as "Rate (Avg) /s" chart=true WHERE "index"="pcf_metrics" span=30s | fields - _span* </query>
+          <earliest>-1h</earliest>
+          <latest></latest>
+          <refresh>5m</refresh>
+          <refreshType>delay</refreshType>
+        </search>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+    <panel>
+      <title>Nozzle events dropped</title>
+      <chart>
+        <search>
+          <query>  | mstats rate_avg("firehose.events.dropped.count") as "Rate (Avg) /s" chart=true WHERE "index"="pcf_metrics" span=30s | fields - _span* </query>
+          <earliest>-1h</earliest>
+          <latest></latest>
+          <refresh>5m</refresh>
+          <refreshType>delay</refreshType>
+        </search>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+  </row>
+
+  
+</form>
\ No newline at end of file

From 1d549f1edb1101a6d34ae21a88dd41ae6162f953 Mon Sep 17 00:00:00 2001
From: sbylica-splunk <sbylica@splunk.com>
Date: Mon, 1 Jul 2024 14:13:01 +0200
Subject: [PATCH 2/3] Cleanup of a dashboard

---
 dashboards/dashboard.xml | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/dashboards/dashboard.xml b/dashboards/dashboard.xml
index 12bcc296..1d4d60db 100644
--- a/dashboards/dashboard.xml
+++ b/dashboards/dashboard.xml
@@ -1,4 +1,4 @@
-<form version="1.1" theme="dark" hideEdit="false">
+<form version="1.1" hideEdit="false">
   <label>PCF dashboard POC</label>
   <fieldset submitButton="false"></fieldset>
   <row>
@@ -12,7 +12,6 @@
           <refresh>5m</refresh>
           <refreshType>delay</refreshType>
         </search>
-        <!--<title>Event count</title>-->
         <option name="charting.chart">line</option>
         <option name="charting.drilldown">none</option>
         <option name="refresh.display">progressbar</option>
@@ -52,14 +51,7 @@
         <option name="charting.drilldown">none</option>
         <option name="charting.layout.splitSeries">0</option>
         <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
-        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
-        <option name="charting.legend.mode">standard</option>
-        <option name="charting.legend.placement">right</option>
         <option name="charting.lineWidth">2</option>
-        <option name="height">331</option>
-        <option name="trellis.enabled">0</option>
-        <option name="trellis.scales.shared">1</option>
-        <option name="trellis.size">medium</option>
       </chart>
     </panel>
     <panel>

From 05f6b5be5feaa04b2a4d693a782873398495341e Mon Sep 17 00:00:00 2001
From: sbylica-splunk <sbylica@splunk.com>
Date: Mon, 1 Jul 2024 14:14:59 +0200
Subject: [PATCH 3/3] fixed typo

---
 dashboards/dashboard.xml | 118 ++++++++++++++++++++-------------------
 1 file changed, 60 insertions(+), 58 deletions(-)

diff --git a/dashboards/dashboard.xml b/dashboards/dashboard.xml
index 1d4d60db..af5318e7 100644
--- a/dashboards/dashboard.xml
+++ b/dashboards/dashboard.xml
@@ -1,14 +1,32 @@
 <form version="1.1" hideEdit="false">
-  <label>PCF dashboard POC</label>
-  <fieldset submitButton="false"></fieldset>
+  <label>PCF dashboard</label>
+  <fieldset submitButton="false">
+    <input type="time" token="main_time_range" searchWhenChanged="true">
+      <label>Time range</label>
+      <default>
+        <earliest>-24h@h</earliest>
+        <latest>now</latest>
+      </default>
+    </input>
+    <input type="text" token="index_token" searchWhenChanged="true">
+      <label>Index</label>
+      <default>*</default>
+      <initialValue>*</initialValue>
+    </input>
+    <input type="text" token="metrics_index_token" searchWhenChanged="true">
+      <label>Metrics index</label>
+      <default>*</default>
+      <initialValue>*</initialValue>
+    </input>
+  </fieldset>
   <row>
     <panel>
       <title>Event count</title>
       <chart>
         <search>
-          <query>index=* sourcetype="cf:*" | timechart  span=10m count </query>
-          <earliest>-24h</earliest>
-          <latest></latest>
+          <query>index=$index_token$ sourcetype="cf:*" | timechart  span=10m count </query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
           <refresh>5m</refresh>
           <refreshType>delay</refreshType>
         </search>
@@ -23,8 +41,9 @@
       <title>Distributions of events by index</title>
       <chart>
         <search>
-          <query>index=* sourcetype="cf:*" | stats count by index</query>
-          <earliest>0</earliest>
+          <query>index=$index_token$ sourcetype="cf:*" | stats count by index</query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
@@ -52,15 +71,16 @@
         <option name="charting.layout.splitSeries">0</option>
         <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
         <option name="charting.lineWidth">2</option>
+        <option name="refresh.display">progressbar</option>
       </chart>
     </panel>
     <panel>
       <title>Total number of PCF events by index</title>
       <table>
         <search>
-          <query>index=* sourcetype="cf:*" | chart sparkline(count) AS "Indexes Trend" count AS Total BY index</query>
-          <earliest>0</earliest>
-          <latest></latest>
+          <query>index=$index_token$ sourcetype="cf:*" | chart sparkline(count) AS "Indexes Trend" count AS Total BY index</query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="count">20</option>
@@ -77,19 +97,12 @@
   <row>
     <panel>
       <title>Events by sources</title>
-      <input type="time" token="source_time_range" searchWhenChanged="true">
-        <label>Time Range</label>
-        <default>
-          <earliest>-24h@h</earliest>
-          <latest>now</latest>
-        </default>
-      </input>
       <chart>
         <title>Events by source</title>
         <search>
-          <query>index=* sourcetype="cf:*" | top source</query>
-          <earliest>$source_time_range.earliest$</earliest>
-          <latest>$source_time_range.latest$</latest>
+          <query>index=$index_token$ sourcetype="cf:*" | top source</query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
         </search>
         <option name="charting.axisY.abbreviation">none</option>
         <option name="charting.chart">pie</option>
@@ -99,21 +112,14 @@
         <option name="refresh.display">progressbar</option>
       </chart>
     </panel>
-     <panel>
+    <panel>
       <title>Events by sourcetype</title>
-      <input type="time" token="source_time_range" searchWhenChanged="true">
-        <label>Time Range</label>
-        <default>
-          <earliest>-24h@h</earliest>
-          <latest>now</latest>
-        </default>
-      </input>
       <chart>
         <title>Events by sourcetype</title>
         <search>
-          <query>index=* sourcetype="cf:*" | top sourcetype</query>
-          <earliest>$source_time_range.earliest$</earliest>
-          <latest>$source_time_range.latest$</latest>
+          <query>index=$index_token$ sourcetype="cf:*" | top sourcetype</query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
         </search>
         <option name="charting.axisY.abbreviation">none</option>
         <option name="charting.chart">pie</option>
@@ -130,8 +136,8 @@
       <chart>
         <search>
           <query>index=_internal component=HttpInputDataHandler (log_level="WARN" OR log_level="ERROR") | timechart  span=10m count </query>
-          <earliest>-24h</earliest>
-          <latest></latest>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
           <refresh>5m</refresh>
           <refreshType>delay</refreshType>
         </search>
@@ -144,8 +150,9 @@
       <title>Internal Splunk errors sample</title>
       <table>
         <search>
-          <query>index=_internal component=HttpInputDataHandler (log_level="WARN" OR log_level="ERROR") | table name,parsing_err</query>
-          <earliest>0</earliest>
+          <query>index=_internal component=HttpInputDataHandler (log_level="WARN" OR log_level="ERROR") | table name,parsing_err | stats count by name,parsing_err </query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="drilldown">none</option>
@@ -155,15 +162,14 @@
       </table>
     </panel>
   </row>
-  
   <row>
     <panel>
       <title>Nozzle errors count</title>
       <chart>
         <search>
-          <query>index=* sourcetype="cf:splunknozzle" message="*error*" | timechart  span=10m count </query>
-          <earliest>-24h</earliest>
-          <latest></latest>
+          <query>index=$index_token$ sourcetype="cf:splunknozzle" message="*error*" | timechart  span=10m count </query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
           <refresh>5m</refresh>
           <refreshType>delay</refreshType>
         </search>
@@ -176,8 +182,9 @@
       <title>Nozzle errors sample</title>
       <table>
         <search>
-          <query>index=* sourcetype="cf:splunknozzle" message="*error*" | table source,logger_source,message</query>
-          <earliest>0</earliest>
+          <query>index=$index_token$ sourcetype="cf:splunknozzle" message="*error*" | table source,logger_source,message | stats count by source,logger_source,message </query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="drilldown">none</option>
@@ -187,15 +194,14 @@
       </table>
     </panel>
   </row>
-  
   <row>
     <panel>
       <title>Nozzle CPU usage</title>
       <chart>
         <search>
-          <query>| mstats avg("nozzle.usage.cpu") prestats=true WHERE "index"="pcf_metrics" span=10s | timechart avg("nozzle.usage.cpu") AS Avg span=10s | fields - _span* </query>
-          <earliest>-1h</earliest>
-          <latest></latest>
+          <query>| mstats avg("nozzle.usage.cpu") prestats=true WHERE "index"=$metrics_index_token$ span=10s | timechart avg("nozzle.usage.cpu") AS Avg span=10s | fields - _span* </query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
           <refresh>5m</refresh>
           <refreshType>delay</refreshType>
         </search>
@@ -205,15 +211,14 @@
       </chart>
     </panel>
   </row>
-  
   <row>
     <panel>
       <title>Nozzle RAM usage</title>
       <chart>
         <search>
-          <query>| mstats avg("nozzle.usage.ram") prestats=true WHERE "index"="pcf_metrics" span=10s | timechart avg("nozzle.usage.ram") AS Avg span=10s | fields - _span* </query>
-          <earliest>-1h</earliest>
-          <latest></latest>
+          <query>| mstats avg("nozzle.usage.ram") prestats=true WHERE "index"=$metrics_index_token$ span=10s | timechart avg("nozzle.usage.ram") AS Avg span=10s | fields - _span* </query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
           <refresh>5m</refresh>
           <refreshType>delay</refreshType>
         </search>
@@ -223,15 +228,14 @@
       </chart>
     </panel>
   </row>
-  
   <row>
     <panel>
       <title>Nozzle events sent</title>
       <chart>
         <search>
-          <query>  | mstats rate_avg("firehose.events.received.count") as "Rate (Avg) /s" chart=true WHERE "index"="pcf_metrics" span=30s | fields - _span* </query>
-          <earliest>-1h</earliest>
-          <latest></latest>
+          <query>  | mstats rate_avg("firehose.events.received.count") as "Rate (Avg) /s" chart=true WHERE "index"=$metrics_index_token$ span=30s | fields - _span* </query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
           <refresh>5m</refresh>
           <refreshType>delay</refreshType>
         </search>
@@ -244,9 +248,9 @@
       <title>Nozzle events dropped</title>
       <chart>
         <search>
-          <query>  | mstats rate_avg("firehose.events.dropped.count") as "Rate (Avg) /s" chart=true WHERE "index"="pcf_metrics" span=30s | fields - _span* </query>
-          <earliest>-1h</earliest>
-          <latest></latest>
+          <query>  | mstats rate_avg("firehose.events.dropped.count") as "Rate (Avg) /s" chart=true WHERE "index"=$metrics_index_token$ span=30s | fields - _span* </query>
+          <earliest>$main_time_range.earliest$</earliest>
+          <latest>$main_time_range.latest$</latest>
           <refresh>5m</refresh>
           <refreshType>delay</refreshType>
         </search>
@@ -256,6 +260,4 @@
       </chart>
     </panel>
   </row>
-
-  
 </form>
\ No newline at end of file