From fe39a163c9e836689f843089097f613b5e1a9602 Mon Sep 17 00:00:00 2001
From: mstopa-splunk <139441697+mstopa-splunk@users.noreply.github.com>
Date: Wed, 17 Apr 2024 10:05:55 +0200
Subject: [PATCH] fix: fix SC4S Dashboard (#2350)

---
 dashboard/dashboard.xml | 44 ++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/dashboard/dashboard.xml b/dashboard/dashboard.xml
index a4dc15ad16..88382ff68f 100644
--- a/dashboard/dashboard.xml
+++ b/dashboard/dashboard.xml
@@ -5,7 +5,6 @@
     <query>
       | mstats 
       max("spl.sc4syslog.center.received.processed")
-      max("spl.sc4syslog.source.processed")
       max("spl.sc4syslog.dst.dropped")
       max("spl.sc4syslog.dst.queued")
       prestats=true
@@ -19,8 +18,7 @@
   </search>
   <search id="baseEventsSearch">
     <query>
-    index=* sc4s_container=$sc4s_instance$ 
-    | stats count by _time index sc4s_tags
+    index=* sc4s_container=$sc4s_instance$
     </query>
     <earliest>$time_range.earliest$</earliest>
     <latest>$time_range.latest$</latest>
@@ -76,7 +74,7 @@
       <chart>
         <search base="baseMetricsSearch">
           <query>
-            | timechart max("spl.sc4syslog.source.processed") span=$span$ useother=false BY sc4s_container
+            | timechart max("spl.sc4syslog.center.received.processed") span=$span$ useother=false BY sc4s_container
             WHERE max in top1000
             | fields - _span*
           </query>
@@ -241,15 +239,6 @@
         <h2>
         Messages' metrics
         </h2>
-        <p>
-            <b>Received</b>: if SC4S receives N events, the chart should return a value of N + 1 for given 30 seconds span.
-        </p>
-        <p>
-            <b>Queued</b>: increases temporarily in case of a connection loss to Splunk or increased system load.
-        </p>
-        <p>
-            <b>Dropped</b>: temporarily rises during periods where system load exceeds capacity. This number doesn't include messages dropped on the OS level, for example, from the UDP port buffer.
-        </p>
         <p>The delta is negative at the moment of instance restart.</p>
       </html>
     </panel>
@@ -261,13 +250,14 @@
           <query>
             | search sc4s_container=$sc4s_instance$
             | timechart
-            max("spl.sc4syslog.center.received.processed") AS received
-            max("spl.sc4syslog.dst.dropped") AS dropped 
+            max("spl.sc4syslog.center.received.processed") AS received_cumulative_sum
+            max("spl.sc4syslog.dst.dropped") AS dropped_cumulative_sum
             max("spl.sc4syslog.dst.queued") AS queued
             span=$span$
-            | delta received as received
-            | delta dropped as dropped
-            | fields - _span*
+            | delta received_cumulative_sum as received
+            | delta dropped_cumulative_sum as dropped
+            | where not (received_cumulative_sum == received AND dropped_cumulative_sum == dropped)
+            | fields - _span* received_cumulative_sum dropped_cumulative_sum
           </query>
         </search>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
@@ -401,8 +391,13 @@
     <panel>
       <title>Data parsers</title>
       <chart>
-        <search base="baseEventsSearch">
-          <query>| eval tags=split(sc4s_tags,"|") | mvexpand tags | search tags=".app.*" | timechart count by tags</query>
+        <search>
+          <query>
+          index=* sc4s_container=$sc4s_instance$ | eval tags=split(sc4s_tags,"|") | mvexpand tags | search tags=".app.*" | timechart count by tags
+          </query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+          <sampleRatio>1</sampleRatio>
         </search>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
         <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
@@ -442,8 +437,13 @@
     <panel>
       <title>Tags</title>
       <table>
-        <search base="baseEventsSearch">
-          <query>| eval tags=split(sc4s_tags,"|") | mvexpand tags | chart count by tags</query>
+        <search>
+          <query>
+          index=* sc4s_container=$sc4s_instance$ | eval tags=split(sc4s_tags,"|") | mvexpand tags | chart count by tags
+          </query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+          <sampleRatio>1</sampleRatio>
         </search>
         <option name="drilldown">none</option>
       </table>