SPLK-1002 Splunk Core Certified Power User – Splunk Inbuilt & Advanced Visualizations Part 5

  1. Rest of the Default Visualizations in Splunk

Go back to Select Visualization next to your search and choose Filler Gauge. As you can see, the limit we set for our radial gauge, from zero to 400, still applies, so the value sits within the blue range. We can change the colors in a similar fashion: go to Format Visualization > Color Ranges and choose whichever colors you like.

This gives you the filler gauge's ranges. If you want to change a range, you can edit it; if you want to delete a range, you can delete it. As you can see, the visualization changes as you customize it. So that is our filler gauge. Now let us look at the marker gauge. The marker gauge is similar to the filler gauge, but it has a marker that moves continuously along with your event value.

We have close to 105,000 events, so the marker is between 80 and 120. This gives us a visualization that can be used in some use cases, depending on the criteria. These are the three gauges available as part of a single value visualization. For the single value visualization, let's say I need to change the background color or the color of the value. Go to Format Visualization > Color, where you can set the color options as required.

Say 0 to 100k should be green and 100k to 200k should be orange. As you can see, the background color has already changed, and anything greater than that is red. If you only want to change the text color, select the color mode below Format Visualization, which changes the colors accordingly. This is how you visualize a radial, filler or marker gauge. Now, in the same edit mode, let us see some more examples: the bar chart, column chart and pie chart.

As you can see, this is a bar chart, where the values are represented on x and y axes. If I want to convert this to a column chart, I select Visualization and choose the column chart option; the same values are now represented on swapped axes. Similarly, if I want this to be a pie chart, I select pie chart, so the visualization suits whichever form the user selects for the same data. So these are some of the common visualizations, and some of the rarely used ones that add more value depending on the scenario in which you use them.

This is a scatter chart which displays the count against the status code. Most responses are 200, which shows our environment is in good health, and we also see a number of 404s and 401s, which are a sign of concern. As you can see, the concern is somewhat smaller compared to the healthy part of our environment, which seems to be within acceptable limits. Next is a typical representation of a bubble chart, where the size of each bubble represents the quantity and the position of the bubble also represents the value.

It also shows how each value differs from the lowest available values. The next visualization in our discussion is the line and area chart. As you can see, these are some of the statistics for our tutorial data. Since our tutorial data is not continuous, we have events only from July 9 to July 15. Starting from July 8 we have one week of data, and after that there is nothing. So if you are expecting an outage or investigating an outage, this should give you a clear picture of which services were up or down, and you can choose a line chart to better represent the downtime window.

In this scenario you can change the line chart to an area chart by choosing the Select Visualization option. These two are like synonyms; use whichever you are comfortable with or whichever you feel adds more value to the current situation. Similarly, we have one more chart, the scatter chart. This is similar to your bar or column chart, except that the values are plotted as scattered points: even though values exist for every point in time, they are scattered based on the quantity rather than drawn as a full line.

The next one is geolocation, which is widely used for locating visitors, troublesome IPs or threat attack sources, advertisement campaigns and the user base. It can be used in many scenarios depending on the use case you are working on. The only requirement is that you have geolocation information in your logs, that is latitude and longitude, or a public IP address which can be resolved into latitude and longitude.

So these are some of the inbuilt visualizations that ship with Splunk. In our more advanced tutorials we will see how to add our own custom visualizations, such as a traffic flow or a user journey, how such continuous-flow graphs can be added, and how much more customization can be done in dashboards.

  2. Editing XML for Dashboards

In this video we will see how to edit a dashboard using XML, that is, the dashboard source. To edit a dashboard or create a panel using XML, we need to understand a few elements: the row element, how tokens are used inside a dashboard, the panel element, and the option elements that each panel holds. We'll see all of these while editing the XML. For the demonstration, we'll look at one of the dashboards we created in our previous videos.

I'll go to Dashboards on our search head and click on demo. That is the dashboard we created in our initial dashboard video. As you can see, there are multiple panels, multiple filters, and a lot of token usage in this dashboard, so it is a good fit for understanding how to edit the XML. Let me get into edit mode of my dashboard and go to its Source. This is how a typical dashboard XML looks. Let me copy it into an editor where I can collapse it by tag. As you can see, this is the XML we have.

So we have a form tag which encloses everything inside the dashboard; that is our parent tag. Inside it there is a fieldset. This holds your submit button, which does nothing but resubmit: whenever there is a change in the value of these fields, I edit a field, click Submit, and the dashboard reloads. That is how the fields and the submit button inside the fieldset tag work. Similarly, the time picker is enclosed under an input tag. We have one input for time, one for the text box and one for the dropdown, so we have three input tags in the XML.

These are all filters. The filters are enclosed under the fieldset together with the submit button, so that any change in these inputs followed by a click on Submit reloads the entire dashboard. The next element in our XML is the row element, which represents that these three panels sit in a single row. Inside a row element there can be multiple panels. This is our first panel, the column chart example. The title tag is the panel title, the title of our first panel, and the query tag holds the complete query that was used to generate this visualization or statistics. In our first row we have three panel tags: one, two and three.

So these are the three panels enclosed in our row tag. Look at one panel: it holds the title, and the chart tag is the one that defines what colors it uses, how the scaling is defined, whether linear or logarithmic, and how the fields are displayed. In the XML you get more editing options than are visible in the UI, and you can see and override all of this configuration while editing the XML.

Let's go back to our XML. As you can see, these are the options of the chart tag. They define how the x axis looks, how the y axis looks, what title it holds, whether it is visible or not, and which kind of chart it is. All of this is held in the option elements of the chart tag. The chart tag also holds your search tag, which contains the complete query and the time range taken from the token. Whenever you see a variable enclosed in double dollar signs inside the XML, it is getting its value from tokens or from other dashboards.

  3. Adding a Panel by Editing XML

So always keep in mind: whenever you see a variable enclosed in dollar signs, it is getting its value from somewhere else, either a filter or a drilldown value. That covers the search tag. The option elements are part of your chart, and all the charting, including color, size, scale, logarithmic axes, the x and y axes, what they define and what the values of the columns should be, is defined under these options. There are thousands of options depending on the type of chart, so you can go through them one by one whenever necessary.

Usually you can control most of these, or the ones you need, from Splunk Web under Select Visualization and Format Visualization, which expose the same settings you customize with the chart option tags in the XML. So that many options are set for our column chart. Moving on, we have a drilldown tag, which shows whether drilldown is enabled for the chart, which link it redirects to, and what value it carries over from the drilldown.

We know that in Edit Drilldown you enter form values based on whichever criteria you choose from the available options. Those options are recorded in the XML, so if you ever forget what you configured, you can check either Edit Drilldown or the XML. $click.value$ is the value passed from this dashboard to the next dashboard; this is the drilldown information. The drilldown, the options and the search tag together complete our chart tag. The panel includes the title, the chart, the search and the drilldown options, so one panel holds several pieces of information, and the other panels are similar. The next element up is the row element: one row can have multiple panels or a single panel tag. This should cover all the XML edits, including all the kinds of tags we have.

Where there are multiple rows, there will be multiple row tags. As you can see, we have three rows: one containing three panels and the other two containing one panel each. One, two, three: inside the first we have three panels, and inside the other two we have one panel each. The form is the outermost element of the XML, enclosing the row, fieldset and panel tags. Let's say you want to add a new panel. I'll copy this entire panel, from the opening panel tag to the closing panel tag, and add it under another row.

I'll collapse this and add it under the second row. So let's see what happens when we reload our dashboard. We have added a second panel to our second row. This is our first row, this is our second row. I'll copy the entire XML, go to our dashboard, go to Source and replace the XML. You can click Save, or to be safer click Save As (for example as "xml Edit"), so that once everything is fine you can either disable or delete the old dashboard. Let me go to the UI and see the panel I created by editing the XML. As you can see, we have copied this panel and added it to our second row. Instead of going through Edit Panel, Add Panel, New Pie Chart and all that circus, we edited the XML directly to add the panel to the dashboard.
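As an added example (not the course's own dashboard or code), the structure described in these two sections is embedded as constructed Simple XML, and the copy-a-panel-into-another-row edit is reproduced with Python's standard XML parser; the token names (time_tok, host_tok, status_tok) and the drilldown link path are assumptions.

```python
import copy
import re
import xml.etree.ElementTree as ET

# Constructed Simple XML modelled on the demo dashboard discussed in the text: <form>
# is the parent, <fieldset> holds the inputs, each <row> holds <panel>s. The token
# names (time_tok, host_tok, status_tok) and the drilldown path are assumptions.
DASHBOARD_XML = """<form>
  <fieldset submitButton="true">
    <input type="time" token="time_tok"><default><earliest>-24h</earliest><latest>now</latest></default></input>
    <input type="text" token="host_tok"><default>*</default></input>
    <input type="dropdown" token="status_tok"><choice value="*">All</choice><default>*</default></input>
  </fieldset>
  <row>
    <panel>
      <title>Column chart example</title>
      <chart>
        <search>
          <query>index=main host=$host_tok$ status=$status_tok$ | stats count by status</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisY.scale">linear</option>
        <drilldown>
          <link>/app/search/status_detail?form.status_tok=$click.value$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel><title>Trend</title><chart><search><query>index=main | timechart count</query></search></chart></panel>
  </row>
</form>"""

TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")

def copy_panel(xml_text, src_row, src_panel, dst_row):
    """Reproduce the manual edit: copy one <panel> and append it to another <row>.
    Indices are zero-based. Returns (new_xml, panel count per row)."""
    root = ET.fromstring(xml_text)
    rows = root.findall("row")
    rows[dst_row].append(copy.deepcopy(rows[src_row].findall("panel")[src_panel]))
    return ET.tostring(root, encoding="unicode"), [len(r.findall("panel")) for r in rows]

def find_tokens(xml_text):
    """List every $token$ reference, so you can see which values come from the form
    inputs and which from the drilldown value ($click.value$) the text describes."""
    return sorted(set(TOKEN_RE.findall(xml_text)))
```

Paste the returned XML into the dashboard's Source view (or Save As a copy) to get the same result as the manual edit above.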

  4. Out-of-the-Box Dashboard Examples

To learn more about visualization in Splunk, we need to know which dashboards are available and how out-of-the-box visualizations can be accommodated inside Splunk. For that we have an app called Splunk Dashboard Examples, which contains many built-in examples with their queries and shows how you can customize these built-in visualizations into much more complex ones; we will see this in our lab. We have installed this app for this discussion. We'll go through the visualizations, how to include our own custom JavaScript and CSS in a visualization, and how to choose any of the visualizations already present and use them in our dashboards.

So let us go into our lab. This is the search head where we have installed the Dashboard Examples app. Let's get inside the app. This Dashboard Examples app will also be part of your lab exercise, where it is installed automatically when you get access, so that you can explore more visualizations, rerun those search queries, create your own by uploading your data, and explore more in our lab environment, which is built on top of Amazon AWS. Here are some of the basic elements. It says this is our Splunk Dashboard Examples app, installed on our search head.

It lists the basic elements: the chart element, table, auto-create table, single values, map elements, the event viewer to see raw events, and our own HTML source. Let us see these dashboards one by one so that we can then move on to the charting elements. We got a small warning saying we have exceeded concurrent searches, but it's okay, it should still load. These are some of the chart elements available in the Dashboard Examples app. If you want to view the source, click on Search to see the search query that populates the visualization, and you'll always find a short description and the XML content of what the dashboard contains.

So this is a good starting point to understand the visualizations and what is possible. In Splunk we will see some more of them: the table, how to display a table of results, and how a single value can be visualized. As we can see, there is a small text label on top, and below it an arrow mark or a small trend line running below the value. A lot of information can be indicated as part of your visualizations; it is all possible, it's a matter of customization. These are some of the map elements, where you can customize the theme and how it should look; these are the default visualizations that are available. And if you know a bit of CSS, you can write your own CSS to fill in these colors. These are some of the event viewer examples: you can display the raw events, that is, your logs as they are without any added value.

Or you can display them as tabulated values, showing what each field in your logs contains. And you can create your own text displays using HTML. All you have to do is edit an HTML element, that is an html tag, and enter whatever text you want to display on the dashboard; it will be displayed as instructions or documentation.

So these are some of the examples. If you go to the charting elements, there are many more options: stacked charts, line charts, and the new trellis layout. Trellis is only available from version 6; in previous versions it was not available. We have seen some gauges previously, and Chart Color Options shows how to change the colors of a chart, as in the previous video.

We have covered the option tags. One of the options is the color element, which defines the chart colors. These are some more tabular columns; they are quite cool, because you get a small visualization warning or clear signal stating the same thing. As you can see, it has categories split by invalid merchant, invalid transaction, issuer unavailable and lost card pickup; this is a use case drawn from the credit card industry.