DashboardS

in Splunk 6.x








by Satoshi Kawasaki
from Splunk Professional Services

Contents

When to use dashboards
Steps 1-2-3 of creating
Simple XML
Tokens
User interactions
Javascript and CSS
SplunkJS
Performance + Tradeoffs
Django and JavascriptSDK

When to use dashboards

Frequently used searches (reports)
Investigation (auditing)
Patterns and trends
(Manual) alerts

STOP! Download these 3 reference apps:

steps 1-2-3 of creating

Step 1. Create a search (hardcode values)
Step 2. Configure visualization
Step 3. "Save As Dashboard Panel"

Simple XML

<dashboard>
<form>
<row>
<chart>, <table>, <event>, <single>, <map>, ...
<option name="...">
<fieldset> (only for <form>)
<input type="text|dropdown|radio|time|checkbox|...">

Know the following attributes well:
<fieldset autoRun="true" submitButton="false">
<input type="..." searchWhenChanged="true">

Tokens

$foo$, $bar$, $my_variable$
Literal string replacement
Can be used (almost) anywhere! Be creative!

index=foo sourcetype=bar host=$host$
$host$: my_server_1|my_server_2|...

... | timechart span=$span$ $metric$($what$) by $group$
$span$: auto|1m|30m|2d|...
$metric$: avg|max|dc|sum|p85|...
$what$: cpu|disk|mem|...
$group$: host|sourcetype|region|user|... 

TOKENS

Doesn't always have to be in the form of foo=$foo$ format

index=foo sourcetype=bar $user$
$user$: user=hobbes3|user!=hobbes3|user=*

<option name="charting.axisY.scale">$y_axis$</option>
$y_axis$: linear|log

May need to surround the token with quotes
index=_internal name="$name$"
$name$: Satoshi Kawasaki|h4x0r-4evar

USer INTERACTIONs

Inputs
Drilldowns
Hiding/showing elements
Modifying visualizations
Popups/Dialogue boxes
Redirects
Anything Javascript!

Javascript and Css

<form script="bar.js, foo.js" stylesheet="my_style.css">

<my_app>/appserver/static/
New files require a restart

Modify elemens and tokens
Custom visualizations
Anything Javascript

Learn how to use (Chrome) Developer Tools

SplunKJS

RequireJS, Backbone.js, jQuery, Underscore.js

web.conf:
[settings]
minify_js = false
minify_css = false

RequireJS:
splunkjs/mvc
splunkjs/mvc/simplexml/ready!

autodiscover.js

SpluNkJS

Tokens
unsubmitted (default) and submitted
URL/perma-linking: foo vs form.foo

How to modify a token with SplunkJS
<input type="text" token="foo"/>

Hide <input> with jQuery
Set the form.foo token, which also sets unsubmitted
Submit the token
Update the URL with form.foo

SplunkJS

<chart id="my_chart_id">
var myChartView = mvc.Components.get("my_chart_id");
myChartView.on("click", function(e) { ... });

var mySearch = SearchManager({ search: "index=foo", id: "my_search" }, { tokens: true });

var service = mvc.createService();
service.oneshotSearch("index=foo", {id: "my_search"}, function(err, results) { ... });

Performance and tradeoffs

Users opening multiple dashboard will create multiple search jobs

Using saved searches for "static" dashboards
Instant load, but delayed and can't use tokens

Create dashboards based off accelerated DMs
Better to use tstats than pivot

Django and JavascriptSDK

Create a page from "scratch" with Django templates


JavascriptSDK
Modify Splunk objects like users, apps, conf files, etc.

Dashboards in Splunk 6.x

By Polkan

Source: hobbes3

Dashboards in Splunk 6.x

  • 1,253

More from Polkan