
SPLK-1003 Splunk Enterprise Certified Admin – Splunk Inbuilt & Advanced Visualizations Part 4

  1. Rest of the default Visualization in Splunk

Go back to Select Visualization, next to your search icon, and choose Filler Gauge. As you can see, the limits we set as part of our radial gauge, from zero to 400, still apply, so the value falls within our range of blue. We can change the colors in a similar fashion: choose Format Visualization, then Color Ranges, and pick whichever colors you would like. This gives you the gauge's ranges: if you want to change a range, you can set it, and if you want to delete a range, you can delete it. As you can see, the visualization changes as per your customization. So that is our filler gauge. Now let us see our marker gauge. The marker gauge is somewhat similar to the filler gauge, but it has a marker that continuously moves along with your event value. We have close to 10 5000 events so it is in between 80 and 120. It gives us a visualization which can be used in some use cases, depending upon the criteria.

These are the three gauges which can be part of your single value visualization. For the single value visualization, let's say I need to change the background color, or the color of the value. Go to Format Visualization and open the Color option, where you can set your color options as required. Say zero to 100K should be green and 100 to 200K should be orange. As you can see, the background color has already changed; anything greater than that is red. If you want to change just the text color, select the color mode below it in Format Visualization, which changes the colors accordingly.

This is how you visualize a radial, filler or marker gauge. Now, in the same edit mode, let us see some more examples: the bar chart, column chart and pie chart. As you can see, this is a bar chart, where the values are represented with the help of the x and y axes. If I want to convert this to a column chart, select Visualization. Choose the bar chart option. As you can see, the same values are represented on different axes. Similarly, if I want this to be a pie chart, I can select pie chart, so that the same data is shown in whichever visualization the user selects. These are some of the common visualizations, along with some rarely used ones which add more value depending on the scenario where you are using them. This is a scatter chart, which displays the count with respect to the status code. There are more 200s, which shows our environment is in good health, and we see a lot of 404s and 401s, which are a sign of concern.

As you can see, the concern is a little smaller compared to our environment health, which seems to be okay and within acceptable limits. This is a typical representation of a bubble chart, where the size of the bubble represents the quantity and the position of the bubble represents how far the value differs from the least available values. The next visualizations in our discussion are the line and area charts. As you can see, these are some of the statistics for our tutorial data. Since our tutorial data is not continuous, we have events just from July 9 to July 15. Starting from July 8 we have one week of data; after that there is nothing else. So if you are expecting an outage, or investigating an outage situation, these charts should give you a clear picture of which services were up or down.

So you can choose a line chart to better represent the downtime window. In this scenario you can change the line graph to an area chart by choosing the Select Visualization option. These two are like synonyms: you can use whichever you are comfortable with, or whichever you feel adds more value to the current situation. Similarly, we have one more chart, the scatter chart. This is similar to your bar or column chart, except that the values are represented as scattered points. That is, even though all the values exist for that time, they are scattered based on the quantity rather than drawn as a full line. The next one is geolocation, which is widely used for locating visitors, troublesome IPs or threat IP attack sources, advertisement campaigns and the user base. It can be used in many scenarios, depending upon the use case you are working on. The only requirement is that you have geolocation information as part of your logs, that is, latitude and longitude information in the log fields, or a public IP address which can be resolved into latitude and longitude information. These are some of the inbuilt visualizations which are part of Splunk. In our more advanced tutorials we will see how we can add our own custom visualizations, like a traffic flow or user journey behavior, how these kinds of graphs with continuous flow can be added, and how much more customization can be done as part of dashboards.

  1. Editing XML for Dashboards

In this video we will see how to edit a dashboard using XML, that is, the dashboard source. In order to edit a dashboard or create a panel using XML, we need to understand a couple of elements which are required for editing a dashboard: the row elements, how tokens are used inside a dashboard, and the panel elements. Each panel element will have multiple option elements. We'll see all these elements as part of our XML editing. For the demonstration, we'll be looking at one of the dashboards that we created in our previous videos. I'll go to Dashboards on our search head and click on demo.

That is the dashboard we created as part of our initial dashboard understanding video. As you can see, there are multiple panels, multiple filters, and a lot of token usage in this dashboard, so it is a good fit for understanding how to edit XML. Let me get into the edit mode of my dashboard and go to the source of this dashboard. This is how a typical dashboard XML looks. Let me copy this to where I can collapse it based on the tags. As you can see, this is the XML we have. We have a form tag which encloses everything inside the dashboard. That is our parent tag. There is a fieldset. This is for your submit button. It does nothing but resubmit: whenever there is a change in the value of these fields, say I've edited some field, and I click on submit, the dashboard reloads. This is how these fields and the fieldset tag with its submit button work. This is our submit button. Similarly, this is our time input, enclosed under an input tag. As you can see, we have one for time, one for the text box and one for the drop-down. So we have three XML tags starting with input.

These are all filters. Once the filters are set, they are enclosed under the fieldset, which includes our submit button, so that after any change in these inputs and a click on submit, the entire dashboard reloads. The next element in our XML is the row element. This is the row element, and it represents that these three panels are in a single row. Inside a row element there can be multiple panels. This is our first panel, the column chart example. As you can see, this is the panel title, the title of our first panel, and query is the tag which holds the complete query that has been used to generate this visualization or statistics. In our first row, we have three panel tags: one, two and three.

These are the three panels which are enclosed as part of our row tag. Let us look at one panel. It holds the title, and the chart tag is the one which represents what colors it uses, how the scaling is defined, whether it is a linear or logarithmic scale, and how the fields are displayed. In XML you get more editing options, which are less visible in the plain UI, and you can see all of these options while editing the XML, where you can overwrite all this configuration. Let's go back to our XML. As you can see, these are the options of a chart tag. The options represent how the x axis looks, how the y axis looks, what title it holds, whether it's visible or not, and which kind of chart it supports. All this information is part of the options in the chart tag. The chart tag also holds your search tag, which holds the complete query and the time range, which is taken from the token. Whenever you see a variable inside the XML enclosed in dollar signs on both sides, that means it is getting its value from tokens or other dashboards.
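The structure walked through above (form, fieldset with inputs, row, panel, chart, search, options and tokens), written out as an added example that is not the source of the demo dashboard in the video. The index, sourcetype, token names and option values are assumptions chosen for illustration.

```xml
<!-- Added example: index, sourcetype and token names are assumed -->
<form>
  <label>demo</label>
  <!-- fieldset holds the inputs (filters) and the submit button -->
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time_tok">
      <label>Time</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="host_tok">
      <label>Host</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="status_tok">
      <label>Status</label>
      <choice value="*">All</choice>
      <choice value="200">200</choice>
      <choice value="404">404</choice>
      <default>*</default>
    </input>
  </fieldset>
  <!-- one row element per dashboard row; a row holds one or more panels -->
  <row>
    <panel>
      <title>Column chart example</title>
      <chart>
        <search>
          <!-- $...$ values come from the inputs above; the |s token filter
               wraps the free-text value in quotes before it reaches the search -->
          <query>index=main sourcetype=access_combined_wcookie host=$host_tok|s$ status=$status_tok$ | stats count by status</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">Events</option>
      </chart>
    </panel>
  </row>
</form>
```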

  1. Adding Panel by Editing XML

So always keep in mind: whenever you see a variable enclosed in dollar signs, it is getting its value from somewhere else, either from a filter or from a drilldown value. That covers our search tag. The option tags are part of your chart: all the charting settings, including color, size, linear or logarithmic scale, the x axis, the y axis, what they should show and what the values of the columns should be. Everything is defined under these options. There are thousands of options depending on the type of the chart, so you can go through them one by one whenever it is necessary. Usually you can control most of them, or at least the ones you need, from Splunk Web under Select Visualization and Format Visualization, which gives you the same settings that you can customize using XML in the chart option tags. So these are the options that are set for our column chart.

Moving on, we have a drilldown tag, which shows whether the chart is enabled for drilldown or not and, if it is enabled, which link it redirects to as part of the drilldown and what value it carries over from the drilldown. We know that in Edit Drilldown you enter form values based on the criteria you choose from the available options. These options are recorded in the XML, so that if you ever forget which option you set, you can check either via Edit Drilldown or in your XML. `click.value` is the value that is being passed from this dashboard to the next dashboard. The drilldown tag contains the drilldown information, and the drilldown, along with the options and the search tag, completes our chart tag. The panel includes the title, chart, search, drilldown and options, all of this information. So one panel holds multiple pieces of information, as do the other panels. The next is the row element.

One row can have multiple panel tags or a single panel tag. This should cover most XML edits, including all the kinds of tags that we have. If there are multiple rows, there will be multiple row tags. As you can see, we have three rows, one containing three panels and the other two containing individual panels. As you can see: one, two, three. Inside this one we have three panels; inside the other two we have two panels. The form is the complete element of the XML, which encloses the row tags, column tag, fieldset and panel tags. Let's say you want to add a new panel. I'll copy this entire panel and add it under another row. I'll copy from the opening panel tag to the closing panel tag, collapse this, and add it under the second row.

So let's see what happens when we reload our dashboard. We have added the second panel as part of our second row. This is our first row and this is our second row. I'll copy the entire XML, go to our dashboards, go to the source and replace the XML there. You can click Save or, to be on the safer side, click Save As and name it XML Edit, so that once everything is fine you can either disable or delete the older dashboards. Let me go to the UI and see the newly created panel from my XML edit. As you can see, we have copied this panel and added it here as part of our second row using the XML edit. Instead of going through Edit Panel, Add Panel, New Pie Chart and all that circus, we have edited our XML directly, so that the panel is added straight into the dashboard.
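What the second row looks like after the copy-and-paste edit, as an added example that is not the demo dashboard's own source. The queries, token names, the existing pie chart panel and the `demo_detail` drilldown target are assumptions made for illustration.

```xml
<!-- Added example; panel contents and the demo_detail target are assumed -->
<row>
  <!-- the panel that was already in the second row -->
  <panel>
    <title>Pie chart example</title>
    <chart>
      <search>
        <query>index=main sourcetype=access_combined_wcookie | stats count by action</query>
        <earliest>$time_tok.earliest$</earliest>
        <latest>$time_tok.latest$</latest>
      </search>
      <option name="charting.chart">pie</option>
    </chart>
  </panel>
  <!-- pasted copy of a first-row panel: everything from <panel> to </panel>.
       If the copied panel or its search carries an id attribute, give the
       copy a new one, because ids must be unique within a dashboard. -->
  <panel>
    <title>Column chart example</title>
    <chart>
      <search>
        <query>index=main sourcetype=access_combined_wcookie | stats count by status</query>
        <earliest>$time_tok.earliest$</earliest>
        <latest>$time_tok.latest$</latest>
      </search>
      <option name="charting.chart">column</option>
      <option name="charting.drilldown">all</option>
      <!-- click.value is the clicked x-axis value; |u URL-encodes it
           before it is placed in the target dashboard's URL -->
      <drilldown>
        <link target="_blank">/app/search/demo_detail?form.status_tok=$click.value|u$</link>
      </drilldown>
    </chart>
  </panel>
</row>
```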