SPLK-1003 Splunk Enterprise Certified Admin – Splunk Post Installation Activities : Knowledge Objects Part 6

  1. Editing Splunk Alerts and Alert Actions

So once we have created an alert, if you want to see where your alerts are located, go to the Alerts tab at any moment. You can edit these alerts from there. As you can see, this is our only alert that has been created so far. Click on its name, Status, and you can edit at any time what actions should be taken, and you can see the search query. By choosing Open in Search, you’ll be able to see the actual search query behind the alert condition that was triggered. Similarly, if you don’t want this alert any further, you can go ahead and disable it. As you can see, the present status is Enabled; if you don’t want this alert, you can disable it here.

And if you want to change this from real time to scheduled, make sure you run it frequently, since it’s an error alert. If it is a periodic reporting kind of thing, you can run it every hour just to have a view of what is happening; for a lower-priority event you can schedule it to run every hour at 15 minutes past. That way it will run every hour at the 15th minute: 1:15, 2:15, 3:15 and so on. If you choose 30 minutes, it will be 1:30, 2:30 and so on. So you can choose it that way, or you can choose a cron schedule.

If you are familiar with cron, let’s say I need to run this alert every 15 minutes. Then I’ll enter `*/15 * * * *`. Make sure you have five values with a space between them; each one represents one field of the schedule, from the minute upwards. Let me know if you need more details about cron; I’ll be able to help you in our discussion section. For now, I’ll cancel this and keep it as a real-time alert.

Now, to summarize, we have learned how to create an alert, how to share it and how to add actions. Each alert can have multiple actions. Let’s say I have one action for this alert, such as Send email; I can add one more action to add it to Triggered Alerts. While we are adding the new action, we can choose the priority, high or low, based on our present condition. Similarly, you can add another action to run a script and provide the script name, a dummy script name for now, because as of now we don’t have any scripts created. These scripts should be present in the bin directory of your Search app, that is /opt/splunk/etc/apps/search/bin/scripts, where you place your script.sh, or script.py if it is Python. Every time this alert is triggered, that script will be invoked to take the next actions.
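As an added example (not code from the course or from Splunk), here is the kind of script you would drop into that scripts directory. It parses the positional arguments Splunk passes to a scripted alert action, reads the gzipped CSV of triggering events, and emits one audit record per trigger; `write_sample_results` only builds a constructed input so the script can be exercised offline.

```python
"""Scripted alert action for Splunk (added example; not course or Splunk code).
Splunk runs scripts from $SPLUNK_HOME/etc/apps/search/bin/scripts with fixed
positional arguments (ARG_NAMES below); argv[8] is a gzipped CSV of results.
Argument values and result rows carry log-derived text, so they are treated
as data here and never handed to a shell.
"""
import csv
import gzip
import json
import os
import sys
import tempfile

# argv[1]..argv[8] in the order Splunk supplies them; argv[7] is unused.
ARG_NAMES = ("event_count", "search_terms", "query", "search_name",
             "trigger_reason", "results_url", "_unused", "results_file")

def parse_alert_args(argv):
    """Map Splunk's positional arguments to a dict; fail loudly if short."""
    if len(argv) < 9:
        raise ValueError("expected 8 arguments from Splunk, got %d" % (len(argv) - 1))
    args = dict(zip(ARG_NAMES, argv[1:9]))
    args["event_count"] = int(args["event_count"])
    return args

def load_results(path):
    """Read the gzipped CSV of triggering events handed over in argv[8]."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))

def summarise(args, rows):
    """Count triggering events per clientip, the field used in this course."""
    per_ip = {}
    for row in rows:
        ip = row.get("clientip", "<none>")
        per_ip[ip] = per_ip.get(ip, 0) + 1
    return {"search": args["search_name"], "reason": args["trigger_reason"],
            "events": args["event_count"], "clientips": per_ip}

def write_sample_results():
    """Write a constructed results.csv.gz (sample data, not real Splunk output)."""
    rows = [{"_time": "2024-03-05T01:15:00", "clientip": "203.0.113.5", "status": "500"},
            {"_time": "2024-03-05T01:15:02", "clientip": "203.0.113.5", "status": "503"},
            {"_time": "2024-03-05T01:15:04", "clientip": "198.51.100.7", "status": "500"}]
    fd, path = tempfile.mkstemp(suffix=".csv.gz")
    os.close(fd)
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0]))
        writer.writeheader()
        writer.writerows(rows)
    return path

def main(argv):
    args = parse_alert_args(argv)
    record = summarise(args, load_results(args["results_file"]))
    # One JSON line per trigger; stdout is a simple audit trail for the demo.
    print(json.dumps(record, sort_keys=True))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```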

  2. Creating Splunk Reports

From our previous discussion, we know by now how to create an alert in Splunk and which actions can be enabled as part of alerting. Just to add a note on alerting: there are other add-ons for Splunk where you can get alerts by SMS or as a push notification. We will see this when we discuss the Splunk mobile app. To continue from where we left off in our previous lecture, creating an alert, we’ll now see how to create a report in Splunk. Before creating a report, make sure you have a specific criterion or use case defined for reporting every day, every week or over some specific period of time.

The next step before creating a report is deciding what the action should be: whether it should send an email, write the results to a lookup file, or execute a script after the report has been generated. You need to be aware of what actions follow once the report has been generated. Next is report acceleration; we’ll come to this while creating our report, to explain how acceleration works. Next is whether we want to embed our report in any third-party application, and we’ll see how to do that, and then the permissions for this report’s visibility, as for any other object in Splunk. We’ll see how to set the permissions for this report, and also how to email it as a PDF or export it as a PDF. Now let us see in our lab how we can set up our report. Is our search head up? Seems like it is up. Are we logged in? Let me refresh. Yes, our Splunk is up and we are logged in successfully.

Let us create a scenario where we need a report. Since we have our tutorial data, with lots of visitors to our site, let’s say I need the top ten visitors, that is, the IP addresses from which my site has been accessed in the last month. To do that, let us create a query. We know from our previous discussions that all the access logs are in index=main and the source type for my access log is access_combined_wcookie. That is the name. There is a field in our log; let me show it over the last 30 days. It is called clientip, which represents the IP of the end customers or visitors accessing my site. I’ll write a simple query to get that information: top clientip.

Let us say this is the report that was requested to be sent or generated every month as part of this use case. So here we are generating the top clientip for every month, that is, in the last 30 days this was the most frequent visitor, or IP address, for our site. If you want more information, we can enrich this by adding geographical location. I’ll get the geolocation using the iplocation command on clientip and add the Country, City and Region fields, so that we have more information in our report. It is also easier to understand: this IP, which is from the UK, is the most frequent visitor in the last 30 days, followed by China and the United States and so on. We can consider this the most active user on our site. So I need a report every month, at the beginning of the month. Let’s see how we can create that.

  3. Splunk Report Scheduling and Accelerating Reports

So we have finalized our query. Go to Save As > Report, and here you can give a title, let us say Active users in a month, and a description, last 30 days. We’ll include the time range, because when we are scheduling this it will be useful if we want to change our time period. I’ve saved the report successfully. Your report has been created and you can change many parameters or features of this report. Before that, we’ll click View; all our reports are under the Reports tab. This is our newly created report. Let’s explore some of the options.

At present we have a statistics view of the report. If you want, we can change it to some other view, but for simplicity let us leave it as it is and see the other features. This is the report that we have created. We can open it in Search (we know the query by now), and if you want to modify the description you can edit it. Under Edit Permissions we’ll make it global and editable only by admin and power users. And we’ll schedule this to run every month on the first day, early in the morning at 09:00. This will make sure that every month it runs on the first day of the new month, around 09:00 in the morning.

And if you want to set the time range to the previous month, we can set that, or we can leave it as the last 30 days. Let us make this our highest priority. If you want a schedule window, let’s say I have a window of five to ten minutes for this execution; it doesn’t need to execute exactly at 09:00. It can run at 9:05 or 8:55. You can choose this five-minute window so that it will be executed around that time. We’ll click Next and you’ll get the option for the email action. If you click on email, this is similar to what we have seen in alerting: To, followed by subject, message and description, and whether to attach it as a PDF or as inline results. Let us attach it as a PDF, and you can give your email ID so that these reports will be sent to your email. You can also run a script so that the necessary actions are taken. Since it is a report, and mostly informational, we can write these results to a CSV file.

As of now even this is not necessary, but in some cases it might be necessary to write it to a CSV file so that you can use it at a later stage. I’ll click Save. Once this has been saved you will not be able to see the results, because this scheduled report runs only on a monthly basis on a particular date, and its time range is the last 30 days. It gives you a brief description of what it does. So until it has run, you will not be able to see the results. That is our scheduling part; the next part is acceleration. What is acceleration? Acceleration can best be described as a pre-run report or dashboard. In future we’ll see dashboard acceleration too; it is something like pre-running, so that before you load the dashboard, Splunk in the background is consistently running the searches on new data and accelerating your searches, so that whenever you open this report or dashboard you get the latest information.

When we enable acceleration of a report, it asks what the summary range should be; we’ll give it last three months. So a summary of three months of data will be stored on your search head, so that whenever you summarize your data for the last three months, or want to fetch this report for the last three months of data, we’ll get it faster rather than searching the whole index for the last three months. So that is acceleration.

  4. Embedding Reports in External Applications

The next option is Disable. If we don’t want this alert or report anymore, we can disable it. If you want to clone and edit a new report, we can clone the report. The final option is Embed. To embed, the first condition is that the search should be scheduled. Since it is a monthly report, for testing our embed option let us make it more frequent: I’ll schedule it with a cron schedule to run every two minutes, so that we can test the embedding feature for our report. I’ll just make sure everything is specified. I don’t need an email; I just need this report to run. Save. Okay, I need to disable my embedded feature first.

It has already been enabled. I’ll disable it. It has been disabled. I’ll edit the schedule now: cron-based, run every two minutes. As I said, if you are new to cron, just let me know in the discussion; I’ll be able to assist you more on the cron syntax. This is nothing but running this report every two minutes, which makes no sense in practice, but it will be helpful in demonstrating the embedding feature in Splunk. Now it is scheduled to run every two minutes. Let us enable our embedding feature and copy the URL or the iframe, whichever is displayed in this window. Make sure you have copied it, go to Reports, and once it has run we’ll be able to test this. The next scheduled run is about two minutes away. So do we have our URL?
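The schedules used in these lectures (the alert every 15 minutes and hourly at :15, the report monthly on the 1st at 09:00, and the every-two-minutes cron used here for the embed test) are all five-field cron expressions: minute, hour, day of month, month, day of week. As an added example (not code from the course or from Splunk’s scheduler), this small matcher expands each field and reports when a given expression fires, so you can check an expression before saving it.

```python
"""Cron field matcher (added example; not Splunk's own scheduler code).
Fields: minute, hour, day-of-month, month, day-of-week; each may be '*', a
value, a list (1,15), a range (1-5) or a step (*/15, 1-30/5)."""
from datetime import datetime, timedelta

FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 6))  # inclusive bounds

def expand_field(spec, lo, hi):
    """Return the set of integer values one cron field matches."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)
            end = hi if step > 1 else start  # "5/10" means 5, 15, 25, ...
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError("bad field %r (allowed %d-%d)" % (spec, lo, hi))
        values.update(range(start, end + 1, step))
    return values

def parse_cron(expr):
    """Parse a five-field expression into one value set per field."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("cron expression needs 5 fields, got %d" % len(fields))
    return [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]

def _matches(parsed, when):
    minute, hour, dom, month, dow = parsed
    cron_dow = (when.weekday() + 1) % 7  # cron: Sunday=0; Python: Monday=0
    # Simplification: day-of-month AND day-of-week.  Vixie cron ORs them when
    # both are restricted; every schedule in this course leaves both as '*'.
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and cron_dow in dow)

def fires_at(expr, iso_minute):
    """True if `expr` fires at the minute given as 'YYYY-MM-DDTHH:MM'."""
    return _matches(parse_cron(expr), datetime.fromisoformat(iso_minute))

def next_runs(expr, iso_start, count):
    """First `count` fire times at or after `iso_start`, scanning up to a year."""
    parsed = parse_cron(expr)
    t = datetime.fromisoformat(iso_start).replace(second=0, microsecond=0)
    runs = []
    for _ in range(366 * 24 * 60):
        if _matches(parsed, t):
            runs.append(t.strftime("%Y-%m-%dT%H:%M"))
            if len(runs) == count:
                break
        t += timedelta(minutes=1)
    return runs
```

For example, `next_runs("0 9 1 * *", "2024-03-05T10:00", 2)` gives the first of April and the first of May at 09:00, while `next_runs("*/2 * * * *", ...)` shows the two-minute cadence used for the embed test.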

Yes we do. This is the URL I use for testing iframes, where you can copy and paste the iframe that we got from our Splunk embedding. If you click Run you’ll see the display, that is our Splunk output. It is saying the scheduled report has not yet run. So we’ll wait for probably another minute, and then we’ll see how to get a result and a visualization from Splunk in any third-party application; this is the embedding feature. Let’s say you have your own monitoring or intelligence application where you need to fetch the visualization part; you can present it there just as it appears in Splunk itself.

These reports can be visualizations, or they can be used for getting the search results. You can also use the API of your Splunk server to fetch the results and get the values, so that you can make use of them as part of your application. It’s not yet completed. Once the search has run, the execution time, as you can see, changes from 11:06 to 11:08. Now let us rerun our iframe and we should be able to see the results. Now, as you can see, we have got our top results for the visitors. Whatever we defined in our report, Active users in a month, we get the same results. This way you can embed it in any application by providing just this iframe tag as part of your application. These are the same results that are displayed over here.

  5. Creating Dashboards in Splunk

In our previous modules we have learned about report creation and alert creation. Now we’ll move on to one of the most important and widely used knowledge objects, dashboards, which are the most common thing in Splunk, used regardless of the industry in which Splunk has been implemented, because the final output is always a dashboard, a report or an alert. A dashboard gives you a brief picture and also great visualization compared to reports and alerts. So in this example we’ll see how to create a dashboard, add multiple panels to it and the different ways in which we can add panels, and also how to view or edit the dashboard source, that is, the source code of your dashboard; scheduling a dashboard, similar to scheduling a report; and accelerating a dashboard.

Accelerating a dashboard is also similar to accelerating a report. We’ll also see how to export a dashboard as a PDF and how to share it with other users. Now let us get into our lab and see how to achieve all this. This is our search head. Let me confirm: 52 to 36. Yes. So this is our search head. By now we all know I’m searching for index=main and the access log, which is the web server log from our tutorial data. Now let us create a dashboard for demonstration purposes and add a couple of panels so that the visualization is effective. The first scenario is where I need to see the complete user details or the number of visitors on my dashboard, how they are visiting, and which countries they are from. We will take up a couple of use cases as we proceed with creating the dashboards, starting from the use case that we created.

We’ll add our top clientip by country, region and city that we created in our report. I’ll use the same query, but this time we’ll add it to our dashboard. We got our first panel. To add it to a dashboard, click Save As > Dashboard Panel. We will be creating a new dashboard; I’ll give it the name demo, since this is just part of our learning. The panel will be Top visiting IP addresses in the last 30 days. I’ll share this with the app so that anybody using this app will be able to see the panels or dashboards we are going to create.

This will be the panel title. This will be our demonstration dashboard; that is the dashboard description. We’ll keep it as a statistics table. Whenever you are saving a dashboard panel, if you want a chart, we’ll see how to do that in our next panel, which we’ll save as a chart. For now we are adding a statistics table. As you save, you get a quick menu to view the dashboard. I’ll open it in a separate tab and come back to that later. So now we have this. I need a graphical representation. We have too many fields here, so it might not look good on a pie chart. We’ll add only the IP address share so that our pie chart looks much better. I’ll add a pie chart to our existing dashboard by clicking Existing, choosing the newly created dashboard demo, and naming the panel pie example.

  6. Adding Panels to Dashboards and Adding a Panel from a Report

I’ll add the same data with one more visualization: a bar chart or column chart. I’ll go to Save As > Dashboard Panel > Existing, choose the dashboard you are editing, and add Column chart example. Let me add one more, a bar chart. I’m just changing the format field, choosing a different visualization, and using the same Save As > Dashboard Panel > Existing; this will be my Bar chart example. There is the option Panel Content, which will be either Statistics or the chart. We have already added statistics, so we’ll add the bar chart. Now let us go and view our dashboard. To view the dashboard, click on Dashboards and you’ll find your dashboard there. If you have a lot of dashboards, just type your dashboard name so that it pops up. Choose the dashboard which you have created. Once the dashboard loads, you should be able to see all the different panels we have added.

As you can see here, we have added a statistics table, a pie chart, a column chart and a bar chart. Let me try to rearrange the panels. To rearrange any panel in a dashboard, go to the top right corner and click Edit. As you can see, Edit changes the UI from how the dashboard looked and gives you the option to move these panels and rearrange them as you wish. I want the three charts on top, and below them I’ll move my statistics. I’ll click Save. So as you can see, now all my charts are on top and I have rearranged my statistics below to give me the complete picture. So this is one of the ways in which you can add panels. Let’s say I need to add a panel to this dashboard; I’ll copy the same query. To know more about dashboards, we’ll see how to create other use cases, probably as part of another lecture. But here we’ll see what other ways we have for adding a panel.

I’ll click on Edit again. There is an option here called Add Panel. When I click it, you get a new menu where you can choose any report that we have already created. As you can see, from our previous tutorials we created the report Active users in a month. We could choose that, but we’ll create a new panel, a statistics table. We’ll give the panel title Panel added from Dashboard Edit. This is the edit function, where you can add a panel choosing which type of visualization you need. And if you already have a report or a dashboard, you can clone panels from those dashboards or add from your existing reports. If you want a new one, click on the specific visualization and add it through the dashboard edit function.

I’ll choose a time frame of the last 30 days and click Add to Dashboard. As soon as you click, the dashboard starts loading. So as you can see, this is our panel created by the dashboard edit function. Click Save and you should be able to see the newly added panel in our dashboard. So from this edit function there are two ways: one is via the search bar, where you can save the search as a dashboard panel; the second is using the edit function. Using the edit function, you can also add a report into existing dashboards, clone from existing dashboards, and add existing scheduled reports as your panels. These are some of the scheduled reports which you can schedule to run at a specific time and load onto your dashboard.