Splunk Enterprise— Dashboards

D.M.
12 min read, May 31, 2022

Table of Contents

  1. Preface
  2. Framework
  3. Definition
  4. Making a Plan
  5. Prototypes
  6. Troubleshooting
  7. Dashboard
  8. Visual and Source Editor
  9. Layout
  10. Visualizations
  11. Drilldown
  12. Backgrounds
  13. Dynamic Coloring
  14. Dynamic Coloring: Tables
  15. Dynamic Coloring: Single Value
  16. Debrief

1. Preface

I only made this blog in order to provide common Q&A information to anyone interested in using Splunk. It is also great as a reference. Please visit Splunk for the official learning courses.

Splunk Q&A Study Guide

Part 1

Part 2

Part 3

Splunk Enterprise — Q&A — Fields

2. Framework

Splunk provides two frameworks for creating dashboards: the Classic Dashboard and Dashboard Studio.

  • Classic Dashboard
    - Source code: Simple XML
    - Layout: row and column
  • Dashboard Studio
    - Source code: JSON
    - Layouts: absolute and grid
    - Layering visualizations
    - More visualizations: images, icons, shapes, and text boxes

Both frameworks provide a graphical editor and a source code editor, and in both the visualizations are driven by searches.

However, some visualizations are only available in the Classic Dashboard while others are only available in Dashboard Studio. The layouts also differ: the Classic Dashboard has a row and column layout, while Dashboard Studio provides two layouts, an absolute layout and a grid layout.

Dashboard Studio uses JSON source code, while the Classic Dashboard uses XML-based source code. Dashboard Studio allows visualizations to be layered on top of each other, and some visualizations that are not available in the Classic Dashboard but are available in Dashboard Studio are icons, shapes, and text boxes.

The Dashboard Studio framework is still undergoing changes. Currently there are two kinds of visualizations you can see in the source code: visualizations with the “splunk” prefix and visualizations with the “viz” prefix. Eventually all visualizations will migrate to the “splunk” prefix. This matters because the way you encode options is slightly different between the two.

Dashboards, also known as views, are scoped to your application context: they exist in the application they were created in. However, the view management screen lets you change various attributes of a dashboard or view, such as moving it to a different application context, deleting it, making a copy of it, opening it, and sharing it.

  • scoped to your app context
  • open, clone, move, delete
  • set sharing permissions

If you have a view you need to migrate from one application to another, find it in the view management screen under Settings, select the application in which the dashboard or view exists, and set the owner to yourself. You then have the option to open the dashboard, make a copy of it, move it to another application context, or delete it altogether.

Dashboard Studio is now incorporated into both Splunk Enterprise and Splunk Cloud. Originally it was a standalone application downloaded from Splunkbase called the Dashboard Studio Beta. If you have dashboards built with the Dashboard Studio Beta and your version of Splunk also has the now automatically installed Dashboard Studio, you will want to migrate those beta dashboards out of the Dashboard Studio application and into another application, such as Search & Reporting. If a dashboard has any custom visualizations or images, make sure you also upload those images and visualizations into the new application context.

Converting a dashboard: Splunk provides a mechanism for converting classic dashboards into Dashboard Studio. Not all classic dashboards will convert successfully; elements of a classic dashboard that cannot be converted are flagged in the converted dashboard itself. The conversion process does not change the classic dashboard; it copies the dashboard into a new one and converts that copy to the new framework.

The conversion turns the XML code into the corresponding JSON code and maps each visualization from the classic dashboard to the corresponding visualization in the new framework.

To convert a dashboard created in the classic framework, open it, click the ellipsis, and choose “Clone in Dashboard Studio”. The clone uses the Absolute layout; right now Absolute is the only layout supported for conversion. Notice that the clone gets a different name and a different internal ID. Change the title to reflect the conversion and save. The result is a clone of the classic dashboard that uses the new framework with JSON-based source code, while the original dashboard remains untouched with its XML source code.

3. Definition

When a dashboard is created, the underlying JSON-formatted dashboard definition is generated automatically. This definition includes five sections: dataSources, visualizations, defaults, inputs, and layout, as well as the dashboard’s title and description.

The order of these sections depends on how the dashboard was originally created. For example, a dashboard created from a search begins with the dataSources section, which contains the search queries along with options for those queries and the dashboard’s unique ID and type.

If a dashboard is created from the Dashboards page, its definition begins with the visualizations section, which contains each visualization’s unique ID, visualization type, data sources, and related options.

Global defaults for the dashboard are contained in the defaults section.

The inputs section contains a unique ID and an input stanza for every input in the dashboard, while the layout section contains a list of those inputs as well as the canvas size and the position and size of each visualization.

Each of these sections contains stanzas that further define the visualizations, data sources, inputs, and their related settings. JSON formatting requires certain characters: a comma is required at the end of each entry and stanza except the last one, and double quotes are required for strings but not for boolean values or numbers. The order of stanzas is unimportant and will not cause JSON errors. All object names are case sensitive, so be sure to preserve case when editing any JSON.

4. Making a Plan

Making a plan is a key step in dashboard creation. Consult your team not only during development but also before you begin. Many operations in Splunk, such as configuring permissions and uploading files, require an administrator. Custom stylesheets and interactivity may require a JavaScript developer or UX designer. Security experts can ensure that the dashboard complies with any security requirements, and your business end users can help you understand how the data is used day to day. Stakeholders can help determine the complexity needed for dashboards by answering questions such as:

  • Who are your end users and what is their skill level?
  • What metrics are critical to their individual roles?
  • What is the time span for your data and how frequently should it be refreshed?
  • What types of visualizations will be required and how will they be laid out?

Having a plan with your stakeholders before you begin allows you to design a wireframe that will serve as your guide for the data you need, how users will navigate that data, and how it will be displayed.

5. Prototypes

The planning stage of building a dashboard starts with the stakeholders identifying key metrics and timeframes. An important part of planning is sketching out a wireframe of what you want to see in the final output. Think about the panels you will need, the types of visualizations that best suit your data, the data you want behind them, and how they should be arranged. Build a prototype of your dashboard in Splunk using basic searches, selecting visualizations and arranging panels to match your wireframe. The next step is to add interactivity with buttons and form inputs.

Consider the ways you want to let users manipulate your data and the types of inputs best suited to those needs. Planning which types of inputs you will need at this stage helps you know how to set tokens in later stages.

At this point, get your stakeholders’ input again: review everyone’s individual requirements, make sure those needs have been met, and get everyone’s sign-off before you continue. Once the stakeholders are happy with the prototype, it is time to focus on improving performance.

Then make sure the searches are as efficient as possible, ensure your tokens are passing variables correctly, and accelerate reports and data models.

6. Troubleshooting

The most important step when diagnosing a dashboard issue is to go to the source. If a panel is powered by an inline search, copy the search string and run it manually to make sure you are getting the data you expect. If your search string uses macros or event types, remember that those are powered by their own underlying searches.

If you have double-checked the rest of your search string and cannot find the problem, isolate the searches and ensure they are working as expected. If you are having problems with a newly created visualization, it sometimes helps to retrace your steps: you can review your search history at the bottom of the search summary view, and you can also use the history command to retrieve your previous searches stored as events.

If you have a panel powered by a report, view the report to ensure it is functioning properly, and take note of its schedule and acceleration settings. If a dashboard uses token inputs, make sure those tokens are functioning as expected.

The search job inspector lets you see what is happening behind the scenes of a search. Once the search completes, you can see how many results it returned, how many events were scanned, and how long the search took to execute. You can troubleshoot how a search is processed through its debug messages and by examining the impact of knowledge objects.

7. Dashboard

There are a couple of ways to create a dashboard. One way is to create it from a search: you run your search, get results, and then save them as a dashboard.

Under Save As, choose New Dashboard. Name the dashboard; the dashboard ID is autofilled and can be edited. Give an optional description. With the appropriate privileges, you can set the dashboard to private or to public, meaning shared with other users. Choose between Classic Dashboard and Dashboard Studio. When choosing Dashboard Studio there are additional layout options, either an Absolute layout or a Grid layout, and with the Grid layout you can optionally specify a title for the panel. Create and save the dashboard, and you are then given the option to view it, which opens it in Dashboard Studio. You see a global time range picker and the visualization from the search. Entering edit mode shows other aspects of the dashboard behind the scenes: the available charting visualizations and inputs, and for the selected visualization its type, its various options, and the search driving it, which is also available from the search menu item.

Highlighting the visualization again, you can examine a little of the underlying JSON code for that visualization. You also have the ability to look at the source code in its entirety: the dataSources section comes first, followed by visualizations, then inputs, then the general layout, and finally the defaults section.

You can also create a dashboard from a web page. On the Dashboards tab in the application menu, click the Create New Dashboard button and fill out the dialog. Everything else is the same, except this time choose the Absolute layout, where the option to name a panel is missing since no panel is created. Creating the dashboard sends you straight to edit mode, since there is no visualization yet. Actual size is a fixed canvas size, while Fit to width adjusts the canvas to the width of the browser. You can specify a background color and image. For the grid you have charts and visualizations, icons, shapes, images, and text. You can give the visualization a human-friendly name and a specific SPL search, then run and save it to have it appear in the visualization. To bring up the search configuration, click the pencil next to the search you want to edit; scrolling down shows the JSON snippet along with its identifier. If you change a data source identifier in order to hone in on the desired search, change it in the dataSources section as well as in any visualization that references that search. You can also edit a visualization’s ID in the code using the scroll bar on the right side of the edit view.
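To make the five-section definition from section 3 and the identifier rule above concrete, here is an added Python example that is not from the original post: it parses a constructed, minimal Dashboard Studio definition, checks that every visualization's data source and every layout item actually exist, and renames a data source ID while updating the visualizations that reference it. The sample definition and its IDs are assumptions made for illustration.

```python
import copy
import json

# Constructed sample Dashboard Studio definition (not from the post): the five sections the
# post names plus title and description, with a "splunk."-prefixed table visualization.
SAMPLE_DEFINITION = """{
  "title": "Web Traffic", "description": "constructed example",
  "dataSources": {"ds_status": {"type": "ds.search", "options": {"query": "index=web | stats count by status"}}},
  "visualizations": {"viz_status_table": {"type": "splunk.table", "dataSources": {"primary": "ds_status"}}},
  "inputs": {"input_global_trp": {"type": "input.timerange", "options": {"token": "global_time"}}},
  "layout": {"type": "absolute", "options": {"width": 1440, "height": 960},
             "globalInputs": ["input_global_trp"],
             "structure": [{"item": "viz_status_table", "type": "block",
                            "position": {"x": 20, "y": 20, "w": 600, "h": 300}}]},
  "defaults": {}
}"""
REQUIRED_SECTIONS = ("dataSources", "visualizations", "defaults", "inputs", "layout")

def load_definition(text):
    """Strict parse; returns None when the JSON is malformed (trailing commas, single quotes, ...)."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None

def check_references(defn):
    """List problems: missing sections and IDs that are referenced but never defined."""
    problems = [f"missing section: {s}" for s in REQUIRED_SECTIONS if s not in defn]
    if problems:
        return problems
    for viz_id, viz in defn["visualizations"].items():  # keys are case-sensitive
        for role, ds_id in viz.get("dataSources", {}).items():
            if ds_id not in defn["dataSources"]:
                problems.append(f"{viz_id}.{role} references unknown dataSource {ds_id}")
    for entry in defn["layout"].get("structure", []):
        if entry.get("item") not in defn["visualizations"]:
            problems.append(f"layout item {entry.get('item')} is not a visualization")
    return problems

def rename_data_source(defn, old_id, new_id):
    """Rename a dataSource ID and update every visualization that references it."""
    new = copy.deepcopy(defn)
    new["dataSources"][new_id] = new["dataSources"].pop(old_id)
    for viz in new["visualizations"].values():
        for role, ds_id in viz.get("dataSources", {}).items():
            if ds_id == old_id:
                viz["dataSources"][role] = new_id
    return new
```

Renaming only the key in dataSources, as one might do by hand in the source editor, leaves a dangling reference that check_references reports.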

8. Visual and Source Editor

In Dashboard Studio, syntax errors can be seen in the source editor and are marked with a red underline.

9. Layout

You have to add the Submit button for the global time range through the GUI editor, which is odd. What other options can you only set using the GUI editor? Spelling, including capitalization, matters in the source code or the option will not work.

10. Visualizations

When you add a visualization to your dashboard, the corresponding JSON code gets added.

The layering option appears after creating 3 or more dashboards; alignment is also available.

11. Drilldown

Drilldowns add extra interactivity to your dashboards by opening their targets in a new tab or in an overlay on the current webpage.

12. Backgrounds

Backgrounds can be customized with a designated color or image.

13. Dynamic Coloring

Row background and header background can all be changed in the code snippet with color hue values; use Google for the exact format and color codes.

The viz prefix will be replaced with the splunk prefix in future versions.

Dynamic coloring is limited to 7 colors in the GUI, but more are available using the code snippet. You have to assign a field to the shape in order to protect the accuracy of the results.

14. Dynamic Coloring: Tables

Dynamic coloring can be used with tables to change the color of text, cells, or columns.

You can swap field columns with other columns through the code editor.

Here product_name is colorized based on the values of revenue, demonstrating that there are many more things you can do with the source editor than with the GUI.

15. Dynamic Coloring: Single Value

16. Debrief

I hope this helped answer some general starter questions for anyone just learning Splunk. I really enjoyed doing this and will be making more notes in the future.


D.M.

Experienced Cyber Security/Intelligence Analyst with a demonstrated history of working in the US Military and IT industry.