SPLK-1003 Splunk Enterprise Certified Admin – Splunk Inbuilt & Advanced Visualizations
- Editing Dashboard Using Source
We have seen how to add multiple panels to our dashboard by various methods, such as from the search bar and by using panels created through the dashboard editor. You can also edit a panel by editing the source. When I say source, the dashboard source is always an XML file. If you want to view the source, or see how Splunk interprets these panels, reports and dashboards, click on Edit. As you can see, next to that there are UI and Source options. If you click on Source, you’ll see the complete XML of your dashboard, which holds the full information about each panel: which colors have been used and which scale is used to display the results, whether linear or logarithmic, and much more than is available in the UI. The source holds more granular information: it contains your query, title and description, almost everything that is required to render the dashboard as a visualization, which is what makes it important.
You can also copy a panel here and add a new panel based on this panel tag. Each panel has a title. The parent tag is the dashboard, followed by the row. In the first row we see there are three panels, so all three panels are inside this row element. Similarly, if you are familiar with XML, each tag holds specific information that the UI needs in order to present the dashboard. This is one more way of working, similar to editing a configuration file: we can change the visualization of the dashboard using the source. So have a look at the XML of the dashboards you have created. You’ll understand in much more detail which options are required for creating a visualization in Splunk, including panel, row and column elements.
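The structure described above, as an added example that is not taken from the course's dashboard: a dashboard element, one row, and three panels inside it, each carrying its title, query, time range and chart options. The label, description, titles, index, sourcetype, field names and queries are assumptions.

```xml
<dashboard>
  <label>Demonstration Dashboard</label>
  <description>Web traffic overview (sample description)</description>
  <!-- One row element; the three panels inside it render side by side -->
  <row>
    <panel>
      <title>Requests over time</title>
      <chart>
        <search>
          <!-- The panel's query and time range are stored in the source -->
          <query>index=web sourcetype=access_combined | timechart count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <!-- Y-axis scale: linear or log -->
        <option name="charting.axisY.scale">log</option>
      </chart>
    </panel>
    <panel>
      <title>Top client IPs</title>
      <chart>
        <search>
          <query>index=web sourcetype=access_combined | top limit=10 clientip</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <!-- Series colors are part of the panel definition too -->
        <option name="charting.seriesColors">[0x1e93c6]</option>
      </chart>
    </panel>
    <panel>
      <title>Status codes</title>
      <table>
        <search>
          <query>index=web sourcetype=access_combined | stats count by status</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```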
We have created this dashboard. Let’s say I need to export it as a PDF. To export a dashboard, click on the Export link, which covers scheduling and exporting. Both options are available only for PDF. The Print option gives you a direct printout of the complete page of your visualization screen; in Splunk you can print it as is. We’ll first look at Export PDF. Export PDF generates a PDF in your browser, which you can download once it has been generated. Our PDF has been downloaded here; let me open it up. As you can see, PDF viewing is one of the difficult parts of Splunk: the visualization you see in Splunk looks different once you export it, and each panel has been broken down into a single element.
This is how you export it as a PDF, and from here you can send it by email or any other means to the people with whom you want to share this dashboard. One more way is to schedule PDF delivery. Let’s say we need this report every month, on the first day of the month, early in the morning, as soon as I get to the office. So we schedule it to run every month on the first day of the month around 09:00 in the morning. We enter the email address, and if you want CC and BCC copies, make sure you mention them. You can probably leave everything else at the defaults. The values are picked up from the dashboard’s own information, here the demonstration dashboard’s description: whatever description you entered there is pulled into your email subject and message.
When you choose the paper size, you can set it to A4, Letter or any other paper size you wish, and you get a chance to preview the PDF. Once you click on Preview the PDF, it generates a temporary PDF file that shows the formatting for the selected A4 or other paper size, so you can see how your results have been placed. As you can see, this is the A4 version of your dashboard. Similarly, if I choose Letter and preview the PDF, you’ll get a Letter-size preview of your dashboard, and you can send a test mail to verify that everything is working fine. So these are the two options. Then go ahead and click on Save, so that every month, on the first day of the month around 09:00, this dashboard will be delivered to your email. These are some of the dashboard functions you will be using in your day-to-day activities. In our next tutorials, we’ll see how to enhance this dashboard. This is a plain and simple dashboard which looks good as of now, but as we go further we’ll be able to create much more interactive dashboards, which will add great value.
- Dashboard Filters: Time Range
We created this dashboard as part of our previous tutorials. Now let us see how we can enhance it by creating additional filters and drill-down options. In this module we will go through creating and editing filters, how to edit filters using XML editing, and token usage, that is, the passing of arguments from your form to your dashboard panels: how this works in Splunk, and how to pass values from your text field, dropdown or even your submit button into your panels by using tokens. We’ll be creating a couple of filters: a time-based filter and a text box, in which you can enter whatever text you need and the dashboard will filter the results based on it, and similarly a dropdown and a checkbox. We’ll see how we can do this in our lab exercise.
As part of our lab exercise, we’ll be using the same dashboard that we created earlier. Let us say this dashboard looks fine, but every time I reload it, as we can see, it loads for only the last 30 days. All the panels have different times. So I need to make sure all these panels reflect the same time frame, or specifically a different time frame. Let us see how we can do that. Our first filter will be a time filter. To add a time filter, click on Edit. As you can see, there is an Add Input option right next to Add Panel. I’ll click on Add Input. There is a Time option; choose it. Here there is an edit feature indicated by a pencil or pen icon. I’ll click on that and give it a label, Select Time. As you can see, I’ve edited the label, just like a display title for a panel, and it now says Select Time.
There is a Search on Change option. If we choose this, the dashboard automatically reloads as soon as we edit the time frame. We’ll uncheck this for now, and I’ll give the token the name time. This token is nothing but a variable that holds this information. For the default, I’ll keep it at last 30 days, so whenever the dashboard loads it will run for the last 30 days. Click on Apply, and let me add a submit button to indicate that we have selected the values we require. Once you click Submit, the dashboard reloads. There is no need for a submit button if we choose Search on Change, which says that whenever this input or this variable has changed, the dashboard should automatically reload. But for now we’ll keep it unchecked and add our submit button to indicate our finalized selection.
Let me click on Save. So I’ve added an input. But even after I change the time, I’m not seeing the dashboard refresh. Even after clicking Submit there is no dashboard refresh, because we have only added an input here; we are not passing its values into the panels. To pass those values to the panels, go to Edit mode again. You have this search icon here; select it. As you can see, there is a Time Range Picker setting. We will set this option to the shared time picker and our token name, which is time in lowercase. We’ll choose this and click on Apply. As you can see, for now it didn’t find any results. Let us change it to last 30 days and submit. As you can see, the dashboard automatically reloads as soon as we click Submit. Every time we change a value in the time field, it automatically reloads our panel. Let me do the same thing for the other panels.
- Dashboard Filters: Text Box
Open the Edit Search option; under Time Range Picker, choose the shared token that we have just created. This is one way to edit the input. The second way is to go to Source, where you can see that earliest and latest tags have been added containing time.earliest and time.latest, which represent the token time that has been defined here. Its default is last 30 days and the token name is time. So this token is passed in these tags, as time.earliest and time.latest. We have edited three panels. As you can see, this is the second panel, with time.latest, and similarly the third panel, with time.latest and time.earliest. I’ll copy these two lines and paste them into the other two existing panels. As you can see, there the earliest and latest values are hard-coded for the last 30 days.
I’ll change them to use the token. Let me save this. As you can see, all the dashboard panels are refreshed after saving. Let me change this to previous month and submit: all five panels in our dashboard have been reloaded. This confirms that whatever values we change here apply to all of our panels. That is adding a time filter. Now let us add another filter. Let’s say we want a text box. To add a text box, click on Add Input and select Text. For the label, say Source IP, or give a clearer description such as Enter Source IP. Here too there is an option to refresh the panels as soon as you change the source IP. We’ll keep this checked to see what changes: with it checked, instead of clicking Submit you can just hit your Enter key and the dashboard reloads automatically. I’ll give this token the name SRC, or you can name the token whatever you need. For the default, I’ll keep it as star, so that whenever my dashboard reloads or is opened, it contains a star value. I’ll click on Apply.
As you can see, by default it has a star value defined here and the label Enter Source IP. Let me save this. Now we have our next filter, a text box. I’ll copy one of the source IPs, or client IPs, from here, enter it in the box and click on Submit. As you see, nothing changes, even if I hit Enter, because this token is not yet being used by any of the panels. So what do we do? We’ll take this token. The token name is Source. Open the search editor again. Before the charting function, add the field name you are searching on, and enclose the token you are passing within dollar symbols, so that the value is taken from the text box and put into your search. You’ll see how it works. Click on Apply. As you can see, the panel has refreshed. Let me click on Save and open this search again. I’ve clicked on Save, and as you can see, since there is a source IP entered here, the panel shows only the statistics related to that source.
If I open this, you’ll see the search with the argument that we passed from our text box. Whatever we enter here replaces the token source in the search query, where it is written as dollar, source, dollar. Our search has loaded. As you can see, this is the text, client IP is equal to, followed by the text box value that we passed from our filter to this panel. So let me quickly grab the same thing, that is, client IP is equal to $source$, and apply it to the other panels so that all the panels reflect only the source that we enter as part of our filtering.
- Dashboard Filters: Dropdown
Apply and save this. You can also do it by editing the XML. If you find the UI route difficult, you can click on Edit, choose Source, and directly copy and paste your search query into each panel wherever it is applicable, to get the client IP from the text box that we have created. That was our second filter, the text box. Now let us create a dropdown. You have many options here: dropdown, checkbox, radio button, multiselect. You can choose whichever you want, and the configuration is almost the same. I’ll use this one for the source itself, with the label Select Source as a dropdown example, and I’ll set the token to drop down value. This should be written without spaces.
So the token is the dropdown value, and you can define the default value here. First, an option that gives me all the sources: this is the display value, and this is the argument that is passed to your search. This will be my default value. Then I’ll add IP number one, that is 87.194.216.51, which was part of our previous search criteria. You can also add IP number two and give it any IP you choose. Then click on Apply, and you can choose which value is selected by default: All, our first IP, or the second IP that we have added here. As you can see, we have defined these values as static options.
In future tutorials we’ll see how to generate these values as dynamic filters. For now, as static values, we have added three: All, which represents star; IP One, which represents a specific IP; and any number of further IPs can follow. As the default I’ll choose All, click on Apply and save this. We know that even though we have added a filter, the dashboard doesn’t respond to it yet, because we are not processing that information. When I re-enter the default value, star, in the text box, we get all the information that we are looking for, and we can now see how to accept the dropdown value. This is our token. We are again passing the client IP itself from our dropdown.
The token definition is almost the same. For our text box we gave the token as source; for the dropdown we are giving it as the dropdown value. Click on Apply. Here we have all the sources. Let me choose IP One and submit. As you can see, we have got only the results for IP One. In a similar way you can edit all these panels and add your dropdowns respectively. These dashboards can be customized at any point. If you don’t need any of these filters, you can just click on Remove and it will be gone. This is one of the major benefits of Splunk, which makes it customizable to your needs: whenever a filter is not necessary, you can just delete it and rebuild your dashboard, probably in a better fashion.
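The three filters from these sections together in one dashboard source, as an added example that is not the course's own XML. The index, sourcetype, clientip field name, panel titles and the second dropdown IP are assumptions; the text token is written as source, the name used in the panel query, and the dropdown token as dropdownvalue. The |s token filter, which wraps the value in quotes so that typed text stays a single field value, is an addition the transcript does not use.

```xml
<form>
  <label>Demonstration Dashboard</label>
  <fieldset submitButton="true" autoRun="true">
    <!-- Time input: token "time", Search on Change unchecked, default last 30 days -->
    <input type="time" token="time" searchWhenChanged="false">
      <label>Select Time</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Text box: Search on Change checked, default value * -->
    <input type="text" token="source" searchWhenChanged="true">
      <label>Enter Source IP</label>
      <default>*</default>
    </input>
    <!-- Dropdown, static options: element text is displayed, value goes to the search -->
    <input type="dropdown" token="dropdownvalue" searchWhenChanged="false">
      <label>Select Source</label>
      <choice value="*">All</choice>
      <choice value="87.194.216.51">IP1</choice>
      <choice value="192.0.2.10">IP2</choice> <!-- constructed sample value -->
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Requests by source (text box)</title>
      <chart>
        <search>
          <!-- $source|s$ expands to the quoted text box value -->
          <query>index=web sourcetype=access_combined clientip=$source|s$ | timechart count</query>
          <!-- Shared time picker: the two tags that replace hard-coded times -->
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Status codes by source (dropdown)</title>
      <table>
        <search>
          <query>index=web sourcetype=access_combined clientip=$dropdownvalue|s$ | stats count by status</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```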