Building pretty charts
Johnvey Hwang Splunk Inc.
Agenda
Q:  Why are you making a chart? COMM153: Business Graphics, Fall 2010, Midterm exam
GraphJam.com
Step 1: Prep
What data is available?
Who is going to read it?
 
Decision Step 2: Visualize
 
Finished NOC dashboard
Tables are sexy.
Q2 Revenue $17.5B So are numbers.
Column chart
Line chart
Line chart (split)
Area chart (100% stacked)
Is ‘Georgian’ half or a third of ‘Hawaiian’? Is this linear, geometric, or exponential? Pie charts suck
Pie chart remedy
Trending is better Pulse = 90 vs.  
Time range: real-time Requires immediate response 30 second – 1 hour window
Time range: historical Multiple day – month window Time to respond is in weeks or months
Step 3: Build it
Report builder
Advanced charting view See search box and chart on one page
Search language: overview
    index=main error datacenter=SFO | timechart avg(bytes) by host
    event search clause: index=main error datacenter=SFO
    transforming clause: timechart avg(bytes) by host
Over 100 search commands…
The dataset
_time | _raw | host | field1
18283495832 | 2010-08-10 08:52:01 ERROR: something went wrong on server | Prod_apache_1 | ERROR
18383827123 | 2010-08-10 08:52:01 INFO: redirect to a better page | Prod_apache_2 | INFO
Search language: timechart
    … | timechart span=1h count
        “count the number of events per hour”
    … | timechart avg(delay) by host
        “calculate the average delay and track each host separately”
    … | timechart avg(delay) min(delay) max(delay)
        “calculate the average, minimum, and maximum delays per auto-bucket”
Search language: timechart
    index=_internal | timechart count by group
Search language: top
    … | top limit=50 users
        “list the top 50 users”
    … | top major_version, minor_version
        “list the top (10) combinations of major and minor versions”
    … | top source by host
        “list the top sources grouped by most frequent host”
Search language: top
    index=_internal source="*access.log" | top uri_path | fields uri_path count
Search language: chart
    … | chart avg(delay) by sender
        “list the average delay for every sender”
    … | chart max(bytes) over clientip by uri useother=f
        “list the maximum bytes of the top ‘uri’ for every ‘clientip’”
Search language: chart
    index=_internal source="*access.log" | chart avg(bytes) by clientip
Search language: ctable
    … | ctable clientip http_status
        “list every combination of ‘clientip’ and ‘http_status’ and their frequencies”
    … | ctable clientip http_status maxcols=10
        “… restrict to a max of 10 http_status columns”
Search language: ctable
    index=_internal source="*access.log" | ctable clientip status maxcols=10 maxrows=10
Search language: more
    stats: average, min, max, stdev, distinct count, mode, variance, …
    streamstats: calculate running statistics up to current event
    rangemap: bucket results into ranges like ‘low’, ‘medium’, ‘high’
    kmeans: partition results into k-means clusters
    trendline: calculate moving averages
    accum: creates a new field of running total of any field
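An added example (not from the original slides) that chains several of the commands listed above onto the overview search, so each hourly bucket carries a moving average, a running peak, a running total and a severity label. The thresholds and the output field names moving_avg, peak_so_far and running_total are assumptions chosen for illustration.

```spl
index=main error datacenter=SFO
| timechart span=1h count
| trendline sma5(count) AS moving_avg
| streamstats max(count) AS peak_so_far
| accum count AS running_total
| rangemap field=count low=0-10 medium=11-100 default=high
```

The first four hourly rows have an empty moving_avg because sma5 needs five data points; rangemap writes its label to a field named range.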
Step 4: Automate
Schedule it
Assemble dashboards
Step 5: Polish
What can you change? View CSS Chart properties
 
Custom CSS
1. Add custom CSS files to the app: $SPLUNK_HOME/etc/apps/<APP_NAME>/appserver/static/<FOO>.css
2. Restart splunkweb (only on first create)
3. Add to view: <view stylesheet="FOO.css">
4. Save to: $SPLUNK_HOME/etc/apps/<APP_NAME>/default/data/ui/views/<NAME>.css
 
Charting properties
Hundreds of different properties available
Ex: Common property to change tick label visibility:
    charting.primaryAxis.majorLabelVisibility = hide
Ex: Area chart type-specific series stacking mode:
    charting.AreaChart.stackMode = stacked100
Ex: Common legend label width:
    charting.legend.labelStyle.maximumWidth = 500
 
Simple XML form
    <dashboard>
      <label>My dashboard</label>
      <row>
        <chart>
          <searchName>My saved report</searchName>
          <option name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</option>
          <option name="charting.legend.placement">top</option>
        </chart>
      </row>
    </dashboard>
Advanced XML form
    ...
    <module name="HiddenChartFormatter">
      <param name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</param>
      <param name="charting.legend.placement">top</param>
      <module name="FlashChart" />
    </module>
    ...
More help
Charting reference documentation
    http://www.splunk.com/base/Documentation/latest/Developer/AdvancedCharting
    http://www.splunk.com/base/Documentation/latest/Developer/ChartReference
Splunk community Q&A site
    http://answers.splunk.com
Edward Tufte - “Father of data visualization”
    http://www.edwardtufte.com
Blogs for inspiration
    http://infosthetics.com
    http://smashingmagazine.com
Demo material
    http://blogs.splunk.com/author/johnvey/

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Making Pretty Charts in Splunk

  • 4. Q: Why are you making a chart? COMM153: Business Graphics, Fall 2010, Midterm exam
  • 7. What data is available?
  • 8. Who is going to read it?
  • 10. Decision Step 2: Visualize
  • 14. Q2 Revenue $17.5B So are numbers.
  • 18. Area chart (100% stacked)
  • 19. Pie charts suck: Is ‘Georgian’ half or a third of ‘Hawaiian’? Is this linear, geometric, or exponential?
  • 21. Trending is better Pulse = 90 vs.  
  • 22. Time range: real-time Requires immediate response 30 second – 1 hour window
  • 23. Time range: historical Multiple day – month window Time to respond is in weeks or months
  • 26. Advanced charting view See search box and chart on one page
  • 27. Search language: overview
        index=main error datacenter=SFO | timechart avg(bytes) by host
        event search clause: index=main error datacenter=SFO
        transforming clause: timechart avg(bytes) by host
        Over 100 search commands…
  • 28. The dataset
        _time       | _raw                                                      | host          | field1
        18283495832 | 2010-08-10 08:52:01 ERROR: something went wrong on server | Prod_apache_1 | ERROR
        18383827123 | 2010-08-10 08:52:01 INFO: redirect to a better page       | Prod_apache_2 | INFO
  • 29. Search language: timechart
        … | timechart span=1h count
            “count the number of events per hour”
        … | timechart avg(delay) by host
            “calculate the average delay and track each host separately”
        … | timechart avg(delay) min(delay) max(delay)
            “calculate the average, minimum, and maximum delays per auto-bucket”
  • 30. Search language: timechart
        index=_internal | timechart count by group
  • 31. Search language: top
        … | top limit=50 users
            “list the top 50 users”
        … | top major_version, minor_version
            “list the top (10) combinations of major and minor versions”
        … | top source by host
            “list the top sources grouped by most frequent host”
  • 32. Search language: top
        index=_internal source="*access.log" | top uri_path | fields uri_path count
  • 33. Search language: chart
        … | chart avg(delay) by sender
            “list the average delay for every sender”
        … | chart max(bytes) over clientip by uri useother=f
            “list the maximum bytes of the top ‘uri’ for every ‘clientip’”
  • 34. Search language: chart
        index=_internal source="*access.log" | chart avg(bytes) by clientip
  • 35. Search language: ctable
        … | ctable clientip http_status
            “list every combination of ‘clientip’ and ‘http_status’ and their frequencies”
        … | ctable clientip http_status maxcols=10
            “… restrict to a max of 10 http_status columns”
  • 36. Search language: ctable
        index=_internal source="*access.log" | ctable clientip status maxcols=10 maxrows=10
  • 37. Search language: more
        stats: average, min, max, stdev, distinct count, mode, variance,…
        streamstats: calculate running statistics up to current event
        rangemap: bucket results into ranges like ‘low’, ‘medium’, ‘high’
        kmeans: partition results into k-means clusters
        trendline: calculate moving averages
        accum: creates a new field of running total of any field
  • 42. What can you change? View CSS Chart properties
  • 44. Custom CSS
        1. Add custom CSS files to the app: $SPLUNK_HOME/etc/apps/<APP_NAME>/appserver/static/<FOO>.css
        2. Restart splunkweb (only on first create)
        3. Add to view: <view stylesheet="FOO.css">
        4. Save to: $SPLUNK_HOME/etc/apps/<APP_NAME>/default/data/ui/views/<NAME>.css
  • 46. Charting properties
        Hundreds of different properties available
        Ex: Common property to change tick label visibility:
            charting.primaryAxis.majorLabelVisibility = hide
        Ex: Area chart type-specific series stacking mode:
            charting.AreaChart.stackMode = stacked100
        Ex: Common legend label width:
            charting.legend.labelStyle.maximumWidth = 500
  • 48. Simple XML form
        <dashboard>
          <label>My dashboard</label>
          <row>
            <chart>
              <searchName>My saved report</searchName>
              <option name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</option>
              <option name="charting.legend.placement">top</option>
            </chart>
          </row>
        </dashboard>
  • 49. Advanced XML form
        ...
        <module name="HiddenChartFormatter">
          <param name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</param>
          <param name="charting.legend.placement">top</param>
          <module name="FlashChart" />
        </module>
        ...
  • 50. More help
        Charting reference documentation
            http://www.splunk.com/base/Documentation/latest/Developer/AdvancedCharting
            http://www.splunk.com/base/Documentation/latest/Developer/ChartReference
        Splunk community Q&A site
            http://answers.splunk.com
        Edward Tufte - “Father of data visualization”
            http://www.edwardtufte.com
        Blogs for inspiration
            http://infosthetics.com
            http://smashingmagazine.com
        Demo material
            http://blogs.splunk.com/author/johnvey/

Editor's notes

  1. Welcome!
  2. Intro
  3. There are 5 main steps you generally go through before you can have a meaningful and pleasing chart. Today we’re going to cover all 5 steps in Splunk. But before that, can you answer the obvious question…
  4. Do you actually have a reason for making a chart? What is the desired outcome? -- want some business intelligence? -- need to monitor something? -- or just for the hell of it? If you don’t know…
  5. Might I suggest GraphJam.com. -- can make lots of different charts -- can share them with friends -- can use pretty colors At least have a purpose in mind.
  6. Step 1: do your prep work. -- due-diligence -- mise en place The right questions can make your charting easier.
  7. Question #1: what data do you have at your disposal? -- Splunk can index anything -- any text, stream, file, packet, script Who owns the data? Are you going to have to ask permission?
  8. Question #2: Who is going to read it? -- Consider your audience when picking data to display. -- Technical staff generally want detailed information. -- Your boss may not. What is the reader going to do with it? -- make business decisions -- incident response -- feel good -- look at pretty pictures -- be able to assign blame There was a story about a potential customer who was so excited about Splunk, threw everything at it. Then tried to discover who was to blame for a current production problem. Found out it was his friend. Radio silence. Splunk was that good.
  9. Think about what format you want. More importantly, what will the caption be? You may end up a slave to a less than desirable format if you just wing it. This chart: General Stanley McChrystal declared that "When we understand that slide, we'll have won the war" at a briefing in Kabul last summer. Does not reflect well upon you.
  10. One way to visualize is to think about the big picture first.
  11. This is an example VP-level dashboard built entirely in Splunk * 60-day period * Shows medium-term trending; influences business decisions * dashboard.html template * custom view-specific CSS * HiddenSavedSearch module * HiddenChartFormatter module * SingleValue module
  12. This is a real-time dashboard intended for a NOC situation -- everything is on a 30-second window -- shows info that people may need to react to quickly I’ll cover both of those examples later in the talk.
  13. Note that both previous examples used tables! -- “visualization” doesn’t really just mean charts -- tables can be far more efficient at displaying certain kinds of data than charts
  14. Even simpler are single numeric values -- Apple’s Q2 revenue for example -- if context is well known, there’s no need to complicate matters with “chartjunk”
  15. OK, so on to charts. These are all native chart types that Splunk can render. I’ll be brief; I want to highlight how you match chart types to data. The column chart: -- great for inspecting discrete data -- can easily compare single value series on common axis -- identify trends
  16. The line chart: -- great for comparing multiple series -- compare on similar Y-axis
  17. Split line chart: -- variant of the line series -- great for when trending of individual series is wildly different
  18. The area chart -- use to track multiple series in relationship to each other -- in 100% form, very quickly see proportional changes over time
  19. The pie chart: do not use. -- cannot compare 2 slices together easily -- no common point of reference -- cannot determine distribution
  20. A column chart lets you actually see the data on comparable terms -- ‘Georgian’ is more than half the value of ‘Hawaiian’ -- “The only worse design than a pie chart is several of them.” – Edward Tufte You can see the trend among data (in this case it’s exponential). Why is trending important?
  21. Example: -- in basic medical triage you must always record vitals over time -- walking into ER and only saying your pulse is 90 is useless -- you need to know if it’s rising or falling, or stable So what are you trending over? Well Splunk likes time…
  22. We’re going to focus on time-based ranges and the main modes of trending: Real-time: -- still one of the coolest things about Splunk -- even if you know nothing about the data, it’s still cool to see stuff come in real-time What is it good for? -- things that require immediate response -- when you only need to see at most an hour of content; 30 seconds is also useful Examples: -- network operations -- security operations -- just in time operations
  23. The flip side is historical; what people typically expect What is it good for? -- making business decisions based on data -- 7, 30 day moving trends Examples: -- infrastructure planning -- bandwidth usage -- peak/off-peak tracking
  24. Finally! We cover the tools in Splunk that can make effective charts.
  25. How many people are familiar with the report builder? The standard report builder is accessible from the search interface -- you can start charting searches that are still in flight -- easy dropdown-based chart building -- handles simple cases
  26. How many people are familiar with the advanced charting view? Advanced charting is where most of us like to chart -- direct access to the search language -- tabular view below -- has common set of charting controls
  27. The search language is inspired by the UNIX command line -- typically the first command is assumed to be the ‘search’ command -- any number of commands can be chained together -- there are over 100 search commands that come with Splunk How many people are familiar with the search language? Novice? Intermediate? Advanced? There were a bunch of sessions on the search language (check your preso material if you didn’t attend) I’ll go through some of the workhorse commands used to generate charts…
  28. Splunk search results are nothing more than a big table of data -- the event text is copied into the ‘_raw’ field -- it’s just another field in the result set -- if you understand this, you will grasp the search language easily -- the UI depends on underscore fields (which are not displayed) Knowing that this is just a table, you can use search language to transform the results any which way you want
  29. This is the heavy hitter for any IT ops commands -- shows you over time what something is doing -- can take any of the stats commands and generate multiple series -- can control the granularity of the bucketing
  30. Here is an example of the timechart command that looks at Splunk internal components over time -- uses automatic defaults to determine sensible time buckets
  31. The ‘top’ command does what it sounds like -- displays the top values of any field in your results -- can do top n combinations -- can specify how many ordered items to return
  32. Display is great when paired with a bar chart, or column -- please don’t use pie charts (will cover that in a bit)
  33. This is the generic version of timechart -- behind the scenes, this powers ‘timechart’ -- in essence, plots some function of field A by field B -- like ‘timechart’, you can actually invoke the eval() command
  34. This example shows the average bytes transferred over a time period split by client IP addresses -- this is over every piece of data that Splunk knows about -- you can restrict by time window by just setting the time range
  35. The contingency table is not a graphical command, but is equally as powerful -- contingency is used very often in statistical analysis: determine if variable X really has an effect on measured property Y -- essentially is a counter: will tally combinations of X/Y
  36. Note that the Y is ‘clientip’ and X is ‘http_status’; the numbers in the middle of the table simply show the number of occurrences -- you can then apply the heatmap decorator to visually differentiate hotspots
  37. There are lots of other commands that can manipulate the data any which way you want.
  38. Let Splunk do your dirty work -- automation can alleviate much of the manual labor -- no reason to always check Splunk when it can email you
  39. Scheduling a saved search is the best practice -- defer work to off-peak hours -- allow multiple users to share results -- have Splunk alert you when certain conditions are met -- receive results via email, RSS Plug: customizing and using scripted alerts Plug: monitoring with Splunk
  40. Assembling multiple saved searches on a dashboard is great for overviews -- use simple dashboard creator -- takes existing saved searches and lets you arrange onto a dashboard -- don’t cram a ton of searches onto a dashboard: use multiple dashboards!
  41. The main areas of presentation-layer customizations fall into: -- view-level CSS: full access to override any CSS rules -- chart-level properties: each chart can have its own formatting
  42. This is the before picture: -- default CSS -- default charting properties -- uses the standard panels -- uses standard singleValue modules -- uses default charting properties: note the axis labels, legend, colors, etc
  43. You can have as many different CSS files as you like on a per-app basis -- each view can reference any CSS file that is available in its app -- not going to cover CSS customization here; plenty of online resources -- recommend Firebug+Firefox or Chrome+Web Inspector
  44. After: -- this is simple CSS and charting properties applied -- no other structural changes involved Source is available online
  45. There are many different properties you can adjust on a per-chart basis -- these are set in XML configuration -- each property name is hierarchical -- dots are used to denote hierarchy -- http://www.splunk.com/base/Documentation/latest/Developer/AdvancedCharting -- http://www.splunk.com/base/Documentation/latest/Developer/ChartReference
  46. * Add link to advanced XML
  47. Promote usability sessions! We’re hiring
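
Notes 35 and 36 describe ctable as a counter that tallies combinations of two fields, with clientip as rows and http_status as columns, and mention highlighting hotspots. The Python sketch below is an added example, not code from the slides or from Splunk: it reproduces that tally over constructed events, and it assumes that maxrows and maxcols keep the most frequent values and drop the rest. The hotspots helper and its thresholds are hypothetical stand-ins for the heatmap decorator.

```python
from collections import Counter

# Constructed (clientip, status) pairs standing in for access-log events.
SAMPLE_EVENTS = [
    ("10.0.0.5", "200"), ("10.0.0.5", "200"), ("10.0.0.5", "404"),
    ("10.0.0.7", "200"), ("10.0.0.7", "500"), ("10.0.0.7", "500"),
    ("10.0.0.7", "500"), ("10.0.0.9", "200"), ("10.0.0.9", "301"),
    ("10.0.0.5", "200"),
]


def _top_values(values, limit):
    """Most frequent values first; ties broken by value for stable output."""
    counts = Counter(values)
    return sorted(counts, key=lambda v: (-counts[v], v))[:limit]


def contingency(events, maxrows=10, maxcols=10):
    """Tally every (row, col) combination, like `ctable rowfield colfield`.

    Assumption: when a field has more distinct values than the limit,
    the least common values are left out of the table.
    """
    events = list(events)
    rows = _top_values((r for r, _ in events), maxrows)
    cols = _top_values((c for _, c in events), maxcols)
    cells = Counter(events)  # missing combinations count as 0
    table = {r: {c: cells[(r, c)] for c in cols} for r in rows}
    return rows, cols, table


def hotspots(table, min_share=0.5, min_count=2):
    """Cells holding more than min_share of their column's total.

    Hypothetical helper: a text stand-in for the heatmap decorator.
    """
    found = []
    for row, cells in table.items():
        for col, count in cells.items():
            col_total = sum(r[col] for r in table.values())
            if col_total and count >= min_count and count / col_total > min_share:
                found.append((row, col, count))
    return found


if __name__ == "__main__":
    rows, cols, table = contingency(SAMPLE_EVENTS)
    print("clientip".ljust(10), *(c.rjust(5) for c in cols))
    for r in rows:
        print(r.ljust(10), *(str(table[r][c]).rjust(5) for c in cols))
    print("hotspots:", hotspots(table))
```

In the constructed data, one client accounts for every 500 response, which is the kind of cell a heatmap makes visible at a glance.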