User talk:Niketnilay


Topic 15: Following is an example of an Orderflow Status Tracker using the Status Indicator Custom Visualization with Trellis Layout to split Status Indicators by status.

Step 1: Get Order Status in chronological order. While the dashboard takes dummy status values, it expects Order flow status in chronological sequence, i.e. created, confirmed, shipped, delivered etc.

Step 2: Add empty rows of order status with invalid time. append commands are used to add each status with an invalid time, so that a row is created for any status which is not present for a specific order.

Step 3: Perform dedup by status to ensure only one row per status for an order.

Step 4: Use eval to set up icon and color for the Status Indicator Custom Visualization. The time field is used as the value (for example, I have used time in %H:%M format; it can be anything else as per Order SLA).

Step 5: Ensure that Order Statuses are sorted by prefix sequence number and fed to the stats command.

Step 6: Override CSS style for Status Indicators to apply border-radius to turn them from square to oval.

PS: a) Trellis does not sort even if the table is sorted using the sort command. b) Trellis gives the split option by status only if the stats command is used, not through table, even though both give a single row per status.

OrderFlowStatus Oval.png

Following is the Simple XML code used for attached screenshot:

<dashboard>
   <label>Order Flow Status by Status Indicator with Trellis Layout</label>
   <row>
    <panel>
      <html depends="$alwaysHideCSSOverride$">
        <style>
          .splunk-status-indicator {
            border-radius: 25px !important;
          }
        </style>
      </html>
    </panel>
   </row>
   <row>
     <panel>
       <title>Order Confirmed</title>
       <viz type="status_indicator_app.status_indicator">
         <search>
           <query>| makeresults
 | eval _time=strptime("09/20/2017 01:00:00","%m/%d/%Y %H:%M:%S")
 | eval status="Created"
 | append[ | makeresults
 | eval _time=strptime("09/20/2017 02:00:00","%m/%d/%Y %H:%M:%S")
 | eval status="Confirmed"]
 | append [ | makeresults
   | eval status="Created"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Confirmed"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Rejected"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Shipped"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")] 
 | append [ | makeresults
   | eval status="Delivered"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")] 
 | dedup status
 | eval icon=case(status=="Created","cart-plus",status=="Confirmed","calendar-check-o",status=="Rejected","calendar-times-o",status=="Shipped","paper-plane",status=="Delivered","gift")
 | eval time=strftime(_time,"%H:%M %p")
 | eval time=case(isnull(time),"N/A",true(),time)
 | eval color=case(status=="Created" AND time=="N/A","grey",status=="Created" AND time!="N/A","green",status=="Confirmed" AND time=="N/A","grey",status=="Confirmed" AND time!="N/A","green",status=="Rejected" AND time=="N/A","grey",status=="Rejected" AND time!="N/A","red",status=="Shipped" AND time=="N/A","grey",status=="Shipped" AND time!="N/A","green",status=="Delivered" AND time=="N/A","grey",status=="Delivered" AND time!="N/A","green")
 | table status time icon color
 | eval status=case(status=="Created","1.Created",status=="Confirmed","2a.Confirmed",status=="Rejected","2b.Rejected",status=="Shipped","3.Shipped",status=="Delivered","4.Delivered")
 | stats values(time) as time values(icon) as icon values(color) as color by status
 | sort time</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="drilldown">none</option>
         <option name="height">200</option>
         <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
         <option name="status_indicator_app.status_indicator.fillTarget">background</option>
         <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
         <option name="status_indicator_app.status_indicator.icon">field_value</option>
         <option name="status_indicator_app.status_indicator.precision">0</option>
         <option name="status_indicator_app.status_indicator.showOption">1</option>
         <option name="status_indicator_app.status_indicator.staticColor">#555</option>
         <option name="status_indicator_app.status_indicator.useColors">true</option>
         <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
         <option name="trellis.enabled">1</option>
         <option name="trellis.scales.shared">1</option>
         <option name="trellis.size">small</option>
         <option name="trellis.splitBy">status</option>
       </viz>
     </panel>
   </row>
   <row>
     <panel>
       <title>Order Rejected</title>
       <viz type="status_indicator_app.status_indicator">
         <search>
           <query>| makeresults
 | eval _time=strptime("09/20/2017 01:00:00","%m/%d/%Y %H:%M:%S")
 | eval status="Created"
 | append[ | makeresults
 | eval _time=strptime("09/20/2017 03:00:00","%m/%d/%Y %H:%M:%S")
 | eval status="Rejected"]
 | append [ | makeresults
   | eval status="Created"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Confirmed"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Rejected"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Shipped"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")] 
 | append [ | makeresults
   | eval status="Delivered"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")] 
 | dedup status
 | eval icon=case(status=="Created","cart-plus",status=="Confirmed","calendar-check-o",status=="Rejected","calendar-times-o",status=="Shipped","paper-plane",status=="Delivered","gift")
 | eval time=strftime(_time,"%H:%M %p")
 | eval time=case(isnull(time),"N/A",true(),time)
 | eval color=case(status=="Created" AND time=="N/A","grey",status=="Created" AND time!="N/A","green",status=="Confirmed" AND time=="N/A","grey",status=="Confirmed" AND time!="N/A","green",status=="Rejected" AND time=="N/A","grey",status=="Rejected" AND time!="N/A","red",status=="Shipped" AND time=="N/A","grey",status=="Shipped" AND time!="N/A","green",status=="Delivered" AND time=="N/A","grey",status=="Delivered" AND time!="N/A","green")
 | table status time icon color
 | eval status=case(status=="Created","1.Created",status=="Confirmed","2a.Confirmed",status=="Rejected","2b.Rejected",status=="Shipped","3.Shipped",status=="Delivered","4.Delivered")
 | stats values(time) as time values(icon) as icon values(color) as color by status
 | sort time</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="drilldown">none</option>
         <option name="height">200</option>
         <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
         <option name="status_indicator_app.status_indicator.fillTarget">background</option>
         <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
         <option name="status_indicator_app.status_indicator.icon">field_value</option>
         <option name="status_indicator_app.status_indicator.precision">0</option>
         <option name="status_indicator_app.status_indicator.showOption">1</option>
         <option name="status_indicator_app.status_indicator.staticColor">#555</option>
         <option name="status_indicator_app.status_indicator.useColors">true</option>
         <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
         <option name="trellis.enabled">1</option>
         <option name="trellis.scales.shared">1</option>
         <option name="trellis.size">small</option>
         <option name="trellis.splitBy">status</option>
       </viz>
     </panel>
   </row>
   <row>
     <panel>
       <title>Order Shipped</title>
       <viz type="status_indicator_app.status_indicator">
         <search>
           <query>| makeresults
 | eval _time=strptime("09/20/2017 01:00:00","%m/%d/%Y %H:%M:%S")
 | eval status="Created"
 | append[ | makeresults
 | eval _time=strptime("09/20/2017 02:00:00","%m/%d/%Y %H:%M:%S")
 | eval status="Confirmed"]
 | append[ | makeresults
 | eval _time=strptime("09/20/2017 03:00:00","%m/%d/%Y %H:%M:%S")
 | eval status="Shipped"]
 | append [ | makeresults
   | eval status="Created"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Confirmed"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Rejected"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Shipped"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")] 
 | append [ | makeresults
   | eval status="Delivered"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")] 
 | dedup status
 | eval icon=case(status=="Created","cart-plus",status=="Confirmed","calendar-check-o",status=="Rejected","calendar-times-o",status=="Shipped","paper-plane",status=="Delivered","gift")
 | eval time=strftime(_time,"%H:%M %p")
 | eval time=case(isnull(time),"N/A",true(),time)
 | eval color=case(status=="Created" AND time=="N/A","grey",status=="Created" AND time!="N/A","green",status=="Confirmed" AND time=="N/A","grey",status=="Confirmed" AND time!="N/A","green",status=="Rejected" AND time=="N/A","grey",status=="Rejected" AND time!="N/A","red",status=="Shipped" AND time=="N/A","grey",status=="Shipped" AND time!="N/A","green",status=="Delivered" AND time=="N/A","grey",status=="Delivered" AND time!="N/A","green")
 | table status time icon color
 | eval status=case(status=="Created","1.Created",status=="Confirmed","2a.Confirmed",status=="Rejected","2b.Rejected",status=="Shipped","3.Shipped",status=="Delivered","4.Delivered")
 | stats values(time) as time values(icon) as icon values(color) as color by status
 | sort time</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="drilldown">none</option>
         <option name="height">200</option>
         <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
         <option name="status_indicator_app.status_indicator.fillTarget">background</option>
         <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
         <option name="status_indicator_app.status_indicator.icon">field_value</option>
         <option name="status_indicator_app.status_indicator.precision">0</option>
         <option name="status_indicator_app.status_indicator.showOption">1</option>
         <option name="status_indicator_app.status_indicator.staticColor">#555</option>
         <option name="status_indicator_app.status_indicator.useColors">true</option>
         <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
         <option name="trellis.enabled">1</option>
         <option name="trellis.scales.shared">1</option>
         <option name="trellis.size">small</option>
         <option name="trellis.splitBy">status</option>
       </viz>
     </panel>
   </row>
   <row>
     <panel>
       <title>Order Delivered</title>
       <viz type="status_indicator_app.status_indicator">
         <search>
           <query>| makeresults
 | eval _time=strptime("09/20/2017 01:00:00","%m/%d/%Y %H:%M:%S")
 | eval status="Created"
 | append[ | makeresults
 | eval _time=strptime("09/20/2017 02:00:00","%m/%d/%Y %H:%M:%S")
 | eval status="Confirmed"]
 | append[ | makeresults
 | eval _time=strptime("09/20/2017 03:00:00","%m/%d/%Y %H:%M:%S")
 | eval status="Shipped"]
 | append[ | makeresults
 | eval _time=strptime("09/20/2017 04:00:00","%m/%d/%Y %H:%M:%S")
 | eval status="Delivered"]
 | append [ | makeresults
   | eval status="Created"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Confirmed"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Rejected"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")]  
 | append [ | makeresults
   | eval status="Shipped"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")] 
 | append [ | makeresults
   | eval status="Delivered"
   | eval _time=strptime("99/99/9999 99:99:99","%m/%d/%Y %H:%M:%S")] 
 | dedup status
 | eval icon=case(status=="Created","cart-plus",status=="Confirmed","calendar-check-o",status=="Rejected","calendar-times-o",status=="Shipped","paper-plane",status=="Delivered","gift")
 | eval time=strftime(_time,"%H:%M %p")
 | eval time=case(isnull(time),"N/A",true(),time)
 | eval color=case(status=="Created" AND time=="N/A","grey",status=="Created" AND time!="N/A","green",status=="Confirmed" AND time=="N/A","grey",status=="Confirmed" AND time!="N/A","green",status=="Rejected" AND time=="N/A","grey",status=="Rejected" AND time!="N/A","red",status=="Shipped" AND time=="N/A","grey",status=="Shipped" AND time!="N/A","green",status=="Delivered" AND time=="N/A","grey",status=="Delivered" AND time!="N/A","green")
 | table status time icon color
 | eval status=case(status=="Created","1.Created",status=="Confirmed","2a.Confirmed",status=="Rejected","2b.Rejected",status=="Shipped","3.Shipped",status=="Delivered","4.Delivered")
 | stats values(time) as time values(icon) as icon values(color) as color by status
 | sort time</query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="drilldown">none</option>
         <option name="height">200</option>
         <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
         <option name="status_indicator_app.status_indicator.fillTarget">background</option>
         <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
         <option name="status_indicator_app.status_indicator.icon">field_value</option>
         <option name="status_indicator_app.status_indicator.precision">0</option>
         <option name="status_indicator_app.status_indicator.showOption">1</option>
         <option name="status_indicator_app.status_indicator.staticColor">#555</option>
         <option name="status_indicator_app.status_indicator.useColors">true</option>
         <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
         <option name="trellis.enabled">1</option>
         <option name="trellis.scales.shared">1</option>
         <option name="trellis.size">small</option>
         <option name="trellis.splitBy">status</option>
       </viz>
     </panel>
   </row>
 </dashboard>

Topic 14: SimpleXML JS Extension: Example (i) Dashboard Refresh button and Example (ii) Token Unset Button

Example (i) Dashboard Refresh Button

A Refresh button can be created in Splunk using an HTML panel and styled with the Bootstrap classes from Splunk's style guide, i.e. http://<SplunkServerName>/en-US/static/docs/style/style-guide.html. A SimpleXML JS Extension can then be used to wire jQuery to refresh the dashboard when the Refresh button is clicked.

Refresh Dashboard on Button Click.png

Following is the JavaScript file refresh_button.js to be included in dashboard:


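require([
    'jquery',
    'splunkjs/mvc/simplexml/ready!'
], function($) {
    // Reload the dashboard when the Refresh button (#refresh) is clicked
    $('#refresh').on("click", function() {
        // Pass a function, not a string, so nothing is evaluated as code
        setTimeout(function() {
            location.reload();
        }, 0);
    });
});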


Following is the Dashboard SimpleXML code:


<dashboard script="refresh_button.js">
  <label>Refresh Dashboard on Button Click</label>
  <row>
    <panel>
      <html>
        <button id="refresh" type="button" class="btn btn-primary">Refresh <i class="icon-rotate" style="font-size: 1em;"/>
        </button>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>| makeresults
| fieldformat _time=strftime(_time,"%c")
| eval color="#6db7c6"
| eval icon="clock-o"
| table _time icon color</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="height">150</option>
        <option name="drilldown">none</option>
        <option name="status_indicator_app.status_indicator.colorBy">static_color</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">fix_icon</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#6db7c6</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
      </viz>
    </panel>
  </row>
</dashboard>

Example (ii) Token Unset Button

On similar lines, the following example sets token1 and token2 through the table <drilldown> event handler, using the field which is clicked (i.e. Token) and setting the tokens based on $row.<fieldValue>$. Following is the JavaScript, reset_tokens.js, which handles the Reset button's click() event through a jQuery selector based on the button id, which is #reset. It uses Splunk's EventHandler library to unset the tokens:

Unset tokens on Button Click.png

require([
    'jquery',
    'splunkjs/mvc/simplexml/eventhandler'
], function($, EventHandler) {
    // Unset both drilldown tokens when the Reset button (#reset) is clicked
    $('#reset').on("click", function() {
        EventHandler.unsetToken("token1");
        EventHandler.unsetToken("token2");
    });
});

Following is the dashboard code in SimpleXML with reference to reset_tokens.js for JavaScript Extension:

<form script="reset_tokens.js">
  <label>Table Row Drilldown Reset Tokens</label>
  <row>
    <panel>
      <html>
        <button class="btn btn-primary" id="reset">Reset <i class="icon-rotate" style="font-size:1em"/></button>
      </html>
      <table>
        <search>
          <query>| makeresults
| eval "Click Token to"="Set Token 1", Token="token1"
| append [| makeresults
  | eval "Click Token to"="Set Token 2", Token="token2"]
| table "Click Token to" Token</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="Token">
            <eval token="token1">case($row.Token$="token1","true")</eval>
            <eval token="token2">case($row.Token$="token2","true")</eval>
          </condition>
          <condition>
            <!-- Do nothing when other column is clicked -->
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Chart 1</title>
      <single depends="$token1$">
        <search>
          <query>|makeresults
| eval chart1="token1 is set - $token1$"
| table chart1</query>
        </search>
        <option name="drilldown">all</option>
      </single>
    </panel>
    <panel>
      <title>Chart 2</title>
      <single depends="$token2$">
        <search>
          <query>|makeresults
| eval chart2="token2 is set - $token2$"
| table chart2</query>
        </search>
        <option name="drilldown">all</option>
      </single>
    </panel>
  </row>
</form>

Topic 13: Use text box as multi-value input for Multiselect input using SimpleXML

The Multiselect input box does not allow copy-pasting multiple values in a single shot. Hence input has to be provided one value at a time.

Multiselect input by copy paste.png

Following run anywhere example based on Splunk's _internal index uses a Text Box to update the multiselect input values by splitting comma separated inputs:

<form>
  <label>Multiselect input examples</label>
  <description>Copy paste values to Multiselect input via text box</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="selMult" searchWhenChanged="true">
      <label>Select Multiple Inputs</label>
      <valuePrefix>component="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by component
| sort component
| table component</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="selText" searchWhenChanged="true">
      <label>Override Multiselect Values (Copy Paste Comma Separated Text in Text Box)</label>
      <change>
        <condition match="len($value$)>0">
          <eval token="selMult">split($value$,",")</eval>
          <eval token="form.selMult">split($value$,",")</eval>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO" $selMult$
| timechart count by component</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.chart.nullValueMode">zero</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>

PS: Only the case of no data in the Text Box has been handled. Validation of the comma-separated values can be done using a JavaScript Regular Expression on the Text Box.
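One way to do that validation, as an added example that is not part of the original page: each pasted value is checked against a regular expression before anything is written to the multiselect token, so quotes, pipes and other search syntax never reach `$selMult$`. The allowed character set, the 50-value limit, the function names and the `form.selText` wiring are assumptions made for this example.

```javascript
// Added example (not from the original page): validate comma-separated
// component names pasted into the text box before they update the multiselect.

// Assumption: a component name starts with a letter and contains only
// letters, digits, '_', ':', '.' and '-', up to 64 characters.
const COMPONENT_RE = /^[A-Za-z][A-Za-z0-9_:.-]{0,63}$/;
const MAX_VALUES = 50; // assumed upper bound on pasted values

// Split the raw text, trim each item, drop empties and duplicates,
// and separate values that pass the allow-list from those that do not.
function parseComponentList(raw) {
  const accepted = [];
  const rejected = [];
  const seen = new Set();
  String(raw == null ? '' : raw).split(',').forEach(function (part) {
    const value = part.trim();
    if (value === '') {
      return; // tolerate "a,,b" and trailing commas
    }
    if (!COMPONENT_RE.test(value)) {
      rejected.push(value);
      return;
    }
    if (!seen.has(value)) {
      seen.add(value);
      accepted.push(value);
    }
  });
  return {
    accepted: accepted,
    rejected: rejected,
    // Usable only if every item passed and the list is non-empty and bounded
    ok: rejected.length === 0 &&
        accepted.length > 0 &&
        accepted.length <= MAX_VALUES
  };
}

// Build the clause the multiselect itself would produce from its
// <valuePrefix>, <valueSuffix> and <delimiter> settings on this page.
function buildSearchClause(values) {
  return values.map(function (v) {
    return 'component="' + v + '"';
  }).join(' OR ');
}

// Dashboard wiring. It runs only under Splunk's RequireJS loader; the
// "default" token model and the form.* token names are assumptions about
// how the form on this page exposes its inputs.
if (typeof define === 'function' && define.amd) {
  require([
    'splunkjs/mvc',
    'splunkjs/mvc/simplexml/ready!'
  ], function (mvc) {
    var defaultTokens = mvc.Components.get('default');
    defaultTokens.on('change:form.selText', function (model, value) {
      var result = parseComponentList(value);
      if (result.ok) {
        // Hand the multiselect a clean array; it applies prefix and suffix.
        defaultTokens.set('form.selMult', result.accepted);
      } else {
        // Leave the current selection untouched and report what was refused.
        console.warn('Rejected multiselect values:', result.rejected);
      }
    });
  });
}
```

With this script attached to the form, remove the `<change>` block from the text input so the unvalidated `split($value$,",")` no longer sets the tokens.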



Topic 12: Show Tooltip Text on hovering over Panel (Static/Dynamic)

This little section shows step by step process to add (static/dynamic) Tooltip text to Panels on hovering over them.

Panel-Tooltip-On MouseHover.png

Step 1: Add `id` attribute for the panel which requires Tooltip on hover.

   <panel id="panel1">

Step 2: Add <html> panel to the panel. The html panel should also contain id to easily apply CSS for aligning the Tooltip text in Center of the panel. Any other approach for applying CSS Tooltip can also be adopted. However, make sure that Splunk's default Tooltip style should not be overridden.

Add depends section for showing or hiding the Tooltip via a token which will be set/unset later via JavaScript. PS: rejects can be used in place of depends to test out CSS Style and to test whether the Tooltip position and text is as expected or not.

Add the HTML code with classes for Tooltip. This is based on Splunk's Bootstrap example provided in style_guide.html

     <html id="htmlToolTip1" depends="$tokToolTipShow1$">
        <!-- Style for Tooltip Text for center alignment with panel -->
        <style>
          #htmlToolTip1{
            margin:auto !important;
            width: 20% !important;
          }
        </style>
        <div class="tooltip fade top in">
          <div class="tooltip-arrow"/>
          <div class="tooltip-inner">$tokToolTipText1$</div>
        </div>
      </html>

Step 3: Set Tooltip Text Token (tokToolTipText1) (Static or Dynamic). PS: this is different than Show Tooltip Text token (tokToolTipShow1)

Ideal place to declare Static Tooltip Text token is <init> tag in Splunk Dashboard (in version 6.5 onward)

 <init>
    <set token="tokToolTipText1">Tooltip1 Text Goes Here</set>
  </init>

Dynamic Token can be set via Splunk Event Handlers or Environment tokens. Search event handler has been used to set Tooltip text token tokToolTipText1 in the following example:

     <table>
        <search>
          <query>index=_internal sourcetype=* 
| chart count sparkline(count, 1h) as trend by sourcetype 
| sort -count 
| head 5</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <done>
            <set token="tokToolTipText1">Tooltip1: Search returned $job.resultCount$ Results!</set>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>


Step 4: Wire in jQuery based JavaScript panel_tooltip.js to handle mouseover and mouseout() event handlers for Panel based on Panel ID given in Step 1

require([
    "splunkjs/mvc",
    "splunkjs/mvc/tokenutils",
    "jquery",
    "splunkjs/mvc/searchmanager",
    "splunkjs/ready!",
    "splunkjs/mvc/simplexml/ready!"
], function(
    mvc,
    TokenUtils,
    $,
    SearchManager
) {
    //jQuery to access Panel with ID and use mvc.Components.get() function to get all Submitted Tokens.
    //On mouseover() event set the show token for the Tooltip
    $('#panel1').on("mouseover", function() {
        var tokens = mvc.Components.get("submitted");
        tokens.set("tokToolTipShow1", "true");
    });
    //On mouseout() event unset the show token for the Tooltip to hide the same.
    $('#panel1').on("mouseout", function() {
        var tokens = mvc.Components.get("submitted");
        tokens.unset("tokToolTipShow1");
    });
});

Step 5: Place `panel_tooltip.js` file in the Splunk App's `appserver\static` folder. Depending on the Splunk Installation path and your Splunk app name the static folder might be located under the following path.

   $SPLUNK_HOME\etc\apps\<YourAppName>\appserver\static

Step 6: Add panel_tooltip.js JavaScript to the dashboard and refresh/bump or restart Splunk. This may require clearing browser history as well.


<dashboard script="panel_tooltip.js"> OR <form script="panel_tooltip.js">

Topic 11: Types of jQuery Sparklines in Splunk (besides Line and Bar that we know :))

Splunk officially only supports two sparklines Line and bar (examples present on Splunk 6.x Dashboard Examples App from Splunkbase). However, these are based on jQuery Sparklines built by Omnipotent:

All the examples present on the Omnipotent site are actually available in Splunk. Just the sparkline type needs to be changed between: 1) bar 2) line 3) pie 4) tristate 5) bullet 6) discrete 7) box

Omnipotent jQuery Sparklines in Splunk.png

For example following is the code to show pie-chart sparkline:

       <format field="trend" type="sparkline">
          <option name="type">pie</option>
        </format>

Topic 10: Fixing build error for Splunk Custom Visualization API on a Windows Machine:

Documented steps for building Custom Visualization example using the Custom Visualization API results in error on Windows Machine. http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomVizTutorial

Custom Visualization API Example has been built/tested on *NIX system, and documented steps reflect the same. Since there is a difference in setting Environment Variable and accessing the same between *NIX System and Windows, the package.json available with example needs to be modified to follow Windows nomenclature. For understanding the differences between *nix and Windows in Splunk operations, refer to the documentation: http://docs.splunk.com/Documentation/Splunk/latest/Admin/DifferencesbetweenunixandwindowsinSplunkoperations

Following is the change required to package.json, which should be located at the following path as per documented steps of building Custom Visualization in Splunk:

 SPLUNK_HOME\etc\apps\<VisualizationAppName>\appserver\static\visualizations\<VisualizationName>

For example:

 SPLUNK_HOME\etc\apps\viz_tutorial_app\appserver\static\visualizations\radial_meter

  "scripts": {
     "build": "%SPLUNK_HOME%/bin/splunk cmd node ./node_modules/webpack/bin/webpack.js",
     "devbuild": "%SPLUNK_HOME%/bin/splunk cmd node ./node_modules/webpack/bin/webpack.js --progress",
     "watch": "%SPLUNK_HOME%/bin/splunk cmd node ./node_modules/webpack/bin/webpack.js -d --watch --progress"
   }

PS: I had to manually update the label for Custom Visualization App name which was picked up as $label instead of "Radial Meter". From: Splunk UI from App Manager > $label > Settings > Name

Topic 9: Modal Error Message Window based on bootstrap element in Splunk:

The following code should open a modal window with a Validation Error Message when users click on Submit and the input value for the College dropdown is not selected or empty.

SplunkValidationMessage Modal Window.png

Step 1: Assume a dropdown defined like the following, with a change event handler that unsets or sets the validation error message token tokAlert depending on whether a value is selected or not:

   <fieldset autoRun="false" submitButton="true" position="top">
      <input type="dropdown" token="input1" searchWhenChanged="false">
        <label>College</label>
        <choice value="abc">ABC</choice>
        <choice value="def">DEF</choice>
        <change>
          <condition match="isnull($value$)">
            <set token="tokAlert">No College Selected</set>
          </condition>
          <condition>
            <unset token="tokAlert"></unset>
          </condition>
        </change>
      </input>
    </fieldset>

Step 2: Code for HTML Panel in Simple XML with modal window which is hidden by default (through style="display: none;" and aria-hidden="true" attributes):

  <row>
     <panel>
       <!--HTML for Modal View to Display Validation Messages-->
       <!--Hidden by default-->
       <!--Shows up on Submit button click based on validation errors-->
       <html>
         <div class="section" id="modals">
           <div class="modal hide fade" id="myModal" style="display: none;" aria-hidden="true">
               <div class="modal-header">
                   <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
                   <h3>Validation Message</h3>
               </div>
               <div class="modal-body">
                   <p>$tokAlert$</p>
               </div>
           </div>
         </div>
       </html>
     </panel>
   </row>

Step 3: The following JavaScript code is used to show the modal window when the token tokAlert is set with a Validation Error Message:

require([
     'splunkjs/mvc',
     'jquery',
     'splunkjs/mvc/simplexml/ready!'
 ], function(mvc,$){
     $('#submit').on("click", function() {
         var submittedTokens = mvc.Components.get("submitted");
         var input1Token = submittedTokens.get("tokAlert"); //Token tokAlert is set             
         console.log("input1Token:",input1Token);
         if(input1Token){
             $('#myModal').modal('show'); //Shows Modal window with Validation Message set in SimpleXML through HTML Panel
         };
     });
 });

Step 4: If you have saved above JavaScript as validation_error_show_modal.js, then include the same as script in your form tag in simple XML

 <form script="validation_error_show_modal.js">

PS: Simple XML CSS Extension or Simple XML JS Extension require bumping of Splunk environment. So refresh/restart Splunk and also clear internet browser history if required.

Topic 8: Splunk Inputs align options/choices horizontally using CSS

Splunk input choices tend to show up on separate lines (vertically). The following CSS override uses the Checkbox input as an example to show the choices on the same line (horizontally):

Horizontal Checkboxes.png


Following is the Simple XML code of a checkbox with several options for version 7.2:

  <form>
    <label>Checkbox Same row</label>
    <row>
       <panel>
         <input type="checkbox" token="input_checkbox" searchWhenChanged="true" id="input_checkbox">
           <label>Checkbox</label>
           <choice value="*">Nothing</choice>
           <choice value="V1">Value1</choice>
           <choice value="V2">Value2</choice>
           <choice value="V3">Value3</choice>
           <delimiter>;</delimiter>
           <default>*</default>
           <initialValue>*</initialValue>
         </input>
       </panel>
     </row>
     <row>
        <html depends="$alwaysHideCSSStyle$">
          <style>
           #input_checkbox div[data-component="splunk-core:/splunkjs/mvc/components/CheckboxGroup"]{
             display: inline-flex !important;
           }
           #input_checkbox div[data-component="splunk-core:/splunkjs/mvc/components/CheckboxGroup"] div[data-test="switch"]{
             padding-right:10px !important;
           }
           #input_checkbox{
             width: 200% !important;
           }
          </style>
        </html>
    </row>
   </form>

Following is the Simple XML code of a checkbox with several options, version 7.0 and previous versions:

  <row>
     <panel>
       <input type="checkbox" token="input_checkbox" searchWhenChanged="true" id="input_checkbox">
         <label>Checkbox</label>
         <choice value="*">Nothing</choice>
         <choice value="V1">Value1</choice>
         <choice value="V2">Value2</choice>
         <choice value="V3">Value3</choice>
         <delimiter>;</delimiter>
         <default>*</default>
         <initialValue>*</initialValue>
       </input>
     </panel>
   </row>
   <row>
      <html depends="$alwaysHideCSSStyle$">
        <style>
         #input_checkbox .control.shared-controls-syntheticcheckboxcontrol.control-default{
           display: inline-block !important;
         }
         #input_checkbox{
           width: 200% !important;
         }
        </style>
      </html>
    </row>

PS: Width of checkbox has been doubled (200%) to prevent wrapping of choices to the next line. This can be adjusted based on needs/number/values of input choices. Style has been applied through style tag with html panel which is always hidden via depends attribute of a token which is never set.

Topic 7: Show Percent in Stacked Column Chart instead of Values and highlight Data Labels as White color through CSS

Following is a run anywhere search for Splunk's _internal index:

1) Chart is prepared with values. Just for simplicity, date_seconds to be used as duration in seconds.

2) rename * as Count* followed by rename Countcomponent as component is used to convert all Value fields to be prefixed with Count.

3) Total field is initialized with 0.

4) foreach is used to calculate Total of each component.

5) foreach is used to convert all Total Value to Percent with round used to set precision to 1 digit after decimal

6) Total field is removed as the same is not required to be displayed in chart.

index=_internal sourcetype=splunkd log_level!=INFO
 | stats count as errors by component date_hour
 | eval date_hour=case(len(date_hour)=1,"0".date_hour,true(),date_hour)
 | chart sum(errors) as Total over component by date_hour limit=24 useother=f usenull=f
 | rename * as count*
 | rename countcomponent as component
 | fillnull value=0
 | eval Total=0
 | foreach count* [eval Total=Total+'<<FIELD>>']
 | foreach count* [eval <<FIELD>>=round(('<<FIELD>>'/Total)*100,1)]
 | fields - Total
 | rename count* as *

In order to display data labels as white (to highlight percent values inside the stacked Column chart), a CSS override is done via a hidden HTML panel with a style tag (the same can also be moved to a separate CSS file to be included in the dashboard).

     <html depends="$alwaysHideCSSOverride$">
         <style>
           #myHighChart g.highcharts-data-label text{
             fill: white !important;
           }
         </style>
       </html>  

PS: The chart that displays stacked percent results from the search query has id="myHighChart", in order to apply the CSS only to the required chart.

Show Percent on Chart - Bar or Column.png

In order to format the results as Stacked Percent with the Y-axis from 0 to 100 at an interval of 10, the following Simple XML configurations have been used:

        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.axisLabelsY.majorUnit">10</option>
        <option name="charting.axisY.maximumNumber">100</option>
        <option name="charting.axisY.minimumNumber">0</option>

Following is the run anywhere Dashboard code(Simple XML)

PS: &amp;lt; needs to be used instead of < and &amp;gt; needs to be used instead of > in the Dashboard Search Query. Following code is getting escaped in Wiki Talk.

 <dashboard script="highchart_data_label_percent.js">
   <label>Splunk Answers 666775 - Percent on Bar Chart</label>
   <row>
     <panel>
       <title>Splunk Component Error % by Hour</title>
       <html>
         <style>
           #myHighChart g.highcharts-data-label text{
             fill: white !important;
           }
         </style>
       </html>
       <chart id="myHighChart">
         <search>
           <query>index=_internal sourcetype=splunkd log_level!=INFO
 | stats count as errors by component date_hour
 | eval date_hour=case(len(date_hour)=1,"0".date_hour,true(),date_hour)
 | chart sum(errors) as Total over component by date_hour limit=24 useother=f usenull=f
 | rename * as count*
 | rename countcomponent as component
 | fillnull value=0
 | eval Total=0
 | foreach count* [eval Total=Total+'<<FIELD>>']
 | foreach count* [eval <<FIELD>>=round(('<<FIELD>>'/Total)*100,1)]
 | fields - Total
 | rename count* as *</query>
           <earliest>-1d@d</earliest>
           <latest>@d</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
         <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
         <option name="charting.axisLabelsY.majorUnit">20</option>
         <option name="charting.axisTitleX.visibility">visible</option>
         <option name="charting.axisTitleY.visibility">visible</option>
         <option name="charting.axisTitleY2.visibility">visible</option>
         <option name="charting.axisX.abbreviation">none</option>
         <option name="charting.axisX.scale">linear</option>
         <option name="charting.axisY.abbreviation">none</option>
         <option name="charting.axisY.maximumNumber">100</option>
         <option name="charting.axisY.minimumNumber">0</option>
         <option name="charting.axisY.scale">linear</option>
         <option name="charting.axisY2.abbreviation">none</option>
         <option name="charting.axisY2.enabled">0</option>
         <option name="charting.axisY2.scale">inherit</option>
         <option name="charting.chart">column</option>
         <option name="charting.chart.bubbleMaximumSize">50</option>
         <option name="charting.chart.bubbleMinimumSize">10</option>
         <option name="charting.chart.bubbleSizeBy">area</option>
         <option name="charting.chart.nullValueMode">gaps</option>
         <option name="charting.chart.showDataLabels">all</option>
         <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
         <option name="charting.chart.stackMode">stacked</option>
         <option name="charting.chart.style">shiny</option>
         <option name="charting.drilldown">none</option>
         <option name="charting.layout.splitSeries">0</option>
         <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
         <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
         <option name="charting.legend.mode">standard</option>
         <option name="charting.legend.placement">right</option>
         <option name="charting.lineWidth">2</option>
         <option name="height">540</option>
         <option name="refresh.display">progressbar</option>
         <option name="trellis.enabled">0</option>
         <option name="trellis.scales.shared">1</option>
         <option name="trellis.size">medium</option>
       </chart>
     </panel>
   </row>
 </dashboard>

Following is the JavaScript highchart_data_label_percent.js

 require([
     "jquery",
     "splunkjs/mvc",
     "splunkjs/mvc/simplexml/ready!"
 ], function($,mvc){
     mvc.Components.get("myHighChart").getVisualization(function(chartView) {
         chartView.on("rendered", function() {
             $("#myHighChart g.highcharts-data-label text:not(:contains(%)) tspan").after(" %");
             $("#myHighChart g.highcharts-yaxis-labels text:not(:contains(%)) tspan").after(" %");
         });
     });
 });

Topic 6: Add resize option to Multiselect input

The Multiselect input in Splunk has a fixed width, and its height keeps increasing as new filters are added. Hence it consumes a lot of real-estate space in the filter section of the dashboard.

Multiselect Resize Option.png

Following CSS override allows us to control the following three issues of Multiselect inputs:

1) Width/Height can be initialized as per our need. (PS: For the height to remain fixed, the CSS override height: 500px !important; needs to be applied, which implies that the height cannot be resized.)

2) Width/Height can be changed as per our need.

Following is the CSS to be applied (PS: while the following is generic, CSS should be made specific to individual dashboards using ID and Class etc)

  .splunk-multidropdown .select2-choices{
     width: 500px;
     resize:both;
     overflow:auto;
   }

Topic 5: HTTP Event Collector (HEC) in Windows using cURL with Postman

This extends the HEC walk-through for Windows using cURL with Postman which is not covered in Splunk Dev site: http://dev.splunk.com/view/event-collector/SP-CAAAE7F

Step 1 Set Post End-Point name: http://<YourHostName>:8088/services/collector

Step 2 Add Headers (Key/Value Pairs): (1) Authorization: Splunk <YourHECToken> (2) Content-Type:application/json

Step 3 Set JSON Payload Body: {"sourcetype": "mysourcetype", "event":"HEC New Data"}

Post Packet Setting Part 1.png

Post Packet Setting Part 2.png

PS: I had to disable SSL and test out with http URL instead of https for post due to system configuration.

SSL requires correct settings.png
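
The request assembled in Steps 1 to 3, as an added example that is not part of the original page: it builds the same endpoint, headers and JSON body in JavaScript so they can be inspected before sending, and goes slightly beyond the page by batching several events in one POST. The names buildHecRequest, sendHecRequest and allowPlainHttp, the host name and the all-zero token are assumptions made for the illustration.

```javascript
// Added example, not from the original page. Helper and option names are hypothetical.
const HEC_PORT = 8088;                   // port from Step 1
const HEC_PATH = '/services/collector';  // endpoint from Step 1

// Builds (but does not send) the HEC POST from Steps 1-3.
function buildHecRequest(host, token, events, opts = {}) {
  const { sourcetype = 'mysourcetype', allowPlainHttp = false } = opts;
  if (typeof host !== 'string' || !/^[A-Za-z0-9.-]+$/.test(host)) {
    throw new Error('host must be a bare hostname or IPv4 address');
  }
  // Assumption: the token is a GUID-style string. The check also rejects
  // an empty token and CR/LF characters that would corrupt the header.
  if (typeof token !== 'string' || !/^[A-Za-z0-9-]+$/.test(token)) {
    throw new Error('token is empty or contains unexpected characters');
  }
  const list = Array.isArray(events) ? events : [events];
  if (list.length === 0) throw new Error('at least one event is required');

  // https by default: the token travels in the Authorization header.
  // allowPlainHttp covers a lab setup where SSL is disabled on the input.
  const scheme = allowPlainHttp ? 'http' : 'https';
  // JSON.stringify handles quoting, so event text containing quotes or
  // braces cannot break the payload. A batch is sent as JSON objects
  // written back to back, not as a JSON array.
  const body = list.map((event) => JSON.stringify({ sourcetype, event })).join('');
  return {
    method: 'POST',
    url: `${scheme}://${host}:${HEC_PORT}${HEC_PATH}`,
    headers: {
      Authorization: `Splunk ${token}`,    // Step 2, header (1)
      'Content-Type': 'application/json',  // Step 2, header (2)
    },
    body,
  };
}

// Sends a built request with fetch (Node 18+); rejects on a non-2xx reply.
async function sendHecRequest(req) {
  const res = await fetch(req.url, {
    method: req.method, headers: req.headers, body: req.body,
  });
  if (!res.ok) throw new Error(`HEC returned HTTP ${res.status}`);
  return res.json(); // HEC answers with a small JSON status object
}

// Constructed sample values: placeholder host and all-zero token.
const sampleRequest = buildHecRequest(
  'splunk.example.test', '00000000-0000-0000-0000-000000000000', 'HEC New Data');
```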

Topic 4: Using Angular JS in Splunk HTML dashboard

Angular Controller does not seem to work in Simple XML dashboard, hence conversion to HTML Dashboard might be required.

Splunk HTML Dashboard With AngularJS.png


Step 1: create HTML panel in Splunk Simple XML dashboard (note it will not work right away):


    <row>
       <panel>
         <html>
            <!-- ng-controller will work only in HTML Dashboard-->
            <div ng-app="myApp" ng-controller="myCtrl">
                <h1 ng-repeat="x in records">{{x}}</h1>
            </div>
         </html>
       </panel>
    </row>

Step 2: Create a script for Angular code say angular_dashboard_names.js:


   var app = angular.module("myApp", []);
   app.controller("myCtrl", function($scope) {
       $scope.records = [
           "Dashboard1",
           "Dashboard2",
           "Dashboard3",
           "Dashboard4"
       ]
   });


Step 3: Get a local copy of angular.min.js and save it to your appserver/static folder (it might have to be created, if it does not exist):


Depending on Splunk App name, path may be something like the following:

   $SPLUNK_HOME/etc/apps/<YourAppName>/appserver/static

Step 4: Add JS script files to root node of the dashboard (depending on whether the view is dashboard or form):


Either

   <dashboard script="angular.min.js,angular_dashboard_names.js">

Or

   <form script="angular.min.js,angular_dashboard_names.js">


Step 5: Convert the dashboard from Simple XML to HTML using Convert to HTML option:


PS: If it does not work, you might have to bump Splunk and try again (i.e. restart Splunk, refresh browser history and check).

Topic 3: Dynamic Range for Gauges: Example to Calculate Event Percentage and dynamically decide ranges for the gauge command

Splunk provides Gauge visualizations such as Marker, Filler and Radial, and a gauge command to set various SLA ranges for aggregated data based on value (i.e. into green, yellow and red). Refer to Splunk Documentation: Gauge Command.

Dynamic Range.jpg

Following example uses Splunk's _internal index for various log_levels (INFO, WARN and ERROR). Only the count and Percentage of Warning events is used but others can also be depicted.

Step 1: Using stats command calculate total events and warning events:


   <query>index=_internal sourcetype=splunkd log_level=*
   | stats count(log_level) as total  count(eval(log_level="INFO")) as info count(eval(log_level="WARN")) as warn count(eval(log_level="ERROR")) as error</query>

Step 2: Using done search event handler assign the value of total and warning event counts to token


   <done>
     <condition match="$job.resultCount$==0">
       <set token="Total">0</set>
       <set token="Info">0</set>
       <set token="Warn">0</set>
       <set token="Error">0</set>
     </condition>
     <condition>
       <set token="Total">$result.total$</set>
       <set token="Info">$result.info$</set>
       <set token="Warn">$result.warn$</set>
       <set token="Error">$result.error$</set>
     </condition>
   </done>

Post 6.5, the preview and finalized handlers have been replaced with progress and done.

Search Event Handler Reference#done


Step 3: Query for Warnings Total section. Make use of $Warn$ token set in previous search as Gauge value. Also use $Total$ token for calculating various ranges in gauge.


   <query>| makeresults
   | eval warn=$Warn$
   | eval greenUpper=round($Total$*.70,0)
   | eval yellowUpper=round($Total$*.85,0)
   | gauge warn 0 greenUpper yellowUpper $Total$</query> 

Step 4: Query for Warnings (%) section. Make use of $Warn$ and $Total$ tokens for calculating percent. Use percent as gauge value and define various percent SLAs like 0-70% as Green 70-85% Yellow and 85-100% as Red.


   <query>| makeresults
   | eval infoPerc=round(($Warn$/$Total$)*100,1)
   | gauge infoPerc 0 70 85 100</query>

Topic 2: Overriding Chart Styles using CSS

Splunk uses Highcharts(JSChart) for plotting various charts i.e. Line, Column, Bar, Pie etc. Splunk exposes a lot of required chart properties in Simple XML through chart configurations. Refer to Chart configuration reference for the properties which are available in Simple XML.

However, there are some Highchart configurations like Label Font Size, and Data Label Colors etc. which can not be changed directly via Splunk Web Panel edit or Simple XML. Such display changes can be made via Simple XML CSS Extensions. The chart drawn through Highcharts is a Scalable Vector Graphics (SVG). In order to view DOM structure for Highcharts in Splunk we can use Web Browser's Inspection Tool (Shortcut- F12 Key). Following are some of the DOM nodes used for displaying charts:

Splunk Chart DOM elements.png

The following example shows how CSS can be used to override the font size of Highcharts axis labels and the color of Highcharts data labels. The !important declaration overrides the existing style applied (refer to the CSS Selector Reference on W3Schools). Save the file as YourFileName.css and place it under the $SPLUNK_HOME/etc/apps/<YourAppName>/appserver/static folder. PS: A Splunk restart and clearing of the web browser's caches are required for the changes to take effect.

 /* SVG Highcharts Data Labels color overridden to blue */
 g.highcharts-data-labels text {
    fill: blue !important;
 }

 /* SVG Highcharts x-axis label font size */
 g.highcharts-axis-labels.highcharts-xaxis-labels text {
    font-size: 15px !important;
 }

 /* SVG Highcharts y-axis label font size */
 g.highcharts-axis-labels.highcharts-yaxis-labels text {
    font-size: 15px !important;
 }

PS: In order to include the custom style for Highcharts in the form/dashboard, use stylesheet="<YourFileName>.css" in the first <dashboard> or <form> tag depending on the type of dashboard. For example: <dashboard stylesheet="TestChartStyle.css">

Topic 1: Image Overlay with Icons Example: Extends Image Overlay with Single Values example from Splunk 6.x Dashboard Examples Splunk App

This example extends the Image Overlay with Single Values example provided in the Splunk 6.x Dashboard Examples App. This example overlays data and icons on top of a base image to provide visual status of index queues.

Image Overlay with icons.png

Files used for this example:

1) Simple XML source code for Dashboard (image_overlay_with_icons.xml)

2) CSS for Base Image and Overlay Image/Single Value Style (custom_layout_overlay_icon.css)

PS: Sourcecode.zip file contains both xml and css listed above: File:Sourcecode.zip

3) Background Image for Panel (splunk_indexing_pipeline.png)

4) Four icon files for various queue status, i.e.

  (i) Green (icon_circle_check_green.png)
  (ii) Yellow (icon_circle_exclaim_yellow.png)
  (iii) Red (icon_circle_cross_red.png)
  (iv) Grey (icon_circle_cross_grey.png)