All Apps and Add-ons

Topology Visualization : Message Format

dcmohann
New Member

Hi,
In order to achieve the Topology Visualization for my messages/alerts, Is there any specific message/fields that app is looking for? how the graph representing relationships between different nodes, is it automatic. Any documentation available ?

Thanks.

0 Karma
1 Solution

niketn
Legend

@dcmohann Network Topology Custom Visualization is a Custom Visualization built by Splunk Works which comes with an Example Dashboard which is fairly explanatory for expected input/s and settings.

It expects 5 columns Source, Source Type, Destination, Destination Type and the Link Type. You can plot Network Topology without Source Type and Destination Type and in fact no Link Type would also work but it will show Unlabeled link for such links as there will be no Link to Configure.

PS: Even if you have populated Links Types you would need to define links using Visualization Format option i.e. Color, Link Connection Style, Link Value and Display Label etc. Using Format option you can also configure Drilldown for nodes. There is a Dropdown to highlight specific Node depending on Node Type or Node Name (following screenshot highlights all the DBs)

alt text

Another option for you would be to use Simple Force Directed App for Splunk, also built by Splunk Works ;), which would just show connected between source and destination.

alt text
Following is a Sample Run any where dashboard which builds both the visualizations as illustrated in the screenshots. PS: Network Topology and Force Directed Custom Visualizations from Splunkbase for examples to work.

<dashboard>
  <label>Network Visualization</label>
  <row>
    <panel>
      <title>Network Topology Custom Visualization</title>
      <viz type="network_topology.network_topology">
        <search>
          <query>| makeresults
| fields - _time
| eval data="source=\"appserver_p_01\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"appserver_p_02\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_t_01\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"appserver_t_02\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"sqlserver_t_01\", sourceRole=\"DB\", destination=\"sqlserver_t_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_d_01\", sourceRole=\"Appserver\", destination=\"sqlserver_d_01\", destinationRole=\"DB\", linkType=\"dev\";"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| table source sourceRole destination destinationRole linkType</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="network_topology.network_topology.drilldown">false</option>
        <option name="network_topology.network_topology.link1">prod</option>
        <option name="network_topology.network_topology.link1Color">#c00000</option>
        <option name="network_topology.network_topology.link1Dashed">false</option>
        <option name="network_topology.network_topology.link1Label">Production</option>
        <option name="network_topology.network_topology.link2">training</option>
        <option name="network_topology.network_topology.link2Color">#f1813f</option>
        <option name="network_topology.network_topology.link2Dashed">false</option>
        <option name="network_topology.network_topology.link2Label">Training</option>
        <option name="network_topology.network_topology.link3">dev</option>
        <option name="network_topology.network_topology.link3Color">#53a051</option>
        <option name="network_topology.network_topology.link3Dashed">false</option>
        <option name="network_topology.network_topology.link3Label">Development</option>
        <option name="network_topology.network_topology.link4">replication</option>
        <option name="network_topology.network_topology.link4Color">#595959</option>
        <option name="network_topology.network_topology.link4Dashed">true</option>
        <option name="network_topology.network_topology.link4Label">SQL Replication</option>
        <option name="network_topology.network_topology.link5">link5</option>
        <option name="network_topology.network_topology.link5Color">#c00000</option>
        <option name="network_topology.network_topology.link5Dashed">false</option>
        <option name="network_topology.network_topology.link5Label">Link 5</option>
        <option name="network_topology.network_topology.unfocusOpacity">0</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <title>Force Directed Graph</title>
      <viz type="force_directed_viz.force_directed">
        <search>
          <query>| makeresults
| fields - _time
| eval data="source=\"appserver_p_01\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"appserver_p_02\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_t_01\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"appserver_t_02\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"sqlserver_t_01\", sourceRole=\"DB\", destination=\"sqlserver_t_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_d_01\", sourceRole=\"Appserver\", destination=\"sqlserver_d_01\", destinationRole=\"DB\", linkType=\"dev\";"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| eval count=1
| table source destination</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="force_directed_viz.force_directed.AttractDistanceMax">200</option>
        <option name="force_directed_viz.force_directed.AttractDistanceMin">60</option>
        <option name="force_directed_viz.force_directed.AttractForceStrength">-300</option>
        <option name="force_directed_viz.force_directed.CollisionIterations">1</option>
        <option name="force_directed_viz.force_directed.CollisionRadius">20</option>
        <option name="force_directed_viz.force_directed.CollisionStrength">0.7</option>
        <option name="force_directed_viz.force_directed.ColorRange1">100</option>
        <option name="force_directed_viz.force_directed.ColorRange1Code">#65a637</option>
        <option name="force_directed_viz.force_directed.ColorRange2">500</option>
        <option name="force_directed_viz.force_directed.ColorRange2Code">#6db7c6</option>
        <option name="force_directed_viz.force_directed.ColorRange3">1000</option>
        <option name="force_directed_viz.force_directed.ColorRange3Code">#f7bc38</option>
        <option name="force_directed_viz.force_directed.ColorRange4">10000</option>
        <option name="force_directed_viz.force_directed.ColorRange4Code">#f58f39</option>
        <option name="force_directed_viz.force_directed.ColorRange5">1000000</option>
        <option name="force_directed_viz.force_directed.ColorRange5Code">#d93f3c</option>
        <option name="force_directed_viz.force_directed.ForceCollision">20</option>
        <option name="force_directed_viz.force_directed.LineColor">disabled</option>
        <option name="force_directed_viz.force_directed.LinkDistance">100</option>
        <option name="force_directed_viz.force_directed.LinkLength">1</option>
        <option name="force_directed_viz.force_directed.RepelDistanceMax">50</option>
        <option name="force_directed_viz.force_directed.RepelDistanceMin">10</option>
        <option name="force_directed_viz.force_directed.RepelForceStrength">-140</option>
        <option name="force_directed_viz.force_directed.StrokeWidth">1</option>
        <option name="force_directed_viz.force_directed.arrows">disabled</option>
        <option name="force_directed_viz.force_directed.circleSize">5</option>
        <option name="force_directed_viz.force_directed.panzoom">disabled</option>
        <option name="force_directed_viz.force_directed.theme">light</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

GOB_Bluth
Explorer

Has anyone been able to use drill down effectively with this package? The drill down provided in the example does not work.

0 Karma

Sahr_Lebbie
Path Finder

I have tried to add it to a panel separately but seems to error out vs when it's in it's own separate dashboard(works perfectly). I used the same exact code. Just wondering if anyone experienced the same issues.

0 Karma

niketn
Legend

Could be because of some other issue. Are you still facing this? Do you have screenshot of JavaScript Console error if any?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Sahr_Lebbie
Path Finder

Hey @niketnilay, not sure what I ended up doing with this issue honestly but I did bypass it.

Any thoughts on creating a link-type that states forwarding instead of just searching, clustering, or licensing?

0 Karma

niketn
Legend

Why not, it is controlled through SPL so linkType can be set to anything as long as your query is handling.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

medavenu
Engager

@niketn ,

We installed Dynatrace Splunk app and addon and most of the dashboards are able to pull data except the Topology Navigator view. Within this view, we are able to select the entity, link type and the entity to link but after hitting on submit button, we get an error "No matching visualization found for type: network_topology, in app: network_topology " Is there a custom visualization app that we need to add?

Also, can we confirm if this app is compatible with Splunk version 7.2.6? Splunkbase only mentions 7.0.0 so wanted to confirm.

0 Karma

niketn
Legend

@dcmohann Network Topology Custom Visualization is a Custom Visualization built by Splunk Works which comes with an Example Dashboard which is fairly explanatory for expected input/s and settings.

It expects 5 columns Source, Source Type, Destination, Destination Type and the Link Type. You can plot Network Topology without Source Type and Destination Type and in fact no Link Type would also work but it will show Unlabeled link for such links as there will be no Link to Configure.

PS: Even if you have populated Links Types you would need to define links using Visualization Format option i.e. Color, Link Connection Style, Link Value and Display Label etc. Using Format option you can also configure Drilldown for nodes. There is a Dropdown to highlight specific Node depending on Node Type or Node Name (following screenshot highlights all the DBs)

alt text

Another option for you would be to use Simple Force Directed App for Splunk, also built by Splunk Works ;), which would just show connected between source and destination.

alt text
Following is a Sample Run any where dashboard which builds both the visualizations as illustrated in the screenshots. PS: Network Topology and Force Directed Custom Visualizations from Splunkbase for examples to work.

<dashboard>
  <label>Network Visualization</label>
  <row>
    <panel>
      <title>Network Topology Custom Visualization</title>
      <viz type="network_topology.network_topology">
        <search>
          <query>| makeresults
| fields - _time
| eval data="source=\"appserver_p_01\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"appserver_p_02\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_t_01\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"appserver_t_02\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"sqlserver_t_01\", sourceRole=\"DB\", destination=\"sqlserver_t_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_d_01\", sourceRole=\"Appserver\", destination=\"sqlserver_d_01\", destinationRole=\"DB\", linkType=\"dev\";"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| table source sourceRole destination destinationRole linkType</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="network_topology.network_topology.drilldown">false</option>
        <option name="network_topology.network_topology.link1">prod</option>
        <option name="network_topology.network_topology.link1Color">#c00000</option>
        <option name="network_topology.network_topology.link1Dashed">false</option>
        <option name="network_topology.network_topology.link1Label">Production</option>
        <option name="network_topology.network_topology.link2">training</option>
        <option name="network_topology.network_topology.link2Color">#f1813f</option>
        <option name="network_topology.network_topology.link2Dashed">false</option>
        <option name="network_topology.network_topology.link2Label">Training</option>
        <option name="network_topology.network_topology.link3">dev</option>
        <option name="network_topology.network_topology.link3Color">#53a051</option>
        <option name="network_topology.network_topology.link3Dashed">false</option>
        <option name="network_topology.network_topology.link3Label">Development</option>
        <option name="network_topology.network_topology.link4">replication</option>
        <option name="network_topology.network_topology.link4Color">#595959</option>
        <option name="network_topology.network_topology.link4Dashed">true</option>
        <option name="network_topology.network_topology.link4Label">SQL Replication</option>
        <option name="network_topology.network_topology.link5">link5</option>
        <option name="network_topology.network_topology.link5Color">#c00000</option>
        <option name="network_topology.network_topology.link5Dashed">false</option>
        <option name="network_topology.network_topology.link5Label">Link 5</option>
        <option name="network_topology.network_topology.unfocusOpacity">0</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <title>Force Directed Graph</title>
      <viz type="force_directed_viz.force_directed">
        <search>
          <query>| makeresults
| fields - _time
| eval data="source=\"appserver_p_01\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"appserver_p_02\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_t_01\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"appserver_t_02\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"sqlserver_t_01\", sourceRole=\"DB\", destination=\"sqlserver_t_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_d_01\", sourceRole=\"Appserver\", destination=\"sqlserver_d_01\", destinationRole=\"DB\", linkType=\"dev\";"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| eval count=1
| table source destination</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="force_directed_viz.force_directed.AttractDistanceMax">200</option>
        <option name="force_directed_viz.force_directed.AttractDistanceMin">60</option>
        <option name="force_directed_viz.force_directed.AttractForceStrength">-300</option>
        <option name="force_directed_viz.force_directed.CollisionIterations">1</option>
        <option name="force_directed_viz.force_directed.CollisionRadius">20</option>
        <option name="force_directed_viz.force_directed.CollisionStrength">0.7</option>
        <option name="force_directed_viz.force_directed.ColorRange1">100</option>
        <option name="force_directed_viz.force_directed.ColorRange1Code">#65a637</option>
        <option name="force_directed_viz.force_directed.ColorRange2">500</option>
        <option name="force_directed_viz.force_directed.ColorRange2Code">#6db7c6</option>
        <option name="force_directed_viz.force_directed.ColorRange3">1000</option>
        <option name="force_directed_viz.force_directed.ColorRange3Code">#f7bc38</option>
        <option name="force_directed_viz.force_directed.ColorRange4">10000</option>
        <option name="force_directed_viz.force_directed.ColorRange4Code">#f58f39</option>
        <option name="force_directed_viz.force_directed.ColorRange5">1000000</option>
        <option name="force_directed_viz.force_directed.ColorRange5Code">#d93f3c</option>
        <option name="force_directed_viz.force_directed.ForceCollision">20</option>
        <option name="force_directed_viz.force_directed.LineColor">disabled</option>
        <option name="force_directed_viz.force_directed.LinkDistance">100</option>
        <option name="force_directed_viz.force_directed.LinkLength">1</option>
        <option name="force_directed_viz.force_directed.RepelDistanceMax">50</option>
        <option name="force_directed_viz.force_directed.RepelDistanceMin">10</option>
        <option name="force_directed_viz.force_directed.RepelForceStrength">-140</option>
        <option name="force_directed_viz.force_directed.StrokeWidth">1</option>
        <option name="force_directed_viz.force_directed.arrows">disabled</option>
        <option name="force_directed_viz.force_directed.circleSize">5</option>
        <option name="force_directed_viz.force_directed.panzoom">disabled</option>
        <option name="force_directed_viz.force_directed.theme">light</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

hellosandeep123
Engager

Thanks for the above sample @niketnilay. I have a small query, is there a way to make position of nodes static in the Network Topology Custom Visualization graph ? It gets all messed up on every refresh.

Thanks.

Sahr_Lebbie
Path Finder

@hellosandeep123, i've wondered the same but I don't think so unless you edits the JS directly.

0 Karma

niketn
Legend

Since it is Force Directed Graph, you can set several parameters to define collision etc as per your needs.

     <option name="force_directed_viz.force_directed.AttractDistanceMax">200</option>
     <option name="force_directed_viz.force_directed.AttractDistanceMin">60</option>
     <option name="force_directed_viz.force_directed.AttractForceStrength">-300</option>
     <option name="force_directed_viz.force_directed.CollisionIterations">1</option>
     <option name="force_directed_viz.force_directed.CollisionRadius">20</option>
     <option name="force_directed_viz.force_directed.CollisionStrength">0.7</option>
     <option name="force_directed_viz.force_directed.ForceCollision">20</option>
     <option name="force_directed_viz.force_directed.LinkDistance">100</option>
     <option name="force_directed_viz.force_directed.LinkLength">1</option>
     <option name="force_directed_viz.force_directed.RepelDistanceMax">50</option>
     <option name="force_directed_viz.force_directed.RepelDistanceMin">10</option>
     <option name="force_directed_viz.force_directed.RepelForceStrength">-140</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

dcmohann
New Member

Thanks a lot @niketnilay, your example rocks. It would be helpful for me like beginners, if these kind of examples are attached on Network Topology page itself. I was looking for Network Topology and it exactly matches my need. I hope there no limitation on number of nodes and it would work with at least 20.

Also is there a any way, can i customize and have the label on top the arrow. For example, I am planning to have cpu / memory utilization etc... value as a label.

0 Karma

niketn
Legend

@dcmohan, I would have to look into code myself or @michaellin Author of the App should confirm whether there is any limitation on number of nodes. I dont expect so since this visualization is on top of Force Directed Graph.

For the Arrow related label, it is displayed on Top Left as Legends not on the arrow themselves.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...