Topology Visualization : Message Format

New Member

Hi,
In order to achieve the Topology Visualization for my messages/alerts, is there any specific message/fields that the app is looking for? How does the graph represent relationships between different nodes, is it automatic? Is any documentation available?

Thanks.

0 Karma
1 Solution

Legend

@dcmohann Network Topology Custom Visualization is a Custom Visualization built by Splunk Works which comes with an Example Dashboard which is fairly explanatory for expected input/s and settings.

It expects 5 columns: Source, Source Type, Destination, Destination Type and the Link Type. You can plot Network Topology without Source Type and Destination Type, and in fact no Link Type would also work, but it will show Unlabeled link for such links as there will be no Link to Configure.

PS: Even if you have populated Link Types you would need to define links using the Visualization Format option, i.e. Color, Link Connection Style, Link Value and Display Label etc. Using the Format option you can also configure Drilldown for nodes. There is a Dropdown to highlight a specific Node depending on Node Type or Node Name (following screenshot highlights all the DBs).

Another option for you would be to use Simple Force Directed App for Splunk, also built by Splunk Works ;), which would just show connections between source and destination.

Following is a sample run-anywhere dashboard which builds both the visualizations as illustrated in the screenshots. PS: Network Topology and Force Directed Custom Visualizations from Splunkbase are needed for the examples to work.

<dashboard>
  <label>Network Visualization</label>
  <row>
    <panel>
      <title>Network Topology Custom Visualization</title>
      <viz type="network_topology.network_topology">
        <search>
          <query>| makeresults
| fields - _time
| eval data="source=\"appserver_p_01\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"appserver_p_02\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_t_01\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"appserver_t_02\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"sqlserver_t_01\", sourceRole=\"DB\", destination=\"sqlserver_t_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_d_01\", sourceRole=\"Appserver\", destination=\"sqlserver_d_01\", destinationRole=\"DB\", linkType=\"dev\";"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| table source sourceRole destination destinationRole linkType</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="network_topology.network_topology.drilldown">false</option>
        <option name="network_topology.network_topology.link1">prod</option>
        <option name="network_topology.network_topology.link1Color">#c00000</option>
        <option name="network_topology.network_topology.link1Dashed">false</option>
        <option name="network_topology.network_topology.link1Label">Production</option>
        <option name="network_topology.network_topology.link2">training</option>
        <option name="network_topology.network_topology.link2Color">#f1813f</option>
        <option name="network_topology.network_topology.link2Dashed">false</option>
        <option name="network_topology.network_topology.link2Label">Training</option>
        <option name="network_topology.network_topology.link3">dev</option>
        <option name="network_topology.network_topology.link3Color">#53a051</option>
        <option name="network_topology.network_topology.link3Dashed">false</option>
        <option name="network_topology.network_topology.link3Label">Development</option>
        <option name="network_topology.network_topology.link4">replication</option>
        <option name="network_topology.network_topology.link4Color">#595959</option>
        <option name="network_topology.network_topology.link4Dashed">true</option>
        <option name="network_topology.network_topology.link4Label">SQL Replication</option>
        <option name="network_topology.network_topology.link5">link5</option>
        <option name="network_topology.network_topology.link5Color">#c00000</option>
        <option name="network_topology.network_topology.link5Dashed">false</option>
        <option name="network_topology.network_topology.link5Label">Link 5</option>
        <option name="network_topology.network_topology.unfocusOpacity">0</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <title>Force Directed Graph</title>
      <viz type="force_directed_viz.force_directed">
        <search>
          <query>| makeresults
| fields - _time
| eval data="source=\"appserver_p_01\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"appserver_p_02\", sourceRole=\"Appserver\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_01\", destinationRole=\"DB\", linkType=\"prod\";
             source=\"sqlserver_p_01\", sourceRole=\"DB\", destination=\"sqlserver_p_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_t_01\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"appserver_t_02\", sourceRole=\"Appserver\", destination=\"sqlserver_t_01\", destinationRole=\"DB\", linkType=\"training\";
             source=\"sqlserver_t_01\", sourceRole=\"DB\", destination=\"sqlserver_t_02\", destinationRole=\"DB\", linkType=\"replication\";
             source=\"appserver_d_01\", sourceRole=\"Appserver\", destination=\"sqlserver_d_01\", destinationRole=\"DB\", linkType=\"dev\";"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| eval count=1
| table source destination</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="force_directed_viz.force_directed.AttractDistanceMax">200</option>
        <option name="force_directed_viz.force_directed.AttractDistanceMin">60</option>
        <option name="force_directed_viz.force_directed.AttractForceStrength">-300</option>
        <option name="force_directed_viz.force_directed.CollisionIterations">1</option>
        <option name="force_directed_viz.force_directed.CollisionRadius">20</option>
        <option name="force_directed_viz.force_directed.CollisionStrength">0.7</option>
        <option name="force_directed_viz.force_directed.ColorRange1">100</option>
        <option name="force_directed_viz.force_directed.ColorRange1Code">#65a637</option>
        <option name="force_directed_viz.force_directed.ColorRange2">500</option>
        <option name="force_directed_viz.force_directed.ColorRange2Code">#6db7c6</option>
        <option name="force_directed_viz.force_directed.ColorRange3">1000</option>
        <option name="force_directed_viz.force_directed.ColorRange3Code">#f7bc38</option>
        <option name="force_directed_viz.force_directed.ColorRange4">10000</option>
        <option name="force_directed_viz.force_directed.ColorRange4Code">#f58f39</option>
        <option name="force_directed_viz.force_directed.ColorRange5">1000000</option>
        <option name="force_directed_viz.force_directed.ColorRange5Code">#d93f3c</option>
        <option name="force_directed_viz.force_directed.ForceCollision">20</option>
        <option name="force_directed_viz.force_directed.LineColor">disabled</option>
        <option name="force_directed_viz.force_directed.LinkDistance">100</option>
        <option name="force_directed_viz.force_directed.LinkLength">1</option>
        <option name="force_directed_viz.force_directed.RepelDistanceMax">50</option>
        <option name="force_directed_viz.force_directed.RepelDistanceMin">10</option>
        <option name="force_directed_viz.force_directed.RepelForceStrength">-140</option>
        <option name="force_directed_viz.force_directed.StrokeWidth">1</option>
        <option name="force_directed_viz.force_directed.arrows">disabled</option>
        <option name="force_directed_viz.force_directed.circleSize">5</option>
        <option name="force_directed_viz.force_directed.panzoom">disabled</option>
        <option name="force_directed_viz.force_directed.theme">light</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
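
A small lint for the point made in the answer above, that link types present in the results still have to be defined as linkN options in the visualization's Format settings (added example, not part of the original post or the app's own code). It assumes the field names used in the sample dashboard and search results exported as CSV; the XML and rows below are constructed.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

VIZ = "network_topology.network_topology"
REQUIRED = ("source", "destination")  # per the answer, enough to draw a link

# Constructed sample: options in the shape of the dashboard above.
SAMPLE_XML = """<dashboard><row><panel>
  <viz type="network_topology.network_topology">
    <option name="network_topology.network_topology.link1">prod</option>
    <option name="network_topology.network_topology.link1Label">Production</option>
    <option name="network_topology.network_topology.link4">replication</option>
    <option name="network_topology.network_topology.link4Label">SQL Replication</option>
    <option name="network_topology.network_topology.link5">link5</option>
    <option name="network_topology.network_topology.link5Label">Link 5</option>
  </viz>
</panel></row></dashboard>"""

# Constructed sample: search results exported as CSV (field names assumed
# to match the sample dashboard's table command).
SAMPLE_ROWS = """source,sourceRole,destination,destinationRole,linkType
appserver_p_01,Appserver,sqlserver_p_01,DB,prod
sqlserver_p_01,DB,sqlserver_p_02,DB,replication
uf_p_01,Forwarder,idx_p_01,Indexer,forwarding
appserver_d_01,,sqlserver_d_01,,
,Appserver,sqlserver_t_01,DB,prod
"""


def configured_links(dashboard_xml):
    """Map each link type set in a linkN option to its linkNLabel (or None)."""
    root = ET.fromstring(dashboard_xml)
    opts = {}
    for viz in root.iter("viz"):
        if viz.get("type") != VIZ:
            continue
        for opt in viz.findall("option"):
            opts[opt.get("name", "")] = (opt.text or "").strip()
    links = {}
    for name, value in opts.items():
        m = re.fullmatch(re.escape(VIZ) + r"\.(link\d+)", name)
        if m and value:
            links[value] = opts.get(f"{VIZ}.{m.group(1)}Label")
    return links


def lint(dashboard_xml, rows_csv):
    """Return (findings, unused): per-row problems and linkN values no row uses."""
    links = configured_links(dashboard_xml)
    findings, seen = [], set()
    for n, row in enumerate(csv.DictReader(io.StringIO(rows_csv)), start=1):
        missing = [c for c in REQUIRED if not (row.get(c) or "").strip()]
        if missing:
            findings.append((n, "missing " + ",".join(missing)))
            continue
        link = (row.get("linkType") or "").strip()
        if not link:
            findings.append((n, "no linkType: drawn as unlabeled link"))
        elif link not in links:
            findings.append((n, f"linkType '{link}' has no linkN option"))
        seen.add(link)
    return findings, sorted(set(links) - seen)


if __name__ == "__main__":
    problems, unused = lint(SAMPLE_XML, SAMPLE_ROWS)
    for row_no, msg in problems:
        print(f"row {row_no}: {msg}")
    print("configured but unused:", unused)
```
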

Explorer

Has anyone been able to use drill down effectively with this package? The drill down provided in the example does not work.

0 Karma

Path Finder

I have tried to add it to a panel separately but it seems to error out vs when it's in its own separate dashboard (works perfectly). I used the same exact code. Just wondering if anyone experienced the same issues.

0 Karma

Legend

Could be because of some other issue. Are you still facing this? Do you have a screenshot of the JavaScript Console error, if any?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

Hey @niketnilay, not sure what I ended up doing with this issue honestly but I did bypass it.

Any thoughts on creating a link-type that states forwarding instead of just searching, clustering, or licensing?

0 Karma

Legend

Why not, it is controlled through SPL so linkType can be set to anything as long as your query is handling it.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Engager

@niketnilay ,

We installed Dynatrace Splunk app and addon and most of the dashboards are able to pull data except the Topology Navigator view. Within this view, we are able to select the entity, link type and the entity to link but after hitting on submit button, we get an error "No matching visualization found for type: network_topology, in app: network_topology " Is there a custom visualization app that we need to add?

Also, can we confirm if this app is compatible with Splunk version 7.2.6? Splunkbase only mentions 7.0.0 so wanted to confirm.

0 Karma


Thanks for the above sample @niketnilay. I have a small query: is there a way to make the position of nodes static in the Network Topology Custom Visualization graph? It gets all messed up on every refresh.

Thanks.

Path Finder

@hellosandeep123, I've wondered the same but I don't think so unless you edit the JS directly.

0 Karma

Legend

Since it is Force Directed Graph, you can set several parameters to define collision etc as per your needs.

     <option name="force_directed_viz.force_directed.AttractDistanceMax">200</option>
     <option name="force_directed_viz.force_directed.AttractDistanceMin">60</option>
     <option name="force_directed_viz.force_directed.AttractForceStrength">-300</option>
     <option name="force_directed_viz.force_directed.CollisionIterations">1</option>
     <option name="force_directed_viz.force_directed.CollisionRadius">20</option>
     <option name="force_directed_viz.force_directed.CollisionStrength">0.7</option>
     <option name="force_directed_viz.force_directed.ForceCollision">20</option>
     <option name="force_directed_viz.force_directed.LinkDistance">100</option>
     <option name="force_directed_viz.force_directed.LinkLength">1</option>
     <option name="force_directed_viz.force_directed.RepelDistanceMax">50</option>
     <option name="force_directed_viz.force_directed.RepelDistanceMin">10</option>
     <option name="force_directed_viz.force_directed.RepelForceStrength">-140</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

New Member

Thanks a lot @niketnilay, your example rocks. It would be helpful for beginners like me if these kinds of examples were attached on the Network Topology page itself. I was looking for Network Topology and it exactly matches my need. I hope there is no limitation on the number of nodes and it would work with at least 20.

Also, is there any way I can customize and have the label on top of the arrow? For example, I am planning to have cpu / memory utilization etc. values as a label.

0 Karma

Legend

@dcmohan, I would have to look into the code myself, or @michaellin, author of the app, should confirm whether there is any limitation on the number of nodes. I don't expect so since this visualization is on top of Force Directed Graph.

For the Arrow related label, it is displayed on Top Left as Legends not on the arrow themselves.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma