Can you visualize text in Splunk?

Explorer

I am trying to see if I can visualize text in Splunk. For example, I have results showing a build going through multiple environments and I want to show it graphically.

Build ID    Path
1.0.0       production
            test
            qa
1.0.1       production
            qa

Is it possible at all?

0 Karma
1 Solution

Super Champion

How about something like this? Visualized in a column chart:

| makeresults
| eval data="build=1.0.0,env=prod build=1.0.0,env=qa build=1.0.0,env=test build=1.0.1,env=prod build=1.0.1,env=qa"
| makemv data
| mvexpand data
| rename data as _raw
| kv
| table build env
| eval {env}=1
| fields - env
| stats values(*) as * by build

SplunkTrust

@askarkz, extending @cmerriman's example, there are several Custom Visualizations that can be used to plot this kind of mapping, like Sankey Diagram, Parallel Coordinates, and Force Directed Graph. Refer to one of my older answers: https://answers.splunk.com/answers/686428/how-do-you-create-a-dashboard-with-dependencies-be.html

The following is run-anywhere example code for the attached mockup (it depends on the Sankey Diagram Custom Visualization, Parallel Coordinates Custom Visualization, Force Directed App for Splunk, and Network Topology - Custom Visualization for the example to work):

<dashboard>
  <label>Release Control</label>
  <row>
    <panel>
      <html>
        <!-- CSS Style override for Sankey -->
        <style>
          g[data-shape-name="1. Test"] rect{
            fill: rgb(83, 160, 81) !important;
          }
          g[data-shape-name="2. QA"] rect{
            fill: rgb(241, 129, 63) !important;
          }
          g[data-shape-name="3. Production"] rect{
            fill: rgb(192, 0, 0) !important;
          }
          g[data-shape-name="4. Unknown"] rect{
            fill: grey !important;
          }
        </style>
        <div>
          <h3>Versions Environment Mapping</h3>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <viz type="sankey_diagram_app.sankey_diagram">
        <title>Sankey Diagram</title>
        <search>
          <query>| makeresults 
| eval data="build=1.0.0,env=prod build=1.0.0,env=qa build=1.0.0,env=test build=1.0.1,env=prod build=1.0.1,env=qa" 
| makemv data 
| mvexpand data 
| rename data as _raw 
| kv 
| table build env
| eval env=case(env=="test","1. Test",env=="qa","2. QA",env=="prod","3. Production",true(),"4. Unknown")
| eventstats count by build env
| sort env</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="height">320</option>
        <option name="refresh.display">progressbar</option>
        <option name="sankey_diagram_app.sankey_diagram.colorMode">categorical</option>
        <option name="sankey_diagram_app.sankey_diagram.maxColor">#3fc77a</option>
        <option name="sankey_diagram_app.sankey_diagram.minColor">#d93f3c</option>
        <option name="sankey_diagram_app.sankey_diagram.numOfBins">6</option>
        <option name="sankey_diagram_app.sankey_diagram.showBackwards">false</option>
        <option name="sankey_diagram_app.sankey_diagram.showLabels">true</option>
        <option name="sankey_diagram_app.sankey_diagram.showLegend">true</option>
        <option name="sankey_diagram_app.sankey_diagram.showSelf">false</option>
        <option name="sankey_diagram_app.sankey_diagram.showTooltip">true</option>
        <option name="sankey_diagram_app.sankey_diagram.styleBackwards">false</option>
        <option name="sankey_diagram_app.sankey_diagram.useColors">true</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
    <panel>
      <viz type="parallel_coordinates_app.parallel_coordinates">
        <title>Parallel Coordinates</title>
        <search>
          <query>| makeresults 
| eval data="build=1.0.0,env=prod build=1.0.0,env=qa build=1.0.0,env=test build=1.0.1,env=prod build=1.0.1,env=qa" 
| makemv data 
| mvexpand data 
| rename data as _raw 
| kv 
| table build env</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="parallel_coordinates_app.parallel_coordinates.colorMode">categorical</option>
        <option name="parallel_coordinates_app.parallel_coordinates.hideTicks">false</option>
        <option name="parallel_coordinates_app.parallel_coordinates.maxCategories">25</option>
        <option name="parallel_coordinates_app.parallel_coordinates.maxColor">#3fc77a</option>
        <option name="parallel_coordinates_app.parallel_coordinates.minColor">#d93f3c</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
    <panel>
      <viz type="force_directed_viz.force_directed">
        <title>Force-Directed Graph</title>
        <search>
          <query>| makeresults 
| eval data="build=1.0.0,env=prod build=1.0.0,env=qa build=1.0.0,env=test build=1.0.1,env=prod build=1.0.1,env=qa" 
| makemv data 
| mvexpand data 
| rename data as _raw 
| kv 
| table build env
| eventstats count by build env</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="force_directed_viz.force_directed.AttractDistanceMax">200</option>
        <option name="force_directed_viz.force_directed.AttractDistanceMin">60</option>
        <option name="force_directed_viz.force_directed.AttractForceStrength">-300</option>
        <option name="force_directed_viz.force_directed.CollisionIterations">1</option>
        <option name="force_directed_viz.force_directed.CollisionRadius">20</option>
        <option name="force_directed_viz.force_directed.CollisionStrength">0.7</option>
        <option name="force_directed_viz.force_directed.ColorRange1">100</option>
        <option name="force_directed_viz.force_directed.ColorRange1Code">#65a637</option>
        <option name="force_directed_viz.force_directed.ColorRange2">500</option>
        <option name="force_directed_viz.force_directed.ColorRange2Code">#6db7c6</option>
        <option name="force_directed_viz.force_directed.ColorRange3">1000</option>
        <option name="force_directed_viz.force_directed.ColorRange3Code">#f7bc38</option>
        <option name="force_directed_viz.force_directed.ColorRange4">10000</option>
        <option name="force_directed_viz.force_directed.ColorRange4Code">#f58f39</option>
        <option name="force_directed_viz.force_directed.ColorRange5">1000000</option>
        <option name="force_directed_viz.force_directed.ColorRange5Code">#d93f3c</option>
        <option name="force_directed_viz.force_directed.ForceCollision">20</option>
        <option name="force_directed_viz.force_directed.LineColor">disabled</option>
        <option name="force_directed_viz.force_directed.LinkDistance">100</option>
        <option name="force_directed_viz.force_directed.LinkLength">1</option>
        <option name="force_directed_viz.force_directed.RepelDistanceMax">50</option>
        <option name="force_directed_viz.force_directed.RepelDistanceMin">10</option>
        <option name="force_directed_viz.force_directed.RepelForceStrength">-140</option>
        <option name="force_directed_viz.force_directed.StrokeWidth">1</option>
        <option name="force_directed_viz.force_directed.arrows">disabled</option>
        <option name="force_directed_viz.force_directed.circleSize">5</option>
        <option name="force_directed_viz.force_directed.panzoom">disabled</option>
        <option name="force_directed_viz.force_directed.theme">light</option>
        <option name="height">320</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <viz type="network_topology.network_topology">
        <title>Network Topology For Splunk</title>
        <search>
          <query>| makeresults 
| eval data="build=1.0.0,env=prod build=1.0.0,env=qa build=1.0.0,env=test build=1.0.1,env=prod build=1.0.1,env=qa" 
| makemv data 
| mvexpand data 
| rename data as _raw 
| kv 
| table build env
| rename build as source, env as linkType
| eval sourceRole="Build", destination=linkType, destinationRole="Env"
| table source sourceRole destination destinationRole linkType</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="height">385</option>
        <option name="network_topology.network_topology.drilldown">false</option>
        <option name="network_topology.network_topology.link1">test</option>
        <option name="network_topology.network_topology.link1Color">#53a051</option>
        <option name="network_topology.network_topology.link1Dashed">true</option>
        <option name="network_topology.network_topology.link1Label">Test</option>
        <option name="network_topology.network_topology.link2">qa</option>
        <option name="network_topology.network_topology.link2Color">#f1813f</option>
        <option name="network_topology.network_topology.link2Dashed">true</option>
        <option name="network_topology.network_topology.link2Label">QA</option>
        <option name="network_topology.network_topology.link3">prod</option>
        <option name="network_topology.network_topology.link3Color">#c00000</option>
        <option name="network_topology.network_topology.link3Dashed">false</option>
        <option name="network_topology.network_topology.link3Label">Production</option>
        <option name="network_topology.network_topology.link4">link4</option>
        <option name="network_topology.network_topology.link4Color">#a5a5a5</option>
        <option name="network_topology.network_topology.link4Dashed">true</option>
        <option name="network_topology.network_topology.link4Label">Link 4</option>
        <option name="network_topology.network_topology.link5">link5</option>
        <option name="network_topology.network_topology.link5Color">#c00000</option>
        <option name="network_topology.network_topology.link5Dashed">false</option>
        <option name="network_topology.network_topology.link5Label">Link 5</option>
        <option name="network_topology.network_topology.unfocusOpacity">0</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
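
Added example (not part of the original posts): the searches above map each build to its environments. To draw the promotion flow itself, the same constructed sample data can be turned into environment-to-environment edges in the source, target, value column order that the Sankey Diagram visualization reads. The stage order test, qa, prod follows the numbering used in the dashboard above; the field names stage, prev_env, from_env and to_env are assumptions introduced here.

```spl
| makeresults
| eval data="build=1.0.0,env=prod build=1.0.0,env=qa build=1.0.0,env=test build=1.0.1,env=prod build=1.0.1,env=qa"
| makemv data
| mvexpand data
| rename data as _raw
| kv
| table build env
| eval stage=case(env=="test",1,env=="qa",2,env=="prod",3,true(),4)
| sort 0 build stage
| streamstats current=f window=1 global=f last(env) as prev_env by build
| where isnotnull(prev_env)
| stats count by prev_env env
| rename prev_env as from_env, env as to_env
```

With the sample data this returns two edges: qa to prod with a count of 2, and test to qa with a count of 1. The first row of each build has no predecessor and is dropped by the `where` clause.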

Explorer

Thank you for your response. I tried the Sankey diagram before posting the question and did not make it work. Will look at your post and try again.

0 Karma

Explorer

I am floored with what you put together. Thank you. So much to learn.

SplunkTrust

@askarkz, glad you found it useful! Do upvote the answer if it helped 🙂
0 Karma

Explorer

Thank you for the response! Will try it today.

0 Karma

Explorer

It works! Awesome. So much to learn about Splunk.

0 Karma