Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a dashboard?

hiepdv4
New Member
‎08-16-2018 08:40 PM

alt text

Dear all.

I need to create a Dashboard same as this picture.
I do not use Splunk App for AWS.
I want to display the format as a fraction result (Total login / Error Login).

Thanks

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2018 11:11 PM

@hiepdv4 you can use one of the following options depending on your Expertise

1) HTML Panel with Custom Decoration (refer to Splunk Dashboard Examples App)
2) Single Value built in visualization or
3) Status Indicator Custom Visualization

I am adding a run anywhere example in line with <html> panel i.e. option 1 but using SVG (Scalable Vector Graphic). You can adjust to any other method like using only html nodes with CSS style, Canvas etc.

alt text
In the dashboard I have used two independent searches i.e. search without view to set the required token for values and respective colors based on some cooked up SLA (you can use yours). I have used Search Event Handler <done> with<eval> to set these tokens and later used them in <svg> added to <html> panel.
PS: Simple XML CSS extension has been applied using <style> section and sometimes inline to svg elements.
Splunk's _internal index has been used to generate some cooked up numbers to be displayed. Please replace with your actual queries.

Following is the Simple XML Code, Please try out and confirm:

<dashboard>
  <label>User Activity</label>
  <!-- Independent Search for Activity Error -->
  <search>
    <query>index="_internal" sourcetype=splunkd_ui_access status=*
| stats count as Total count(eval(status!="200")) as Error</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
    <done>
      <condition match="$job.resultCount$!=0">
        <eval token="tokTotal">if(isnull($result.Total$) OR ($result.Total$==0),0,$result.Total$)</eval>
        <eval token="tokTotalColor">case($tokTotal$>0,"black",true(),"red")</eval>
        <eval token="tokError">if(isnull($result.Error$) OR ($result.Error$==0),0,$result.Error$)</eval>
        <eval token="tokErrorColor">case($tokError$==0,"green",$tokError$>0 AND $tokError$<=10,"orange",$tokError$>10,"red",true(),"grey")</eval>
      </condition>
      <condition>
        <set token="tokTotal">0</set>
        <set token="tokError">0</set>
        <set token="tokTotalColor">red</set>
        <set token="tokErrorColor">grey</set>
      </condition>
    </done>
  </search>
  <!-- Independent Search for Method Count -->
  <search>
    <query>index="_internal" sourcetype=splunkd_ui_access method=*
| stats count as Total count(eval(method!="POST")) as Post</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
    <done>
      <condition match="$job.resultCount$!=0">
        <eval token="tokTotalMethod">if(isnull($result.Total$) OR ($result.Total$==0),0,$result.Total$)</eval>
        <eval token="tokTotalMethodColor">case($tokTotalMethod$>0,"black",true(),"red")</eval>
        <eval token="tokPost">if(isnull($result.Post$) OR ($result.Post$==0),0,$result.Post$)</eval>
        <eval token="tokPostColor">case($tokPost$==0,"green",$tokPost$>0 AND $tokPost$<=10,"orange",$tokPost$>10,"red",true(),"grey")</eval>
      </condition>
      <condition>
        <set token="tokTotalMethod">0</set>
        <set token="tokPost">0</set>
        <set token="tokTotalMethodColor">red</set>
        <set token="tokPostColor">grey</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <title>Activity Error</title>
      <html>
          <style>
            svg{
              position: relative;
              left: 30%;
            }
            svg text,svg line{
              font-weight:bold;
              font-size:200%;
            }
            h2.panel-title {
              background: grey;
              color: white;
              font-weight: bold;
              text-align: center;            
            }
          </style>
          <div>
            <svg>
              <text x="10" y="20" fill="$tokTotalColor$">$tokTotal$</text>
              <line x1="10" y1="30" x2="80" y2="30" style="stroke:black;stroke-width:2"/>
              <text x="10" y="50" fill="$tokErrorColor$">$tokError$</text>
            </svg>
          </div>
      </html>
    </panel>
    <panel>
      <title>Method Error</title>
      <html>
          <div>
            <svg>
              <text x="10" y="20" fill="$tokTotalMethodColor$">$tokTotalMethod$</text>
              <line x1="10" y1="30" x2="80" y2="30" style="stroke:black;stroke-width:2"/>
              <text x="10" y="50" fill="$tokPostColor$">$tokPost$</text>
            </svg>
          </div>
      </html>
    </panel>
    <panel>
      <title>Activity Stats</title>
      <table>
        <search>
          <query>index="_internal" sourcetype=splunkd_ui_access status=*
        | stats count by status</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
    <panel>
      <title>Method Stats</title>
      <table>
        <search>
          <query>index="_internal" sourcetype=splunkd_ui_access method=*
        | stats count by method</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution

hiepdv4
New Member
‎08-17-2018 02:33 AM

Dear Niket Nilay

Sorry for bother you.
I have issue at line 15
Please support me.
P.S: I'm sorry, I newbie
alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

pal_sumit1
Path Finder
‎08-17-2018 04:11 AM

@hiepdv4
keep below eval in place of that.

 <eval token="tokErrorColor"> case($tokError$==0,"green",($tokError$&gt;0 AND $tokError$&lt;=10),"orange",$tokError$>10,"red",true(),"grey")</eval>
       <eval token="tokPostColor">case($tokPost$==0,"green",$tokPost$&gt;0 AND $tokPost$&lt;=10,"orange",$tokPost$&gt;10,"red",true(),"grey")</eval>
Reply
Solved! Jump to solution

niketn
Legend
‎08-17-2018 07:02 AM

@hiepdv4 , as mentioned by @pal_sumit1, you would need to escape less than < and greater than > characters in Simple XML code using XML Escape characters i.e. & lt ; and & gt ;. Splunk Answer replaces them with original character instead of escape characters. (I have added spaces due to the same)

https://www.advancedinstaller.com/user-guide/xml-escaped-chars.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2018 11:11 PM

@hiepdv4 you can use one of the following options depending on your Expertise

1) HTML Panel with Custom Decoration (refer to Splunk Dashboard Examples App)
2) Single Value built in visualization or
3) Status Indicator Custom Visualization

I am adding a run anywhere example in line with <html> panel i.e. option 1 but using SVG (Scalable Vector Graphic). You can adjust to any other method like using only html nodes with CSS style, Canvas etc.

alt text
In the dashboard I have used two independent searches i.e. search without view to set the required token for values and respective colors based on some cooked up SLA (you can use yours). I have used Search Event Handler <done> with<eval> to set these tokens and later used them in <svg> added to <html> panel.
PS: Simple XML CSS extension has been applied using <style> section and sometimes inline to svg elements.
Splunk's _internal index has been used to generate some cooked up numbers to be displayed. Please replace with your actual queries.

Following is the Simple XML Code, Please try out and confirm:

<dashboard>
  <label>User Activity</label>
  <!-- Independent Search for Activity Error -->
  <search>
    <query>index="_internal" sourcetype=splunkd_ui_access status=*
| stats count as Total count(eval(status!="200")) as Error</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
    <done>
      <condition match="$job.resultCount$!=0">
        <eval token="tokTotal">if(isnull($result.Total$) OR ($result.Total$==0),0,$result.Total$)</eval>
        <eval token="tokTotalColor">case($tokTotal$>0,"black",true(),"red")</eval>
        <eval token="tokError">if(isnull($result.Error$) OR ($result.Error$==0),0,$result.Error$)</eval>
        <eval token="tokErrorColor">case($tokError$==0,"green",$tokError$>0 AND $tokError$<=10,"orange",$tokError$>10,"red",true(),"grey")</eval>
      </condition>
      <condition>
        <set token="tokTotal">0</set>
        <set token="tokError">0</set>
        <set token="tokTotalColor">red</set>
        <set token="tokErrorColor">grey</set>
      </condition>
    </done>
  </search>
  <!-- Independent Search for Method Count -->
  <search>
    <query>index="_internal" sourcetype=splunkd_ui_access method=*
| stats count as Total count(eval(method!="POST")) as Post</query>
    <earliest>-60m@m</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
    <done>
      <condition match="$job.resultCount$!=0">
        <eval token="tokTotalMethod">if(isnull($result.Total$) OR ($result.Total$==0),0,$result.Total$)</eval>
        <eval token="tokTotalMethodColor">case($tokTotalMethod$>0,"black",true(),"red")</eval>
        <eval token="tokPost">if(isnull($result.Post$) OR ($result.Post$==0),0,$result.Post$)</eval>
        <eval token="tokPostColor">case($tokPost$==0,"green",$tokPost$>0 AND $tokPost$<=10,"orange",$tokPost$>10,"red",true(),"grey")</eval>
      </condition>
      <condition>
        <set token="tokTotalMethod">0</set>
        <set token="tokPost">0</set>
        <set token="tokTotalMethodColor">red</set>
        <set token="tokPostColor">grey</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <title>Activity Error</title>
      <html>
          <style>
            svg{
              position: relative;
              left: 30%;
            }
            svg text,svg line{
              font-weight:bold;
              font-size:200%;
            }
            h2.panel-title {
              background: grey;
              color: white;
              font-weight: bold;
              text-align: center;            
            }
          </style>
          <div>
            <svg>
              <text x="10" y="20" fill="$tokTotalColor$">$tokTotal$</text>
              <line x1="10" y1="30" x2="80" y2="30" style="stroke:black;stroke-width:2"/>
              <text x="10" y="50" fill="$tokErrorColor$">$tokError$</text>
            </svg>
          </div>
      </html>
    </panel>
    <panel>
      <title>Method Error</title>
      <html>
          <div>
            <svg>
              <text x="10" y="20" fill="$tokTotalMethodColor$">$tokTotalMethod$</text>
              <line x1="10" y1="30" x2="80" y2="30" style="stroke:black;stroke-width:2"/>
              <text x="10" y="50" fill="$tokPostColor$">$tokPost$</text>
            </svg>
          </div>
      </html>
    </panel>
    <panel>
      <title>Activity Stats</title>
      <table>
        <search>
          <query>index="_internal" sourcetype=splunkd_ui_access status=*
        | stats count by status</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
    <panel>
      <title>Method Stats</title>
      <table>
        <search>
          <query>index="_internal" sourcetype=splunkd_ui_access method=*
        | stats count by method</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Preview file
1 KB
Reply
Solved! Jump to solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-04-2018 01:01 AM

If you are planning to use SVG it might also be worth considering "Scalable Vector Graphics - Custom Visualization" app https://splunkbase.splunk.com/app/3815/

It contains few examples of passing tokens into SVG.

Reply
Solved! Jump to solution

niketn
Legend
‎09-04-2018 01:55 AM

@msivill I did point it out in one of my comments above. Great app for integrating SVG 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-04-2018 01:59 AM

Doh, I missed your comment. Thanks for the shout-out.

0 Karma
Reply
Solved! Jump to solution

hiepdv4
New Member
‎08-17-2018 02:34 AM

Dear Niket Nilay

I have feedback to you below.
Please support me check it
Thanks

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-18-2018 10:14 PM

@hiepdv4, just wanted to add that SVG can be displayed using SPL in splunk panel using Scalable Vector Graphics - Custom Visualization also.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...