Can you visualize text in Splunk?

askarkz
Explorer

I am trying to see if I can visualize text in Splunk. For example, I have results showing a build going through multiple environments and I want to show it graphically.

Build ID    Path
1.0.0       production
            test
            qa
1.0.1       production
            qa

Is it possible at all?

0 Karma
1 Solution

cmerriman
Super Champion

How about something like this? Visualized in a column chart.

| makeresults
| eval data="build=1.0.0,env=prod build=1.0.0,env=qa build=1.0.0,env=test build=1.0.1,env=prod build=1.0.1,env=qa"
| makemv data
| mvexpand data
| rename data as _raw
| kv
| table build env
| eval {env}=1
| fields - env
| stats values(*) as * by build

niketn
Legend

@askarkz extending @cmerriman's example, there are several Custom Visualizations that can be used to plot this kind of mapping, like Sankey Diagram, Parallel Coordinates, and Force Directed Graph. Refer to one of my older answers: https://answers.splunk.com/answers/686428/how-do-you-create-a-dashboard-with-dependencies-be.html

Following is run-anywhere example code for the attached mockup (it depends on Sankey Diagram Custom Visualization, Parallel Coordinates Custom Visualization, Force Directed App for Splunk and Network Topology - Custom Visualization for the example to work):

<dashboard>
  <label>Release Control</label>
  <row>
    <panel>
      <html>
        <!-- CSS Style override for Sankey -->
        <style>
          g[data-shape-name="1. Test"] rect{
            fill: rgb(83, 160, 81) !important;
          }
          g[data-shape-name="2. QA"] rect{
            fill: rgb(241, 129, 63) !important;
          }
          g[data-shape-name="3. Production"] rect{
            fill: rgb(192, 0, 0) !important;
          }
          g[data-shape-name="4. Unknown"] rect{
            fill: grey !important;
          }
        </style>
        <div>
          <h3>Versions Environment Mapping</h3>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <viz type="sankey_diagram_app.sankey_diagram">
        <title>Sankey Diagram</title>
        <search>
          <query>| makeresults 
| eval data="build=1.0.0,env=prod build=1.0.0,env=qa build=1.0.0,env=test build=1.0.1,env=prod build=1.0.1,env=qa" 
| makemv data 
| mvexpand data 
| rename data as _raw 
| kv 
| table build env
| eval env=case(env=="test","1. Test",env=="qa","2. QA",env=="prod","3. Production",true(),"4. Unknown")
| eventstats count by build env
| sort env</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="height">320</option>
        <option name="refresh.display">progressbar</option>
        <option name="sankey_diagram_app.sankey_diagram.colorMode">categorical</option>
        <option name="sankey_diagram_app.sankey_diagram.maxColor">#3fc77a</option>
        <option name="sankey_diagram_app.sankey_diagram.minColor">#d93f3c</option>
        <option name="sankey_diagram_app.sankey_diagram.numOfBins">6</option>
        <option name="sankey_diagram_app.sankey_diagram.showBackwards">false</option>
        <option name="sankey_diagram_app.sankey_diagram.showLabels">true</option>
        <option name="sankey_diagram_app.sankey_diagram.showLegend">true</option>
        <option name="sankey_diagram_app.sankey_diagram.showSelf">false</option>
        <option name="sankey_diagram_app.sankey_diagram.showTooltip">true</option>
        <option name="sankey_diagram_app.sankey_diagram.styleBackwards">false</option>
        <option name="sankey_diagram_app.sankey_diagram.useColors">true</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
    <panel>
      <viz type="parallel_coordinates_app.parallel_coordinates">
        <title>Parallel Coordinates</title>
        <search>
          <query>| makeresults 
| eval data="build=1.0.0,env=prod build=1.0.0,env=qa build=1.0.0,env=test build=1.0.1,env=prod build=1.0.1,env=qa" 
| makemv data 
| mvexpand data 
| rename data as _raw 
| kv 
| table build env</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="parallel_coordinates_app.parallel_coordinates.colorMode">categorical</option>
        <option name="parallel_coordinates_app.parallel_coordinates.hideTicks">false</option>
        <option name="parallel_coordinates_app.parallel_coordinates.maxCategories">25</option>
        <option name="parallel_coordinates_app.parallel_coordinates.maxColor">#3fc77a</option>
        <option name="parallel_coordinates_app.parallel_coordinates.minColor">#d93f3c</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
    <panel>
      <viz type="force_directed_viz.force_directed">
        <title>Force-Directed Graph</title>
        <search>
          <query>| makeresults 
| eval data="build=1.0.0,env=prod build=1.0.0,env=qa build=1.0.0,env=test build=1.0.1,env=prod build=1.0.1,env=qa" 
| makemv data 
| mvexpand data 
| rename data as _raw 
| kv 
| table build env
| eventstats count by build env</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="force_directed_viz.force_directed.AttractDistanceMax">200</option>
        <option name="force_directed_viz.force_directed.AttractDistanceMin">60</option>
        <option name="force_directed_viz.force_directed.AttractForceStrength">-300</option>
        <option name="force_directed_viz.force_directed.CollisionIterations">1</option>
        <option name="force_directed_viz.force_directed.CollisionRadius">20</option>
        <option name="force_directed_viz.force_directed.CollisionStrength">0.7</option>
        <option name="force_directed_viz.force_directed.ColorRange1">100</option>
        <option name="force_directed_viz.force_directed.ColorRange1Code">#65a637</option>
        <option name="force_directed_viz.force_directed.ColorRange2">500</option>
        <option name="force_directed_viz.force_directed.ColorRange2Code">#6db7c6</option>
        <option name="force_directed_viz.force_directed.ColorRange3">1000</option>
        <option name="force_directed_viz.force_directed.ColorRange3Code">#f7bc38</option>
        <option name="force_directed_viz.force_directed.ColorRange4">10000</option>
        <option name="force_directed_viz.force_directed.ColorRange4Code">#f58f39</option>
        <option name="force_directed_viz.force_directed.ColorRange5">1000000</option>
        <option name="force_directed_viz.force_directed.ColorRange5Code">#d93f3c</option>
        <option name="force_directed_viz.force_directed.ForceCollision">20</option>
        <option name="force_directed_viz.force_directed.LineColor">disabled</option>
        <option name="force_directed_viz.force_directed.LinkDistance">100</option>
        <option name="force_directed_viz.force_directed.LinkLength">1</option>
        <option name="force_directed_viz.force_directed.RepelDistanceMax">50</option>
        <option name="force_directed_viz.force_directed.RepelDistanceMin">10</option>
        <option name="force_directed_viz.force_directed.RepelForceStrength">-140</option>
        <option name="force_directed_viz.force_directed.StrokeWidth">1</option>
        <option name="force_directed_viz.force_directed.arrows">disabled</option>
        <option name="force_directed_viz.force_directed.circleSize">5</option>
        <option name="force_directed_viz.force_directed.panzoom">disabled</option>
        <option name="force_directed_viz.force_directed.theme">light</option>
        <option name="height">320</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <viz type="network_topology.network_topology">
        <title>Network Topology For Splunk</title>
        <search>
          <query>| makeresults 
| eval data="build=1.0.0,env=prod build=1.0.0,env=qa build=1.0.0,env=test build=1.0.1,env=prod build=1.0.1,env=qa" 
| makemv data 
| mvexpand data 
| rename data as _raw 
| kv 
| table build env
| rename build as source, env as linkType
| eval sourceRole="Build", destination=linkType, destinationRole="Env"
| table source sourceRole destination destinationRole linkType</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="height">385</option>
        <option name="network_topology.network_topology.drilldown">false</option>
        <option name="network_topology.network_topology.link1">test</option>
        <option name="network_topology.network_topology.link1Color">#53a051</option>
        <option name="network_topology.network_topology.link1Dashed">true</option>
        <option name="network_topology.network_topology.link1Label">Test</option>
        <option name="network_topology.network_topology.link2">qa</option>
        <option name="network_topology.network_topology.link2Color">#f1813f</option>
        <option name="network_topology.network_topology.link2Dashed">true</option>
        <option name="network_topology.network_topology.link2Label">QA</option>
        <option name="network_topology.network_topology.link3">prod</option>
        <option name="network_topology.network_topology.link3Color">#c00000</option>
        <option name="network_topology.network_topology.link3Dashed">false</option>
        <option name="network_topology.network_topology.link3Label">Production</option>
        <option name="network_topology.network_topology.link4">link4</option>
        <option name="network_topology.network_topology.link4Color">#a5a5a5</option>
        <option name="network_topology.network_topology.link4Dashed">true</option>
        <option name="network_topology.network_topology.link4Label">Link 4</option>
        <option name="network_topology.network_topology.link5">link5</option>
        <option name="network_topology.network_topology.link5Color">#c00000</option>
        <option name="network_topology.network_topology.link5Dashed">false</option>
        <option name="network_topology.network_topology.link5Label">Link 5</option>
        <option name="network_topology.network_topology.unfocusOpacity">0</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

askarkz
Explorer

Thank you for your response. I tried the Sankey diagram before posting the question and did not make it work. Will look at your post and try again.

0 Karma

askarkz
Explorer

I am floored with what you put together. Thank you. So much to learn.

niketn
Legend

@askarkz glad you found it useful! Do upvote the answer if it helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

askarkz
Explorer

Thank you for the response! Will try it today.

0 Karma

askarkz
Explorer

It works! Awesome. So much to learn about Splunk.

0 Karma