Conf2014 NickFilipi Splunk WhatsNew

Copyright © 2014 Splunk Inc.

Nicholas Filippi Product Management, Splunk

Mathew ElDng Lead Engineer, Splunk

Splunk Dashboard Framework – What’s New

Disclaimer

2

During the course of this presentaDon, we may make forward-‐looking statements regarding future events or the expected performance of the company. We cauDon you that such statements reflect our current expectaDons and

esDmates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements,

please review our filings with the SEC. The forward-‐looking statements made in the this presentaDon are being made as of the Dme and date of its live presentaDon. If reviewed aSer its live presentaDon, this presentaDon may not contain current or accurate informaDon. We do not assume any obligaDon to update any forward-‐looking statements we may make. In addiDon, any informaDon about our roadmap outlines our general product direcDon and is subject to change at any Dme without noDce. It is for informaDonal purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligaDon either to develop the features or funcDonality described or to

include any such feature or funcDonality in a future release.

About Us

!   Nicholas Filippi – Sr. Product Manager !   Mathew ElDng – Engineering Lead, Splunk Core UI

3

Simple XML / HTML Dashboards

Modular Inputs

Splunk Web Splunk Licensing

Alerting Splunk 6.x Dashboard Examples

About You

!   Anyone looking to build dashboards on the Splunk plaYorm !   Interested in…

–  What you can do within Simple XML –  What new in the Splunk dashboard framework –  What tools you have available

4

What is XML? Pro Web Developer Advanced XML

Dev Hacker Simple XML

Agenda

!   Splunk dashboard/web framework(s) !   What’s new in Splunk 6.1 !   What’s new in Splunk 6.2 !   Example walk-‐throughs

–  Form inputs –  Search management –  VisualizaDons –  Drilldown

5

Splunk Dashboards

6

Splunk Dashboards

7

A collecDon of searches, visualizaDons, and interacDvity designed to tell a story with data

Interactivity Layout

Visualizations

Splunk Web Framework

8

Visual Editor Simple XML Custom HTML w/ Splunk JS Stack Advanced XML

Descrip@on 100% GUI Driven; drag-‐and-‐drop panels. Basic visual ediDng

XML config driven; constrained, defined object model. Internally supported.

Full HTML support. Leverage library of js components.

XML config driven; unconstrained; internally/externally supported

When to Use

•  PDF PrinDng (full) •  Drag-‐and-‐Drop (full) •  Form Inputs

•  Dynamic Drilldown •  Tokens •  Layout (row grouping) •  Add opDons / parameters •  PDF PrinDng (full) •  Drag-‐and-‐Drop (full) •  Extensions

•  Custom Layout •  Custom Form Inputs •  AddiDonal interacDvity •  New VisualizaDons •  Custom javascript

•  Custom Layout •  Custom Form Inputs •  AddiDonal interacDvity •  New VisualizaDons •  Legacy support •  Reusable modules

What’s New: Splunk 6.1

9

Splunk 6.1 – What’s New

10

!   Form Editor UI –  UI to add/edit/arrange form inputs –  MulD-‐select & checkbox inputs –  MulDple Dme range picker support

!   InteracDvity –  Contextual drilldown (in-‐page drilldown) –  Universal dynamic drilldown

!   Other –  Panel inputs –  Panel refresh controls

Build more interacDvity into your dashboards

Form Editor UI

11

!   UI to add/edit inputs –  Full configuraDon support –  Set token namespace –  Auto-‐run, searchWhenChanged

!   Drag-‐and-‐drop –  Arrange within global space –  Drag to panel for inline

!   MulD-‐select/checkbox –  MulD-‐value inputs

Add form inputs and build interacDvity without having to edit xml configuraDon

MulD-‐Select & Checkbox Form Inputs

12

!   Build complex query strings with mulD-‐value inputs –  valuePrefix –  valueSuffix –  delimiter

!   Permalink support –  Pass mulD-‐value form selecDons

via URL –  ?form.field=val1&form.field=val2

Enable mulD-‐value user input selecDon, and translate to search

MulD-‐Select & Checkbox Form Inputs

13

<searchString>index=_internal $sourcetype_token$</searchString>

index=_internal (sourcetype=“scheduler” OR sourcetype=“splunkd”)

<input type="multiselect" token="sourcetype_token" searchWhenChanged="true"> <default>scheduler, splunkd</default> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>sourcetype="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> <populatingSearch earliest="0" latest="" fieldForLabel="sourcetype" fieldForValue="sourcetype">index=_internal | stats count by sourcetype</populatingSearch> </input>

Result

Process

MulDple Time Range Pickers

14

!   100% UI Driven !   Add MulDple Time Pickers

–  Set unique namespace

!   Explicit binding of search to Dme –  TRP, explicit inline,

advanced

Compare metrics across mulDple Dme windows

<earliestTime>$inPanel2.earliest$</earliestTime> <latestTime>$inPanel2.latest$</latestTime>

Contextual (in-‐page) Drilldown

15

!   Click to see more details without having to leave the page !   Allow for other panels and searches to react to user clicks

–  Build complex interacDon between panel elements –  Leverage “token availability everywhere”

Improve user efficiency with interacDve views


16

!   Step 1 –  Use “drilldown” click event to set token(s) rather than link to other views

<drilldown> <set token="showTable">true</set> <set token="selected_sourcetype">$row.sourcetype$</set> <set token=“sourcetype_query”>sourcetype=“$row.sourcetype$”</set> </drilldown>

<drilldown> <condition field="sourcetype">  <set token="showTable">true</set> <set token="selected_sourcetype">$click.value2$</set> <unset token="showChart"/> </condition> <condition field="*">  <set token="showChart">true</set> <set token="count">$row.count$</set> <unset token="showTable"/> </condition> </drilldown>

Trigger same ac@on for all cell clicks

Enable different ac@ons for each field click


17

!   Step 2 –  Show/hide dashboard elements based on token existence

<table depends="$showTable$,$selected_sourcetype$"> <option name=“foo”>bar</option> </table>

<table rejects="$showChart$"> <option name=“foo”>bar</option> </table>

Show table based on existence of one or more tokens

Hide table based on the existence of one or more tokens

Universal Dynamic Drilldown

18

!   Dynamic drilldown now available for all dashboard elements –  Not just table and chart –  Single, table, chart, event, map

!   Same syntax, same behavior –  Click informaDon: $click.name$, $click.name2$, $click.value$ ,$click.value2$, $row.<field_name>$ –  AddiDonal map-‐related: $click.lat.name$, $click.lon.name$, $click.lat.value$, $click.lon.value$,

$click.bounds.north$, $click.bounds.south$, $click.bounds.east$, $click.bounds.west$ –  Other: $earliest$, $latest$, any page-‐level tokens

Build workflow and dashboard linking for any user click event

<single> <searchString>index=sfpd Resolution="NONE" | stats count</searchString> <earliestTime>0</earliestTime> <latestTime>now</latestTime> <option name="afterLabel">Unresolved Incidents</option> <drilldown> <link>incident_listing_search?form.s_resolution=NONE</link> </drilldown> </single>

Universal Dynamic Drilldown

19

Tips & Tricks: Create a test dashboard that uses the new contextual drilldown to set tokens, and display in an html element

<form> … <row> <panel> <chart> <searchString>index=_internal | timechart count by sourcetype</searchString> <earliestTime>$field1.earliest$</earliestTime> <latestTime>$field1.latest$</latestTime> <option name="charting.drilldown">all</option> <drilldown> <set token="table1.click.name">$click.name$</set> <set token="table1.click.name2">$click.name2$</set> <set token="table1.click.value">$click.value$</set> <set token="table1.click.value2">$click.value2$</set> <set token="table1.row.sourcetype">$row.sourcetype$</set> <set token="table1.earliest">$earliest$</set> <set token="table1.latest">$latest$</set> </drilldown> </chart> <html> <ul> <li><code>click.name: $table1.click.name$</code></li> <li><code>click.name2: $table1.click.name2$</code></li> <li><code>click.value: $table1.click.value|s$</code></li> <li><code>click.value2: $table1.click.value2|s$</code></li> <li><code>row.sourcetype = $table1.row.sourcetype$</code></li> <li><code>Timerange: $table1.earliest$ - $table1.latest$</code></li> </ul> </html> </panel> </row> </form>

Panel Inputs

20

!   Use for comparison dashboards !   Use for panel-‐specific inputs !   Drag-‐and-‐drop form inputs into “panels”

!   New <panel> node –  Replaces row grouping –  Default behavior:

ê  For single, orient horizontally ê  For all other, orient verDcal

Create context specific form inputs

Panel Refresh Controls

21

!   Enable/disable manual refresh link –  Default: enabled (except for single) –  <opDon name="refresh.link.visible">false</

opDon>

!   Set autoRefresh –  Refresh element aSer X seconds –  <opDon name="refresh.auto.interval">30</

opDon>

!   Control “refresh Dme” rendering –  Default: enabled –  <opDon name="refresh.Dme.visible">false</

opDon>

Manual or automated refresh controls for panel elements

What’s New: Splunk 6.2

22

Splunk 6.2 – What’s New

23

!   Key Features –  Prebuilt Panels –  MulD-‐Search Management –  Input MulD-‐token Se{er –  Dropdown/MulDselect

Custom Values support –  Dashboard Display Controls

Prebuilt Panels

24

!   Packaged within apps and add-‐ons !   Purpose-‐built for dashboard re-‐use

–  No further configuraDon required by users

!   Panel objects may include –  MulDple searches –  MulDple visualizaDons –  Full drilldown (including in-‐page, contextual) –  Form inputs

!   New add workflow –  Browse, discover, search, and preview –  Browse reports, other dashboards, and

prebuilt panels

Build custom dashboards faster using prebuilt panels packaged within apps

Prebuilt Panels – Technical Details

25

!   Panels are new knowledge objects in Splunk –  Included in dashboard “by reference”

!   Management/Permissions –  UI: “Se|ngs > User interface > Prebuilt panels” –  FS: $SPLUNK_HOME/etc/apps/<app_name>/default/

data/ui/panels –  Syntax for default.meta is “[panels]”

!   Building panels –  Via dashboard editor (recommended)

ê  Build panel > “convert to prebuilt panel” –  Via manager page

ê  Required for ediDng !   Convert to Inline

–  For any customizaDon

Note: Panels do not support custom js/css extensions

MulD-‐Search Management

26

!   Run mulDple background searches –  Locate within global space, or within panels

!   Post-‐process search binding !   Re-‐use search results to drive

visualizaDons, form inputs, and more !   Normalized search syntax

–  Replaces current, confusing search syntax –  <searchTemplate>, <searchString>,

<searchPostProcess>, <populaDngSearch>, <populaDngSavedSearch>

!   Splunk 6.2 is fully backward compaDble

Improve search efficiency in your dashboards with mulDple background searches

MulD-‐Search Management

27

!   ExisDng scenarios (using new search syntax): –  Inline search that drives a single visualizaDon –  Report-‐based search that drives a single visualizaDon –  Inline search that populates available choices in a form input –  Report-‐based search that populates available choices in a form input –  Single global search to drive mulDple visualizaDons w/ and w/o post process

!   Newly Enabled Scenarios: –  MulDple background searches that can be referenced directly for

visualizaDons, or post processes –  Binding form input to a global search both directly, and using post

process filtering –  Nested post process –  Performance opDmizaDons for token subsDtuDon-‐based searches

Form Input MulD-‐token Se{er

28

!   Key use cases: –  Se|ng tokens for labels –  Simple Dme range pickers –  Cascading form input controls –  Complex token se|ng w/ search –  HiddenSearchSwapper

!   On <change> event –  OpDonally use <condiDon> logic

ê  For value or label –  Then use standard

<set token=“”></set>

Integrate more logic into form inputs

Free-‐Form Text Support for Dropdown/MulD-‐Select

29

!   Operates similar to text input w/ auto-‐complete assistance

!   Key use cases: –  Best for hostname-‐type inputs –  Inputs where you may want to use *

wildcards

!   Enable via XML –  <allowCustomValues>true</

allowCustomValues> –  Default is false

Integrate more logic into form inputs

Dashboard Display Controls

30

!   Enhanced OEM and/or embed capabiliDes !   2 IntegraDon points

–  As h{p get param –  As form/dashboard a{ribute

!   New a{ributes/parameters available –  hideSplunkBar -‐ Hides just the splunkbar –  hideAppBar -‐ Hides just the appbar –  hideFooter -‐ Hides just the footer –  hideChrome -‐ Shortcut to hide splunkbar,

appbar, and footer –  hideTitle -‐ Hides Dtle and descripDon –  hideEdit -‐ Hides all the dashboard controls

Enable/disable dashboard chrome and controls

Walk-‐Through Demos

31

Summary

32

Wrap-‐Up

33

!   Leverage the newest dashboard funcDonality –  Form inputs for greater dashboard authoring efficiency

ê  MulD-‐select inputs, advanced token logic, Dme picker binding –  Drilldown & interacDvity

ê  Dynamic drilldown to link pages, contextual drilldown for in-‐page interacDvity –  Prebuilt panels

ê  Enable content sharing, leverage prebuilt content within apps

!   Use “Splunk 6.x Dashboard Examples” App

Come Visit – “Ask the Dashboard Expert”

34

!   For assistance with troublesome dashboards !   For migraDon Dps !   To brag about something cool you built !   To ask quesDons !   Or, just to say hi!

@CommunityLounge

THANK YOU

Documents

Conf2014 NickFilipi Splunk WhatsNew