Advanced Dashboards & Visualizations - Labs: Dashboard in The Course App
Overview
Welcome to the Splunk Education lab environment. These exercises will guide you through the process
of creating a set of dashboards, forms, and visualizations. If you get stuck, consult the example
dashboard in the course app.
IMPORTANT: Save all knowledge objects in the Advanced Dashboards & Visualizations app with
permissions set to private. Also, when editing XML, type the text manually or copy it from
the dashboard editor, not from this document. Character formatting and artifacts created by
the PDF generation process can cause errors in the XML.
Typographical Conventions
• Blue text highlighting indicates text to add.
• Red text highlighting indicates text to remove.
• Grey text provides placement information.
Class Number:
Splunk Web URL:
Splunk Web username:
Splunk Web password:
Source Types
The two source types used in these exercises are referred to by the type of data they represent.
© 2016 Splunk Inc. All rights reserved. Advanced Dashboards & Visualizations November 20, 2016 1
Lab Exercise 1 – Create a Prototype
Description
Create a dashboard prototype based on the use case and wireframe. The prototype will use basic
searches and visualizations.
IMPORTANT: Perform all searches and save all knowledge objects in the Advanced Dashboards &
Visualizations course app.
Scenario: The sales team wants a dashboard that displays information about web store server health.
It should have panels that display the following:
- Chart of purchases and lost sales
- Table of most common web server errors by host
- Chart of all web server errors by host
- Map of web server errors by location
Working Example: Adv. Dash. & Visualizations > Lab Examples > Lab 1 - Create a Prototype
Naming Conventions
Define naming conventions for your knowledge objects early in the development process. Doing so will
avoid confusion later. This becomes especially important when creating multiple iterations of views and
reports. For the following tasks, consult the table below when naming objects.
Steps
Task 1: Change the account name and time zone.
1. Log into the class lab server.
For example, http://class.server-name.splunk.com
2. Change your account settings:
• Full name: <first initial and last name>
For example: rrice
• Time zone: <your local time zone>
• Default app: advdash
Task 2: Create a dashboard with a panel that shows online purchases and lost sales.
NOTE: A lost sale is defined as when an item is removed from a customer's cart.
3. Search online transactions for purchases or lost sales events over the last 30 days.
Hint: action=remove, action=purchase
4. Calculate the total value of sales as totalSales by action and product_name. Then, view the results as
both a statistics table and column chart visualization.
5. Ensure product_name is on the x-axis, action identifies the series, and totalSales is on the y-axis.
Hint: xyseries command
6. Rename product_name as Product Name, remove as Lost Sales, purchase as Purchases, and
display the results as a column chart.
7. Save the search as a report and add it to a new dashboard:
• Report Title: bcg_webstore_report_purchases_vs_lost_sales
• Dashboard Title: Version 1 - Web Store Server Errors
• Dashboard ID: bcg_webstore_dash_v1_server_errors
• Dashboard Permissions: Private
• Panel Title: Purchases & Lost Sales
• Panel Powered By: Report
8. Open the dashboard in edit mode.
9. Format the panel visualization to display a stacked column chart with the legend on the bottom.
10. Save the dashboard changes.
11. Search online transactions for all HTTP status errors over the last 30 days.
Hint: status>399
12. Count errors by host and status.
13. Limit results to only the top three errors.
14. Remove the grouping called OTHER.
15. Save the search as a report and add it to your Version 1 - Web Store Server Errors dashboard:
• Report Title: bcg_webstore_report_common_errors_by_host
• Dashboard: Version 1 - Web Store Server Errors
• Panel Title: Most Common Errors by Host
• Panel Powered By: Report
• Panel Content: Statistics Table
Task 6: Create prebuilt panels.
28. Click Edit.
29. Click the options menu icon on the Most Common Errors by Host panel, and select Convert to
Prebuilt Panel.
• ID: bcg_webstore_panel_<panel_title>
Example: bcg_webstore_panel_most_common_errors_by_host
• Permissions: Private
30. Click Apply.
31. Click OK to confirm.
32. Repeat the above steps to convert two other panels:
• All Errors by Host
• All Status Errors by Location
33. Save the dashboard changes.
34. Navigate to: Settings > User Interface > Prebuilt Panels.
35. In the Owner dropdown, select your name.
36. In the App dropdown, select Advanced Dashboards & Visualizations (advdash).
37. Make sure all three of your prebuilt panels are listed:
• bcg_webstore_panel_all_errors_by_host
• bcg_webstore_panel_all_status_errors_by_location
• bcg_webstore_panel_most_common_errors_by_host
Challenge Lab Exercise (optional)
Create a Data Model
This challenge lab walks you through the process of creating a data model that can be accelerated. You
must first complete this challenge lab exercise if you intend to do the lab 3 challenge lab.
3. Click Create.
4. Add a root event dataset.
• Dataset Name: bcg dm ws root event
• Dataset ID: bcg_dm_ws_root_event
• Constraints: index=main sourcetype=access_combined
5. Preview events to verify the constraint is working properly, then save it.
15. Use the fields command to display all fields in the data model.
Hint: The datamodel fields are prefixed with: bcg_dm_ws_root_event
16. Examine the field values in the sidebar of the action*, price*, and product_name* fields.
Questions
Question 1: What is the difference between the values of:
bcg_dm_ws_root_event.action and bcg_dm_ws_root_event.action1?
__________________NULL values appear in action1____________________________
Lab Exercise 2 – Add Interactivity
Description
In this exercise you will use tokens to create cascading inputs that define a chart's search.
IMPORTANT: Perform all searches and save all knowledge objects in the Advanced Dashboards &
Visualizations course app.
Scenario: The sales team is impressed with the new server errors dashboard. They would like to add a
form to their app. The form should display a column chart of vendor data based on user input
for country, state or province, and city.
Working Example: Adv. Dash. & Visualizations > Lab Examples > Lab 2 - Add Interactivity - Example
Steps
Task 1: Create a form.
1. In the Lab Searches menu, click the search icon for Lab 2 - Search 1.
NOTE: The search is not intended to display results at this point. This is expected.
2. Save the search as a panel on a new dashboard:
• Dashboard: New
• Dashboard Title: Version 1 - Vendor Sales Analysis
• Dashboard ID: bcg_vendor_form_sales_analysis_v1
• Panel Title: All Vendor Sales
• Panel Powered By: Inline Search
NOTE: The panel will not populate until after you’ve added inputs in the next series of tasks.
Task 2: Add a token filter for quotes.
4. Click Edit.
5. Click the panel's search properties icon.
6. Click Edit Search.
7. Revise each of the three tokens to include a filter to wrap the value in quotes.
sourcetype=vendor_sales VendorCountry=$v_country_tok|s$
VendorStateProvince=$v_state_tok|s$ VendorCity=$v_city_tok|s$ | timechart count
8. Click Apply.
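Added example, not part of the Splunk lab materials: a Python check for the |s filter that Task 2 applies. It parses a Simple XML form, lists every token in a <query> that lacks |s (bare, or hand-quoted as "$token$", which does not escape quotes inside the value), and proposes the |s form. SAMPLE_FORM is constructed from searches shown in this guide; audit_queries and harden_query are names chosen for this example.

```python
import re
import xml.etree.ElementTree as ET

# $name$ or $name|filter$. A literal "$$" never matches.
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)(?:\|(\w+))?\$")
HAND_QUOTED_RE = re.compile(r'"\$([A-Za-z_][\w.]*)\$"')
BARE_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")

# Constructed sample: one input search and two panels modelled on this guide.
SAMPLE_FORM = """<form>
  <label>Constructed sample</label>
  <fieldset>
    <input type="dropdown" token="v_state_tok">
      <label>State/Province</label>
      <search>
        <query>sourcetype="vendor_sales" VendorCountry=$v_country_tok|s$ | stats count by "VendorStateProvince"</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>All Vendor Sales</title>
      <chart>
        <search>
          <query>sourcetype=vendor_sales VendorCountry=$v_country_tok$ VendorStateProvince=$v_state_tok|s$ VendorCity=$v_city_tok|s$ | timechart count</query>
        </search>
      </chart>
    </panel>
    <panel>
      <single>
        <title>City</title>
        <search>
          <query>sourcetype=access_combined status>399 clientip=* | iplocation clientip | search Country="$country_tok$" City="$city_tok$" | timechart count</query>
        </search>
      </single>
    </panel>
  </row>
</form>"""


def _context(elem, parents):
    """Nearest <title> or <label> above a <query>, so a finding is readable."""
    node = parents.get(elem)
    while node is not None:
        name = node.findtext("title") or node.findtext("label")
        if name:
            return name.strip()
        node = parents.get(node)
    return "(untitled)"


def audit_queries(simple_xml):
    """Return (context, token, kind) for each <query> token without |s."""
    root = ET.fromstring(simple_xml)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for query in root.iter("query"):
        text = query.text or ""
        for m in TOKEN_RE.finditer(text):
            name, flt = m.groups()
            if flt == "s":
                continue  # already wrapped and escaped by the filter
            quoted = (text[m.start() - 1:m.start()] == '"'
                      and text[m.end():m.end() + 1] == '"')
            if flt is not None:
                kind = "filter |" + flt
            elif quoted:
                kind = "hand-quoted"
            else:
                kind = "unfiltered"
            findings.append((_context(query, parents), name, kind))
    return findings


def harden_query(query_text):
    """Propose the |s form for hand-quoted and bare tokens (review before use)."""
    text = HAND_QUOTED_RE.sub(r"$\1|s$", query_text)
    return BARE_RE.sub(r"$\1|s$", text)


if __name__ == "__main__":
    for context, token, kind in audit_queries(SAMPLE_FORM):
        print(f"{context}: ${token}$ is {kind}; consider ${token}|s$")
```

Review each proposal before applying it: a token that supplies a field name or a search fragment rather than a value should not be quoted.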
Task 3: Add a menu input for country.
9. Click Edit.
10. Click +Add Input > Dropdown.
11. Click the Edit Input icon (pencil) and add the following settings:
General
• Label: Country
• Select: Search on Change
Token Options
• Token: v_country_tok
Static Options
• Name: All
• Value: *
Dynamic Options
• Search String: sourcetype="vendor_sales" | stats count by "VendorCountry"
• Time Input: Last 7 Days
• Field For Label: VendorCountry
• Field For Value: VendorCountry
Token Options
• Default: All
12. Click Apply, then click in the Country input and make sure a list of countries displays.
NOTE: If the input is not working, save the dashboard and refresh the browser. Also, check its settings
and search for typos.
Token Options
• Token: v_state_tok
Static Options
• Name: All
• Value: *
Dynamic Options
• Search String: sourcetype="vendor_sales" VendorCountry=$v_country_tok|s$ | stats count by "VendorStateProvince"
• Time Input: Last 7 Days
• Field for Label: VendorStateProvince
• Field for Value: VendorStateProvince
Token Options
• Default: All
15. Click Apply, then click in the State/Province input and make sure a list of states/provinces displays.
NOTE: If the input is not working, check its settings and search for typos.
Dynamic Options
• Search String: sourcetype="vendor_sales" VendorCountry=$v_country_tok|s$ VendorStateProvince=$v_state_tok|s$ | stats count by "VendorCity"
• Time Input: Last 7 Days
• Field for Label: VendorCity
• Field for Value: VendorCity
Token Options
• Default: All
18. Click Apply, then click in the City input and make sure a list of cities displays.
19. Change the All Vendor Sales panel visualization to a Column chart.
Lab Exercise 3 – Improve Performance
Description
In this exercise you will improve dashboard performance by creating and scheduling reports. Then,
improve it further by creating a global search and accelerating it.
IMPORTANT: When editing the simple XML, type the text manually or copy it from the dashboard editor
—not this document. Character formatting and artifacts created by the PDF generation
process can cause errors in the XML.
Scenario: The stakeholders have approved the prototype dashboard, with some requested changes:
- Make the dashboard load faster.
- Reduce the search load from this dashboard.
- Add two panels to show the dollar amount of purchases and lost sales in the past month.
Working Example: Adv. Dash. & Vis. > Lab Examples > Lab 3 - Improve Performance - Example
Steps
Task 1: Accelerate and schedule your reports.
Questions
Question 1: Why is acceleration not possible for bcg_webstore_report_status_errors_by_location?
_______________________________________________________________________
Task 3: Add a base search.
14. Open the Splunk XML Editor.
15. Locate the Base Search panel's search query.
16. Delete the opening and closing <row>, <panel>, <table> and <title> tags and all the options.
<dashboard>
<label>Version 2 - Web Store Server Errors</label>
<row>
<panel>
<title>Base Search</title>
<table>
<search>
...
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
17. Add an ID to the opening <search> tag: <search id="baseSearch">
<dashboard>
<label>Version 2 - Web Store Server Errors</label>
<search id="baseSearch">
...
18. Save the XML changes.
19. In the Lab Searches menu, click the search icon for Lab 3 - Search 2.
NOTE: This is a post-process search. It will not display results in the search view. This is normal
and expected.
24. Add a base attribute to the opening <search> tag: <search base="baseSearch">
...
<panel>
<title>Purchases &amp; Lost Sales</title>
<table>
<search base="baseSearch">
<query>
...
25. Delete the Purchases & Lost Sales panel's earliest, latest, and sampleRatio tags.
...
</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
...
26. Save the XML changes.
27. Format the panel to display a column chart in stacked mode with the legend on the bottom.
28. Save the dashboard changes.
29. In the Lab Searches menu, click the search icon for Lab 3 - Search 3.
NOTE: This is a post-process search. It will not display results in the search view. This is normal
and expected.
34. Add a base attribute to the opening <search> tag: <search base="baseSearch">
...
<panel>
<title>Purchases</title>
<table>
<search base="baseSearch">
<query>search product_name!=NULL action=purchase
| stats sum(price) as Purchases</query>
...
35. Delete the Purchases panel's earliest, latest, and sampleRatio tags.
...
<query>search product_name!=NULL action=purchase
| stats sum(price) as Purchases</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
...
39. In the Lab Searches menu, click the search icon for Lab 3 - Search 4.
NOTE: This is a post-process search. It will not display results in the search view. This is normal
and expected.
40. Save the search as a panel and add it to an existing dashboard:
• Dashboard: Version 2 - Web Store Server Errors
• Panel Title: Lost Sales
• Panel Powered By: Inline Search
41. Save, then view the dashboard.
42. Open the Splunk XML Editor.
43. Locate the XML for the Lost Sales panel.
44. Add a base attribute to the opening <search> tag: <search base="baseSearch">
...
<title>Lost Sales</title>
<table>
<search base="baseSearch">
<query>search product_name!=NULL action=remove
| stats sum(price) as LostSales</query>
...
45. Delete the Lost Sales panel's earliest, latest, and sampleRatio tags.
...
</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
...
46. Delete the closing row tag and opening row tags between the single value panels.
...
</single>
</panel>
</row>
<row>
<panel>
<table>
...
47. Save the XML changes.
48. Format the Lost Sales panel's visualization to display
as a single value with the following settings:
• Caption: Last 30 Days
• Use Colors: Yes
• Color Ranges:
– from min - 1, green (#65a637)
– from 1 - 1000, yellow (#f7bc38)
– from 1000 - max, red (#d93f3c)
• Number Format:
– Unit: $
– Unit Position: Before
49. Save the dashboard changes.
57. On the Most Common Errors by Host panel, click the Options icon.
58. Select Convert to Inline Panel.
59. Click Convert.
60. Click the Search Report icon.
61. Select the panel's report name, and click Clone to an Inline Search.
62. Click Clone to Inline Search.
63. Repeat the above steps for the remaining prebuilt panels:
• All Errors by Host
• All Status Errors by Location
68. Remove the earliest and latest tags.
...
</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
...
69. Locate the XML for the All Errors by Host panel, and repeat the above steps.
70. Save the XML changes and make sure all panels populate with data.
Task 10: Clear search jobs.
71. Open the Jobs page.
72. Make sure the App context is set to: Advanced Dashboards & Visualizations
73. Make sure the Owner is set to your name.
74. Delete your search history.
Task 11: Accelerate the global search.
75. Navigate to the Advanced Dashboards & Visualizations app.
76. Select Lab Dashboards > Version 2 - Web Store Server Errors.
77. Wait for all the panels to populate.
78. Return to the Jobs page.
79. Make sure the App context is set to: Advanced Dashboards & Visualizations
80. Make sure the Owner is set to your name.
81. Note the runtime for the base search.
___________________________________________________________________
NOTE: The base search begins with: | tstats summariesonly=f count from datamodel...
NOTE: The summariesonly argument only applies when using tstats against an accelerated data
model. When set to true, 'tstats' only generates results from the TSIDX data that has been
automatically generated by the acceleration.
NOTE: The revised base search begins with: | tstats summariesonly=t count from
datamodel="bcg_dm_ws_xl"
91. Compare the two search run times. Consider the percentage difference between them.
Challenge Lab Exercise (optional)
Use Your Accelerated Data Model
This exercise walks you through the process of accelerating the data model you created in the lab 1
challenge lab exercise. If you have not already completed that challenge lab, go back and finish it.
Then, return here.
IMPORTANT: Accelerating a data model requires administrator-level access. For the purposes
of this exercise you have been given this particular privilege.
Data model acceleration should be reserved for data models that are heavily used.
Summaries take up space, and sometimes a significant amount of it, so it's important
to avoid overuse of data model acceleration.
After you enable acceleration for a data model, Splunk begins building summaries
that span the range you've specified. It builds them in indexes with events that
contain the fields specified in the data model.
Splunk runs a search every 5 minutes to update existing summaries. It runs a
maintenance process every 30 minutes to remove outdated summaries. These
settings can be adjusted by a Splunk Administrator.
18. Make sure the Owner is set to your name.
19. Select all searches, and click Delete.
20. Click Delete to confirm.
21. Repeat the above steps until all jobs have been deleted.
NOTE: After saving the XML, if your panels show the message: "Error in 'TsidxStats': Could not
find datamodel.", look for typos in the XML. Compare the spelling of the data model ID in the
XML to the actual data model ID spelling.
27. Return to the search jobs page and make a note of the run time for the base search.
______________________________________________________________________
28. Compare the search time to the base search run time that used the un-accelerated data model.
Consider the percentage difference in the times.
Lab Exercise 4 – Customizing Dashboards
Description
Once you have a high-performance dashboard that displays the data your stakeholders require, make
UI customizations.
IMPORTANT: When editing XML, type the text manually or copy it from the dashboard editor, not from
this document. Character formatting and artifacts created by the PDF generation process can
cause errors in the XML.
Scenario: The stakeholders have approved the higher-performance dashboard. Now they'd like a few
UI customizations, including:
- Use the company's brand colors for the chart of purchases and lost sales.
- Hide the search controls for all the panels.
- Set the refresh time for the panels.
- Change the server table's cell colors to match severity of the value shown.
- Change the marker map to display bubbles instead of pies.
Working Example: Adv. Dash. & Vis. > Lab Examples > Lab 4 - Customizing Dashboards - Example
Steps
Task 1: Customize chart colors.
1. Navigate to the Version 2 - Web Store Server Errors dashboard.
2. Clone the dashboard.
• Title: Version 3 - Web Store Server Errors
Note: Remove the word Clone from the end of the title.
• ID: bcg_webstore_dash_v3_server_errors
3. View the cloned dashboard.
4. Open the Splunk XML Editor.
5. Locate the option tags for the Purchases & Lost Sales panel.
6. Add a charting.fieldColors property to set the Purchases to orange (0xEFC94C) and the Lost Sales
field to red (0xED553B).
...
<option name="charting.legend.placement">bottom</option>
<option name="charting.fieldColors">{"Purchases":0xEFC94C,"Lost Sales":0xED553B}</option>
</chart>
</panel>
</row>
...
7. Save the XML changes.
8. Make sure the Purchases & Lost Sales panel's colors have changed to orange and red.
Task 2: Hide search controls.
9. Open the XML Editor.
10. Locate the option tags for the Purchases & Lost Sales panel.
11. Add chart properties to hide the following panel link buttons.
For example: <option name="refresh.link.visible">0</option>
• Refresh Link: refresh.link.visible
• Inspect button: link.inspectSearch.visible
• Export Results button: link.exportResults.visible
• Open Search button: link.openSearch.visible
Task 3: Set the panel refresh indicator.
Task 5: Add column summaries and cell colors.
45. Repeat the above steps for the two remaining status columns.
46. Save the dashboard changes.
Challenge Lab Exercise (optional)
This exercise walks you through the process of making the cluster map display bubbles instead of pie
charts. The bubbles will be assigned colors using a rangemap and scale in size based on event counts.
Task 1: Search for web store server error locations.
1. Search online transactions for all client IP addresses and HTTP error codes for the last 30 days.
Hint: status>399
2. Eliminate duplicate client IP addresses and hosts.
3. Extract the IP location for each error.
Hint: iplocation
4. Count the total number of events for each location and store it as TOTAL.
Hint: geostats
6. Create a new field for each location called ELEVATED. If the value of TOTAL is greater than or equal
to 50 and less than 100, set ELEVATED to the value in the TOTAL field. Otherwise, set it to 0.
7. Create a new field for each location called LOW. If the value of TOTAL is less than 50 set LOW to the
value in the TOTAL field. Otherwise, set it to 0.
8. Remove the TOTAL field, so that you plot SEVERE, ELEVATED, and LOW rather than TOTAL.
15. Add the mapping.fieldColors property to set the map's bubble colors to green (0x339966), yellow
(0xFFCC99), red (0xCC6633).
...
<option name="mapping.type">marker</option>
<option name="refresh.display">none</option>
<option name="refresh.link.visible">0</option>
<option name="mapping.fieldColors">{LOW:0x339966,ELEVATED:0xffCC99,SEVERE:0xCC6633}</option>
</map>
</panel>
</row>
</dashboard>
...
16. Save the XML changes.
17. Make sure the panel has updated to bubble markers.
Lab Exercise 5: Use Event Handlers
Description
In this exercise you will use the <selection> and <set> elements to capture a time range from one chart
and apply it to another chart on the same dashboard. This is referred to as a Pan & Zoom. Then, you'll
add a dynamic drilldown from the Sales by Category bar chart to a new form.
Scenario: The sales team likes the Vendor Sales Analysis form. They want to add a bar chart of sales
by category based on user input from the cascading menus and a time range selection on
the column chart.
They also want to add a dynamic drilldown to the sales by category bar chart that takes
users to a different form displaying information based on which category in the chart
was clicked.
Working Example: Adv. Dash. & Vis. > Lab Examples > Lab 5 - Use Event Handlers - Example
Task 1: Add the Sales by Category chart.
3. In the Lab Searches menu, click the search icon for Lab 5 - Search 1.
NOTE: The search is not intended to display results at this point. This is normal and expected.
Task 4: Add a visualization event handler.
14. Locate the XML for the All Vendor Sales chart.
15. Add the following <selection> XML before the closing </chart> tag:
...
<option name="charting.chart">column</option>
<selection>
<set token="selection.earliest">$start$</set>
<set token="selection.latest">$end$</set>
</selection>
</chart>
...
16. Locate the XML for the bar chart.
17. Delete the sampleRatio element.
18. Replace the existing earliest and latest settings with predefined, time selection tokens.
...
</query>
<earliest>-30d@d</earliest> <!-- remove -->
<latest>now</latest> <!-- remove -->
<sampleRatio>1</sampleRatio> <!-- remove -->
<earliest>$selection.earliest$</earliest> <!-- add -->
<latest>$selection.latest$</latest> <!-- add -->
</search>
...
19. Save the XML changes.
Task 5: Test the cascading menus and event handler.
20. Select a Country, State/Province, and City.
21. Reduce the time range by clicking and dragging on the All Vendor Sales visualization.
22. Notice the bar chart update after making a selection on the All Vendor Sales column chart.
Task 6: Add a dynamic drilldown.
23. Open the XML Editor.
24. Locate the XML for the bar chart visualization.
25. Add the following <drilldown> and <link> XML below the option tags:
...
<option name="charting.chart">bar</option>
<drilldown>
<link>
<![CDATA[/app/advdash/bcg_vendor_sales_drilldown_dest?form.categoryId=$click.value$&earliest=$earliest$&latest=$latest$]]>
</link>
</drilldown>
</chart>
</panel>
</row>
</form>
NOTE: If you copy and paste the above text, watch for extra spaces.
27. In the Lab Searches menu, click the search icon for Lab 5 - Search 2.
NOTE: This search is not intended to display results at this point. This is normal and expected.
Task 9: Add a time input.
NOTE: This time input will not display the new default time range until the dashboard changes
are saved.
34. Click the search properties icon on the Sales Trend panel.
35. Select Edit Search.
36. In the Time Range Scope dropdown, select: Shared Time Picker (global).
37. Click Apply.
38. Save the dashboard.
Task 10: Test the dynamic drilldown.
39. Select Lab Dashboards > Version 2 - Vendor Sales Analysis
40. Select a Country, State/Province, and City.
41. Reduce the time range by clicking and dragging on the All Vendor Sales chart.
42. Click one of the categories on the bar chart.
The drilldown destination form should open and populate with the category you clicked on, and the
time range should display the custom time range value passed from the Version 1 - Vendor Sales
Analysis form.
Challenge Lab Exercise (optional)
Add a selected time range to the panel title.
In your dashboard you have a pan & zoom that shows a selection in the top panel visually. Yet the bar
chart doesn't show the time range. Using tokens to add the selected time range to the bar chart's title is
an easy way to show this.
Lab Exercise 6 – Add Advanced Visualizations
Description
In this exercise you will use simple XML extensions to add advanced visualizations and behaviors to a
dashboard. The dashboard will include a horizon chart. A horizon chart is similar to an area chart that is
restricted to a smaller vertical space. Portions of the chart that fall above or below the defined area are
shown in shades of the main color or different colors.
Scenario: The web marketing team has seen the sales team's web store server errors dashboard and
would like something similar but with a greater emphasis on status errors. The dashboard
should allow users to select a time range, and locations by country or city.
It should have panels that display metrics for the following:
- Global server errors
- Global status errors over time
- Server errors by country
- Server errors by city
- Top 10 status errors
- Top 10 status errors by day of week
Working Example: Adv. Dash. & Vis. > Lab Examples > Lab 6 - Add Advanced Visualizations - Example
Steps
Task 1: Create a new dashboard.
1. In the Lab Searches menu, click the search icon for Lab 6 - Search 1.
2. Display the results as a Single Value visualization.
3. Save the search as a panel on a new dashboard:
• Dashboard Title: Version 1 - Mktg - Web Server Errors
• Dashboard ID: mktg_web_dash_server_errors_v1
• Permissions: Private
• Panel Powered By: Inline Search
• Panel Content: Single Value
4. Save, then view the dashboard.
NOTE: If the input is not working, check its settings for typos. Also, reload the web page and try again.
Task 5: Add a panel that shows status errors for all locations.
Task 6: Add a panel that shows status errors for a selected city.
19. Copy the XML for the Country panel, and paste it on the same row, after the existing Country panel.
20. Revise the visualization panel to: City
21. Revise the search to use the current value of the city token: City="$city_tok$"
...
</panel>
<panel>
<single>
<title>City</title>
<search>
<query>sourcetype=access_combined status>399 clientip=*
| iplocation clientip | search Country="$country_tok$"
City="$city_tok$" | timechart count</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
...
</single>
</panel>
</row>
</form>
22. Delete the opening and closing panel tags between the Country and City visualizations.
...
</single>
</panel>
<panel>
<single>
<title>City</title>
...
23. Save the XML changes.
The three single-value visualizations should now display on the same row, in two panels.
Task 7: Revise each visualization's search to use the Shared Time Picker.
31. Select a Country, City, and time from the dropdown menus.
32. Verify the Country and City panel values update to reflect your input choices.
Task 10: Add a prebuilt panel that displays a table of the top 10 status errors.
NOTE: These two files have already been uploaded to the /appserver/static directory of the course app.
You can find them after class in the Splunk Dashboard Examples app on Splunkbase.
41. Locate the XML for the Top 10 Status Errors table.
42. Add an id to the table opening tag: id="table1"
...
<row>
<panel>
<title>Top 10 Status Errors</title>
<table id="table1">
...
43. Save the XML changes.
Task 12: Use simple XML extensions to display a punchcard visualization.
44. Enter dashboard edit mode.
45. Add a prebuilt panel: Lab 6 - Top 10 Server Errors by Day of Week
46. Convert the panel to an inline panel.
47. Revise the panel title to: Top 10 Server Errors by Day of Week
48. Position the panel on the right of the Top 10 Status Errors panel.
49. Open the XML Editor.
50. Locate the <form> tag and add a script reference for autodiscover.js followed by a comma.
<form script="autodiscover.js, table_data_bar.js" stylesheet="table_data_bar.css">
<label>Version 1 - Mktg - Web Server Errors</label>
...
51. Locate the XML for the Top 10 Server Errors by Day of Week panel.
52. Remove the opening and closing <table> </table> tags.
53. Revise the <search> tag to have an id: <search id="punchcard_search">
...
<panel>
<title>Top 10 Server Errors by Day of Week</title>
<table>
<search id="punchcard_search">
<query>sourcetype=access_combined status>399 clientip=*
| iplocation clientip
| search Country="$country_tok$" City="$city_tok$"
| eval wday=strftime(_time, "%a")
| top wday, description</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
</table>
</panel>
</row>
...
54. Add opening and closing <html> </html> tags after the closing </search> tag.
...
</search>
<html>
</html>
</panel>
</row>
</form>
55. Add <div> tag references and data options:
...
<html>
<!-- Add code from step 55 Lab 6 Supporting File.txt here -->
</html>
...
56. Save the XML changes.
57. Reload the browser and make sure the punchcard visualization displays.
NOTE: When adding single quotes, use escaped single quotes for the settings nested under the
data-options element, as shown in the supporting file's code.
If the punchcard panel does not display properly, check for typos in the XML or a missed step, or
copy the code again from the supporting file.
Token Options
• Token: unused
Note: Type the text: unused
Static Options
Name Value
Horizon horizon
Column column
Table table
Token Options
• Default: Horizon
69. Add opening and closing <change></change> tags after the closing </choice> tag for Table.
70. Add opening and closing <condition></condition> tags between the <change></change> tags.
...
<choice value="table">Table</choice>
<change>
<condition>
</condition>
</change>
<default>horizon</default>
</input>
...
71. Add the attribute value="horizon" to the opening <condition> tag.
<choice value="table">Table</choice>
<change>
<condition value="horizon">
</condition>
</change>
<default>horizon</default>
</input>
...
72. Add open and closing <unset token> tags for the token showTable between the <condition> tags.
73. Add open and closing <unset token> tags for the token showCol between the <condition> tags.
74. Add open and closing <set token> tags for the token showHorizon between the <condition> tags
and set the value to true.
...
<choice value="table">Table</choice>
<change>
<condition value="horizon">
<unset token="showTable"></unset>
<unset token="showCol"></unset>
<set token="showHorizon">true</set>
</condition>
</change>
...
75. Repeat the above steps, adding condition, unset, and set token tags with the appropriate tokens
for the two remaining visualizations, column and table.
...
<change>
<condition value="horizon">
<unset token="showTable"></unset>
<unset token="showCol"></unset>
<set token="showHorizon">true</set>
</condition>
<condition value="column">
<unset token="showTable"></unset>
<set token="showCol">true</set>
<unset token="showHorizon"></unset>
</condition>
<condition value="table">
<set token="showTable">true</set>
<unset token="showCol"></unset>
<unset token="showHorizon"></unset>
</condition>
</change>
...
76. Revise the Lab 6 - Chart 1 panel title to be: All Status Errors
...
<row>
<panel>
<title>All Status Errors</title>
<input type="link" token="unused" searchWhenChanged="true">
...
77. Locate the XML for the horizon chart visualization.
78. Add an id and a depends attribute to the <viz> tag: id="horizon" depends="$showHorizon$"
...
<default>horizon</default>
</input>
<viz id="horizon" depends="$showHorizon$" type="horizon_chart_app.horizon_chart">
<search>
...
79. Locate the XML for Lab 6 - Chart 2.
80. Delete the title.
...
<row>
<panel>
<title>Lab 6 - Chart 2</title>
<chart>
<search>
...
81. Add an id and a depends attribute to the <chart> tag: id="column" depends="$showCol$"
...
<panel>
<chart id="column" depends="$showCol$">
...
82. Locate the XML for Lab 6 - Chart 3.
83. Delete the title tag and its contents.
...
<row>
<panel>
<title>Lab 6 - Chart 3</title>
<table>
<search>
...
84. Add an id and a depends attribute to the <table> tag: id="table" depends="$showTable$"
...
<panel>
<table id="table" depends="$showTable$">
...
85. Save the XML changes.
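A visualization whose depends token is never set simply stays hidden, and a condition that forgets to unset a token leaves the previous chart on screen, so it helps to check the token wiring from steps 69 to 85 before reloading the browser. The Python script below is an added example and is not part of the Splunk lab materials; the function name check_toggle and the trimmed SAMPLE dashboard are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

TOKEN_REF = re.compile(r"\$([^$]+)\$")

# Constructed sample: the link input and three visualizations from steps 69-85,
# trimmed to the toggle logic (searches and options omitted).
SAMPLE = """<form><row><panel>
<input type="link" token="unused" searchWhenChanged="true">
<choice value="horizon">Horizon</choice><choice value="column">Column</choice><choice value="table">Table</choice>
<change>
<condition value="horizon"><unset token="showTable"/><unset token="showCol"/><set token="showHorizon">true</set></condition>
<condition value="column"><unset token="showTable"/><set token="showCol">true</set><unset token="showHorizon"/></condition>
<condition value="table"><set token="showTable">true</set><unset token="showCol"/><unset token="showHorizon"/></condition>
</change><default>horizon</default></input>
<viz id="horizon" depends="$showHorizon$" type="horizon_chart_app.horizon_chart"/>
</panel><panel><chart id="column" depends="$showCol$"/></panel>
<panel><table id="table" depends="$showTable$"/></panel></row></form>"""

def check_toggle(xml_text):
    """Return a list of problems in a token-driven show/hide dashboard."""
    try:
        root = ET.fromstring(xml_text)  # parse only dashboard source you trust
    except ET.ParseError as exc:
        return [f"XML is not well-formed: {exc}"]
    problems, needed, ever_set = [], {}, set()
    for el in root.iter():  # tokens that a depends attribute waits for
        for tok in TOKEN_REF.findall(el.get("depends", "")):
            needed.setdefault(tok, []).append(el.get("id", el.tag))
    for inp in root.iter("input"):
        ever_set.add(inp.get("token"))  # the input's own token counts as set
        change = inp.find("change")
        if change is None:
            continue
        ever_set |= {s.get("token") for s in change.iter("set")}
        conds = {c.get("value"): c for c in change.findall("condition")}
        if not conds:  # a bare <change> (label tokens) has nothing to toggle
            continue
        for choice in inp.findall("choice"):
            if choice.get("value") not in conds:
                problems.append(f"choice '{choice.get('value')}' has no <condition>")
        group = {t.get("token") for t in change.iter() if t.tag in ("set", "unset")}
        for value, cond in conds.items():
            touched = {t.get("token") for t in cond if t.tag in ("set", "unset")}
            for tok in sorted(group - touched):  # neither set nor unset here
                problems.append(f"condition '{value}' leaves {tok} untouched")
    for tok in sorted(set(needed) - ever_set):
        problems.append(f"depends token {tok} on {', '.join(needed[tok])} is never set")
    return problems
```

Paste the dashboard source from the XML editor into a string and pass it to check_toggle; an empty list means every choice has a condition, every condition sets or unsets each toggle token, and every depends token is set somewhere.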
Task 17: Format the Horizon Chart.
86. Format the horizon chart visualization with the following settings:
General
• Number of bands: 2
• Calculate relative change: No
• Show change in: Absolute value
• Smooth: Yes
Colors
• Negative color: Blue (6db7c6)
• Positive color: Red (d93f3c)
87. Save the XML changes.
88. Test the Horizon, Column, and Table links.
Challenge Lab Exercise (optional)
Add Dynamic Labels
Scenario: The web marketing team likes the dashboard. However, they'd like it to also have dynamic
labels for the single value panels.
- Make the country and city panel titles reflect the selections in the dropdown menus.
- Make the single value captions display the time range selected.
Task 2: Add form input event tokens
8. Repeat the above steps for the City input with the token: input2_label
...
<choice value="*">All Cities</choice>
<default>*</default>
<change>
<set token="input2_label">$label$</set>
</change>
</input>
...
9. Repeat the above steps for the Time input with the token: input3_label
...
<input type="time" token="time_tok" searchWhenChanged="true">
<label></label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
<change>
<set token="input3_label">$label$</set>
</change>
</input>
...
10. Save the XML changes.
Task 3: Add input label tokens to the single value visualization titles
11. Open the dashboard editor.
12. Revise the Country visualization title to use the value token for the country input.
$input1_label$
13. Revise the City visualization title to use the value token for the city input.
$input2_label$
NOTE: If a label isn't updated, open the XML editor and look for typos in the input change element or
the caption property.