SFBA Splunk Usergroup meeting May 3, 2023

© 2019 SPLUNK INC.
Crash Course in Dashboard Studio
Lizzy Li, Sr Manager, Dashboards, Splunk

© 2023 SPLUNK INC.
A crash course
in Dashboard
Studio
May 2023

© 2023 SPLUNK INC.
Lizzy Li
Principal Product Manager
Splunk Dashboards & Analytics Workspace

© 2019 SPLUNK INC.
Agenda
Note: You will see
features that are new
as of Splunk Cloud
Platform 9.0.2303.
1) Dashboard Studio: 10,000 ft
view
○ Classic (SimpleXML) & Dashboard
Studio comparison
2) New paradigms in
Dashboard Studio
○ How to read the dashboard
definition
○ How to achieve common Classic
use cases in Dashboard Studio
3) Demo
4) Roadmap
5) Q&A

Put your hand up if…
● You've heard of Dashboard Studio

● You've tried Dashboard Studio (just once counts!)

● You've built multiple dashboards in Dashboard Studio

● You've built multiple dashboards in Dashboard Studio
● You like building with Dashboard Studio

● There are features you need that are missing in Dashboard
Studio

● There are features you need that are missing in Dashboard
Studio
● You just prefer Classic (SimpleXML) dashboards

Dashboard
Studio is the
next generation
of Splunk
dashboards
Designed for intuitive
point-and-click building,
while maintaining
flexibility for advanced
use cases.

Why is Splunk building a new dashboard
framework?
We listened to customers and heard the following about Classic dashboards:
● Hard to get something polished enough for execs or high visibility monitors
● Hard for less technical users to do much beyond the basics
● Easy to get started, but hard to master optimizing dashboards or building
more advanced use cases

© 2019 SPLUNK INC.
Key features Classic
Dashboard
Studio
Data sources
ad-hoc, base and post-process, saved
searches
✅ ✅
Standard charts
axes charts, maps, single values
✅ ✅
3rd party visualizations ✅ ❌
Inputs ✅ ✅
Interactivity
link to other pages, set and pass tokens
✅ ✅
Tokenization
eval, set, condition; search-based tokens
✅ ✅
logic can be included
in SPL
Sharing
scheduled email export, export to CSV
🚧
scheduled export,
limited csv export
🚧
png/pdf export
csv export
Classic
vs.
Studio
As of Splunk Cloud
9.0.2303
See release notes

New
paradigms
in
Dashboard
Studio

First we need to understand how the dashboard
definition is structured
Every dashboard has:
● title
● description
● dataSources
● visualizations
● defaults
● inputs
● layout

dataSources
● Data sources include ad-hoc
searches, base and chain
searches, and saved searches
○ Chain searches are easier to configure
now too!
"ds_fWuYtYEz": {
"type": "ds.search",
"options": {
"query": "index=tutorial
action=purchase status=200 | stats
count(productName) as "Quantity"
values(price) as Price by productName,
clientip, categoryId | eval
Revenue=Quantity*Price"
},
"name": "Purchases"

now too!
● Data sources are now
independent from visualizations
and inputs
○ This means that data sources can be
referenced by multiple visualizations
and inputs
dataSources
"ds_fWuYtYEz": {
"options": {
},
"name": "Purchases"

dataSources
now too!
● Data sources are now
independent from visualizations
and inputs
○ This means that data sources can be
referenced by multiple visualizations
and inputs
● Data sources are identified by a
unique identifier (e.g.
"ds_fWuYtYEz": {
"options": {
},
"name": "Purchases"

visualizations
● Visualizations reference data
sources via data source ID
○ Secondary data sources may be added
for annotations or field summaries for
Events Viewer viz
"viz_LcdCtHCD": {
"type": "splunk.singlevalue",
"dataSources": {
"primary": "ds_lRYLqjC2"
},
"title": "Total unique customers",
"options": {
"majorValue": "> sparklineValues | lastPoint()",
"trendValue": "> sparklineValues | delta(-2)",
"sparklineValues": "> primary |
seriesByName('customers')"
}
}

visualizations
● Visualizations reference data
sources via data source ID
○ Secondary data sources may be added
for annotations or field summaries for
Events Viewer viz
● Visualizations allow for more
flexibility in what from the data
source is displayed
○ sparklineValues
○ majorValue
○ trendValue
"viz_LcdCtHCD": {
"type": "splunk.singlevalue",
"dataSources": {
"primary": "ds_lRYLqjC2"
},
"title": "Total unique customers",
"options": {
"majorValue": "> sparklineValues | lastPoint()",
"trendValue": "> sparklineValues | delta(-2)",
"sparklineValues": "> primary |
seriesByName('customers')"
}
}

defaults
● Set options once to apply to
multiple data sources or
visualizations
○ Data source time range
○ Visualization options
"defaults": {
"dataSources": {
"ds.search": {
"options": {
"queryParameters": {
"latest": "0",
"earliest": ""
}
}
}
},
"visualizations":{
"global":{
"showProgressBar": true
},
"splunk.singlevalue":{
"backgroundColor":"#ffffff"
}
},
"tokens": {
"default": {
"customer": {
"value": "*"
}
}
}

defaults
visualizations
● Defaults can be set at a global or
type-specific level
○ Global: showProgressBar
○ Single values: backgroundColor
"defaults": {
"dataSources": {
"ds.search": {
"options": {
"latest": "0",
"earliest": ""
}
}
}
},
"visualizations":{
"global":{
},
}
},
"tokens": {
"default": {
"customer": {
"value": "*"
}
}
}

defaults
visualizations
● Defaults can be set at a global or
type-specific level
○ Global: showProgressBar
○ Single values: backgroundColor
● Specify default token values
○ Except input defaults, which are set in
the inputs section
"defaults": {
"dataSources": {
"ds.search": {
"options": {
"latest": "0",
"earliest": ""
}
}
}
},
"visualizations":{
"global":{
},
}
},
"tokens": {
"default": {
"customer": {
"value": "*"
}
}
}

New paradigms in Dashboard Studio
1. Data sources are independent from inputs and visualizations, and you
can specify what from the data source is displayed in the visualization.
This means you can possibly use fewer searches that return more fields, for
reuse by multiple visualizations. This can help with performance and
resource utilization.

New paradigms in Dashboard Studio
1. Data sources are independent from inputs and visualizations, and you
can specify what from the data source is displayed in the visualization.
This means you can possibly use fewer searches that return more fields, for
reuse by multiple visualizations. This can help with performance and
resource utilization.
2. You can reference search results and metadata directly as tokens.
This means you can move tokenization logic into a search, and set search
results as token values.

© 2021 SPLUNK INC.
© 2023 SPLUNK INC.
How to achieve common Classic
use cases in Dashboard Studio

© 2021 SPLUNK INC.
© 2023 SPLUNK INC.
Use case 1: token manipulation

Classic (Simple XML) example
Let's consider how we might set search results as tokens in a Classic
dashboard:
<search>
<query>...</query>
<done>
<set token="user_error">result.UserError</set>
<set token="server_error">result.ServerError</set>
</done>
</search>
This requires manual source code editing and setting multiple token values.

Dashboard Studio example
In Dashboard Studio, you just need to select
"Use search results or job status as
tokens"
Then reference results using the format
$datasource name:result.<fieldname>$
Examples:
● $Interaction status:UserError$
● $Interaction status:ServerError$
No manual source code editing required, no
additional token logic to define.

© 2021 SPLUNK INC.
© 2023 SPLUNK INC.
Use case 2: show/hide panels

Let's consider how we might show/hide panels in a Classic dashboard:
● Specify logic to set and unset a token
● Add a "depends" to the desired visualization to display when the token set
and hide when unset
This requires manual source code editing and possibly adding unset logic to
multiple places in the dashboard.

In Dashboard Studio, you just need to select
"When data is unavailable, hide element"
● For many use cases, this is likely all you
need
● For more complex use cases, you can set
up your search so that it does not return
results when you want to hide the
element
No manual source code editing required, no
additional token logic to define.

© 2021 SPLUNK INC.
© 2023 SPLUNK INC.
Use case 3: visual design

Let's consider how we might apply visual designs in a Classic dashboard:
● Custom JS
● Custom CSS
● Custom HTML panels
This requires higher technical skills, bundling .js and .css with your app, and
manual source code editing.

In Dashboard Studio, you just need
to
● Point-and-click support to edit
layout, size, and layering of
objects
● Add images via upload or URL
reference
○ Use images to add corporate logos
○ Use images to layer metrics on top
● GUI for changing colors, adding
markdown, and other styling

What's next for Dashboard Studio?
Advanced
interactivity +
layouts
Show/hide panels,
tabbed dashboards,
token logic builder
Ease of use
improvements
UI for all key options
and workflows,
templates,
grouping + layering
objects
More sharing
options
Export to .json, .html,
easier image export,
scheduled email
export
Classic to
Studio
conversion
Automated
conversion, post
conversion report
Subject to change

About CSV lookups
● Splunk provides handy CSV lookups.
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ConfigureCSVlookups
CSV lookups match field values from your events to field values in the static table represented by a CSV file. Then they output
corresponding field values from that table to your events

How do I add lookups to Splunk?
1. Run a Splunk search that has the data and use outputlookup
index=animal_data | outputlookup ug_demo.csv
2. Use Settings -> Lookups -> Add New

How do I add lookups to Splunk? (continued)
3. Use the Splunkbase lookup editor https://splunkbase.splunk.com/app/1724
App provides endpoint to upload lookups that is search head cluster aware. You can upload
once and store on all heads in your search head cluster!

But how do we upload CSV via the command line?
● Splunk community user mthcht created a Python 3 script to upload a directory
of lookup files to Splunk
https://github.com/mthcht/lookup-editor_scripts
● The upload script enumerates all files in a given directory
● For each file
○ Opens and reads the lookup file into memory
○ Sends a POST request to the Splunk server/management port using the endpoint
/services/data/lookup_edit/lookup_contents with the contents of the file in
json format

My modifications
● https://github.com/beckyburwell/splunk_rest_upload_lookups
splunk_rest_upload_lookups.py splunk_head_url lookup_file splunk_app
● Copied mthcht uploads script as follows
○ Modified it to upload a single lookup file, not a directory of lookups
○ Let the user pass in the Splunk host URL and long with management port
○ Pass in the name of one lookup file
○ Pass in the name of the Splunk app to upload to
○ Changed the hard-coding of the Splunk username and password to prompt the user

Script demo
$ cat ~/ug_demo.csv
animal,color
"cat","tabby"
"dog","black"

How to make more useful?
● Use in script:
○ Script prompts for Splunk admin and password
○ Change that to a secure way of obtaining the credentials; don’t prompt for username/password

Notes on Permissions
● In order to use the script, the user needs to be able to store knowledge
objects into the app
● By default, the search app is only writable to power and admin
● Users should upload to an app they have access to

Summary of Requirements
● Access to Python 3
● Splunk Lookup Editor installed on Splunk search heads
● User access to the app you want to store the lookups in

Acknowledgements and Thanks
● Thanks to community user mthcht
● Thanks to my colleague Paras Jain, who tested my script and gave me
feedback

© 2019 SPLUNK INC.
Title and Content
Phasellus et nisi lacus, mauris ultricies arcu faucibus orci sit
Donec fermentum sollicitudin neque, nec viverra neque lacinia eu
Donec mattis tortor vitae egestas pulvinar
• Vivamus eu dignissim turpis
Nunc eu cursus est, at ullamcorper dui
Optional subtitle

SFBA Splunk Usergroup meeting May 3, 2023

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to SFBA Splunk Usergroup meeting May 3, 2023

Similar to SFBA Splunk Usergroup meeting May 3, 2023 (20)

More from Becky Burwell

More from Becky Burwell (13)

Recently uploaded

Recently uploaded (20)

SFBA Splunk Usergroup meeting May 3, 2023