
# Making Pretty Charts in Splunk

Splunk Users' Conference 2010 session: how to effectively use Splunk to create compelling charts

### Making Pretty Charts in Splunk

1. 1. Building pretty charts
2. 2. Johnvey Hwang, Splunk Inc.
3. 3. Agenda: Prep, Visualize, Build it, Automate, Polish
4. 4. Q: Why are you making a chart? COMM153: Business Graphics, Fall 2010, Midterm exam
5. 5. GraphJam.com
6. 6. Step 1: Prep
7. 7. What data is available?
8. 8. Who is going to read it?
9. 10. Decision Step 2: Visualize
10. 12. Finished NOC dashboard
11. 13. Tables are sexy.
12. 14. Q2 Revenue $17.5B. So are numbers.
13. 15. Column chart
14. 16. Line chart
15. 17. Line chart (split)
16. 18. Area chart (100% stacked)
17. 19. Pie charts suck: Is 'Georgian' half or a third of 'Hawaiian'? Is this linear, geometric, or exponential?
18. 20. Pie chart remedy
19. 21. Trending is better Pulse = 90 vs.  
20. 22. Time range: real-time. Requires immediate response; 30 second to 1 hour window.
21. 23. Time range: historical. Multiple day to month window; time to respond is in weeks or months.
22. 24. Step 3: Build it
23. 25. Report builder
24. 26. Advanced charting view See search box and chart on one page
25. 27. Search language: overview. `index=main error datacenter=SFO | timechart avg(bytes) by host` (event search clause, then transforming clause). Over 100 search commands are available.
26. 28. The dataset

    | _time | _raw | host | field1 |
    |---|---|---|---|
    | 18283495832 | 2010-08-10 08:52:01 ERROR: something went wrong on server | Prod_apache_1 | ERROR |
    | 18383827123 | 2010-08-10 08:52:01 INFO: redirect to a better page | Prod_apache_2 | INFO |

27. 29. Search language: timechart
    - `... | timechart span=1h count`: count the number of events per hour
    - `... | timechart avg(delay) by host`: calculate the average delay and track each host separately
    - `... | timechart avg(delay) min(delay) max(delay)`: calculate the average, minimum, and maximum delays per auto-bucket
28. 30. Search language: timechart. `index=_internal | timechart count by group`
29. 31. Search language: top
    - `... | top limit=50 users`: list the top 50 users
    - `... | top major_version, minor_version`: list the top (10) combinations of major and minor versions
    - `... | top source by host`: list the top sources grouped by most frequent host
30. 32. Search language: top. `index=_internal source="*access.log" | top uri_path | fields uri_path count`
31. 33. Search language: chart
    - `... | chart avg(delay) by sender`: list the average delay for every sender
    - `... | chart max(bytes) over clientip by uri useother=f`: list the maximum bytes of the top 'uri' for every 'clientip'
32. 34. Search language: chart. `index=_internal source="*access.log" | chart avg(bytes) by clientip`
33. 35. Search language: ctable
    - `... | ctable clientip http_status`: list every combination of 'clientip' and 'http_status' and their frequencies
    - `... | ctable clientip http_status maxcols=10`: as above, restricted to a maximum of 10 http_status columns
34. 36. Search language: ctable. `index=_internal source="*access.log" | ctable clientip status maxcols=10 maxrows=10`
35. 37. Search language: more
    - `stats`: average, min, max, stdev, distinct count, mode, variance, ...
    - `streamstats`: calculate running statistics up to the current event
    - `rangemap`: bucket results into ranges like 'low', 'medium', 'high'
    - `kmeans`: partition results into k-means clusters
    - `trendline`: calculate moving averages
    - `accum`: create a new field holding the running total of any field
36. 38. Step 4: Automate
37. 39. Schedule it: let Splunk run the search on your behalf; view results immediately; avoid unnecessary server load; receive automated alerts
38. 40. Assemble dashboards
39. 41. Step 5: Polish
40. 42. What can you change? View CSS; chart properties
41. 44. Custom CSS
    1. Add custom CSS files to the app: `$SPLUNK_HOME/etc/apps/<APP_NAME>/appserver/static/<FOO>.css`
    2. Restart splunkweb (only on first create)
    3. Add to view: `<view stylesheet="FOO.css">`
    4. Save to: `$SPLUNK_HOME/etc/apps/<APP_NAME>/default/data/ui/views/<NAME>.css`
42. 46. Charting properties. Hundreds of different properties are available, for example:
    - Common property to change tick label visibility: `charting.primaryAxis.majorLabelVisibility = hide`
    - Area chart type-specific series stacking mode: `charting.AreaChart.stackMode = stacked100`
    - Common legend label width: `charting.legend.labelStyle.maximumWidth = 500`
43. 48. Simple XML form

    ```xml
    <dashboard>
      <label>My dashboard</label>
      <row>
        <chart>
          <searchName>My saved report</searchName>
          <option name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</option>
          <option name="charting.legend.placement">top</option>
        </chart>
      </row>
    </dashboard>
    ```

44. 49. Advanced XML form

    ```xml
    ...
    <module name="HiddenChartFormatter">
      <param name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</param>
      <param name="charting.legend.placement">top</param>
      <module name="FlashChart" />
    </module>
    ...
    ```

45. 50. More help
    - Charting reference documentation: http://www.splunk.com/base/Documentation/latest/Developer/AdvancedCharting and http://www.splunk.com/base/Documentation/latest/Developer/ChartReference
    - Splunk community Q&A site: http://answers.splunk.com
    - Edward Tufte, "Father of data visualization": http://www.edwardtufte.com
    - Blogs for inspiration: http://infosthetics.com and http://smashingmagazine.com
    - Demo material: http://blogs.splunk.com/author/johnvey/
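The transforming commands from the "Build it" slides (timechart, top, ctable) and the charting properties from the "Polish" slides combined into one Simple XML dashboard, as an added example that is not taken from the deck. It assumes the Splunk 4.x Simple XML elements `<searchString>`, `<earliestTime>`, `<latestTime>` and `<table>` for inline searches, and the `charting.chart` property to select the chart type; the searches run over Splunk's own `_internal` web access log, as the slides do.

```xml
<dashboard>
  <label>Web access health</label>
  <row>
    <!-- Status share per hour: a 100% stacked area shows the error share, not raw volume,
         so a spike in 4xx/5xx stands out even when traffic volume changes -->
    <chart>
      <title>HTTP status share per hour</title>
      <searchString>index=_internal source="*access.log" | timechart span=1h count by status useother=f</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">area</option>
      <option name="charting.AreaChart.stackMode">stacked100</option>
      <option name="charting.legend.placement">top</option>
      <option name="charting.legend.labelStyle.maximumWidth">500</option>
    </chart>
    <!-- Column chart fed by "top": the ten most requested paths with their counts -->
    <chart>
      <title>Top requested paths (24h)</title>
      <searchString>index=_internal source="*access.log" | top limit=10 uri_path | fields uri_path count</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">column</option>
      <option name="charting.seriesColors">[0x4A90D9]</option>
    </chart>
  </row>
  <row>
    <!-- Contingency table of client IP against HTTP status; rendered as a table, not a chart,
         because exact counts per cell are what a reader wants here -->
    <table>
      <title>Clients by HTTP status</title>
      <searchString>index=_internal source="*access.log" | ctable clientip status maxcols=10 maxrows=10</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</dashboard>
```

Save it as `$SPLUNK_HOME/etc/apps/<APP_NAME>/default/data/ui/views/<NAME>.xml` (the `.xml` extension is an assumption; the deck's own Custom CSS slide lists the same directory) and open it from the app's view list.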