Making Pretty Charts in Splunk

Splunk Users' Conference 2010 session: how to effectively use Splunk to create compelling charts

Published in: Technology

  1. Building pretty charts
  2. Johnvey Hwang, Splunk Inc.
  3. Agenda
     - Prep
     - Visualize
     - Build it
     - Automate
     - Polish
  4. Q: Why are you making a chart? (COMM153: Business Graphics, Fall 2010, Midterm exam)
  5. GraphJam.com
  6. Step 1: Prep
  7. What data is available?
  8. Who is going to read it?
  10. Decision. Step 2: Visualize
  12. Finished NOC dashboard
  13. Tables are sexy.
  14. Q2 Revenue $17.5B. So are numbers.
  15. Column chart
  16. Line chart
  17. Line chart (split)
  18. Area chart (100% stacked)
  19. Pie charts suck. Is ‘Georgian’ half or a third of ‘Hawaiian’? Is this linear, geometric, or exponential?
  20. Pie chart remedy
  21. Trending is better. Pulse = 90 vs.
  22. Time range: real-time
      - Requires immediate response
      - 30 second – 1 hour window
  23. Time range: historical
      - Multiple day – month window
      - Time to respond is in weeks or months
  24. Step 3: Build it
  25. Report builder
  26. Advanced charting view: see the search box and the chart on one page
  27. Search language: overview
      - index=main error datacenter=SFO | timechart avg(bytes) by host
      - event search clause: index=main error datacenter=SFO
      - transforming clause: timechart avg(bytes) by host
      - Over 100 search commands…
  28. The dataset

      | _time | _raw | host | field1 |
      |---|---|---|---|
      | 18283495832 | 2010-08-10 08:52:01 ERROR: something went wrong on server | Prod_apache_1 | ERROR |
      | 18383827123 | 2010-08-10 08:52:01 INFO: redirect to a better page | Prod_apache_2 | INFO |

  29. Search language: timechart
      - … | timechart span=1h count ("count the number of events per hour")
      - … | timechart avg(delay) by host ("calculate the average delay and track each host separately")
      - … | timechart avg(delay) min(delay) max(delay) ("calculate the average, minimum, and maximum delays per auto-bucket")
  30. Search language: timechart
      - index=_internal | timechart count by group
  31. Search language: top
      - … | top limit=50 users ("list the top 50 users")
      - … | top major_version, minor_version ("list the top (10) combinations of major and minor versions")
      - … | top source by host ("list the top sources grouped by most frequent host")
  32. Search language: top
      - index=_internal source="*access.log" | top uri_path | fields uri_path count
  33. Search language: chart
      - … | chart avg(delay) by sender ("list the average delay for every sender")
      - … | chart max(bytes) over clientip by uri useother=f ("list the maximum bytes of the top ‘uri’ for every ‘clientip’")
  34. Search language: chart
      - index=_internal source="*access.log" | chart avg(bytes) by clientip
  35. Search language: ctable
      - … | ctable clientip http_status ("list every combination of ‘clientip’ and ‘http_status’ and their frequencies")
      - … | ctable clientip http_status maxcols=10 ("… restrict to a max of 10 http_status columns")
  36. Search language: ctable
      - index=_internal source="*access.log" | ctable clientip status maxcols=10 maxrows=10
  37. Search language: more
      - stats: average, min, max, stdev, distinct count, mode, variance, …
      - streamstats: calculate running statistics up to the current event
      - rangemap: bucket results into ranges like ‘low’, ‘medium’, ‘high’
      - kmeans: partition results into k-means clusters
      - trendline: calculate moving averages
      - accum: creates a new field holding the running total of any field
  38. Step 4: Automate
  39. Schedule it
      - Let Splunk run the search on your behalf
      - View results immediately
      - Avoid unnecessary server load
      - Receive automated alerts
  40. Assemble dashboards
  41. Step 5: Polish
  42. What can you change? View CSS, chart properties
  44. Custom CSS
      1. Add custom CSS files to the app: $SPLUNK_HOME/etc/apps/<APP_NAME>/appserver/static/<FOO>.css
      2. Restart splunkweb (only on first create)
      3. Add to view: <view stylesheet="FOO.css">
      4. Save to: $SPLUNK_HOME/etc/apps/<APP_NAME>/default/data/ui/views/<NAME>.css
  46. Charting properties: hundreds of different properties available
      - Common property to change tick label visibility: charting.primaryAxis.majorLabelVisibility = hide
      - Area chart type-specific series stacking mode: charting.AreaChart.stackMode = stacked100
      - Common legend label width: charting.legend.labelStyle.maximumWidth = 500
  48. Simple XML form

      <dashboard>
        <label>My dashboard</label>
        <row>
          <chart>
            <searchName>My saved report</searchName>
            <option name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</option>
            <option name="charting.legend.placement">top</option>
          </chart>
        </row>
      </dashboard>

  49. Advanced XML form

      ...
      <module name="HiddenChartFormatter">
        <param name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</param>
        <param name="charting.legend.placement">top</param>
        <module name="FlashChart" />
      </module>
      ...

  50. More help
      - Charting reference documentation: http://www.splunk.com/base/Documentation/latest/Developer/AdvancedCharting and http://www.splunk.com/base/Documentation/latest/Developer/ChartReference
      - Splunk community Q&A site: http://answers.splunk.com
      - Edward Tufte, “Father of data visualization”: http://www.edwardtufte.com
      - Blogs for inspiration: http://infosthetics.com and http://smashingmagazine.com
      - Demo material: http://blogs.splunk.com/author/johnvey/
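The following is an added example, not one of the slides and not Splunk's own code: a complete Simple XML dashboard in the form shown on slide 48 that wires the transforming commands from the "Search language" slides (timechart, top, ctable, rangemap) into a small NOC-style dashboard for web error monitoring, and applies the charting.* options from slide 46. The element names dashboard, label, row, chart, table, searchString, title, earliestTime, latestTime and option are the Splunk 4.x Simple XML vocabulary; the index name main, the sourcetype access_combined and the fields status, clientip and host are assumptions about the data, and the rangemap thresholds are constructed values to be tuned per site.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a Simple XML dashboard built from the commands on the
     "Search language" slides. Assumes index "main" holds access_combined
     events with the fields clientip, status, uri_path and host. -->
<dashboard>
  <label>NOC: web errors</label>

  <row>
    <!-- Trend panel: error responses per hour, one line per host
         (timechart span=1h count by host). -->
    <chart>
      <title>4xx/5xx responses per hour by host</title>
      <searchString>index=main sourcetype=access_combined status&gt;=400 | timechart span=1h count by host</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">line</option>
      <option name="charting.legend.placement">top</option>
      <option name="charting.legend.labelStyle.maximumWidth">500</option>
    </chart>

    <!-- Share panel: a 100% stacked area chart shows how the status code mix
         shifts over time, the "pie chart remedy" from the slides. -->
    <chart>
      <title>Status code mix per hour</title>
      <searchString>index=main sourcetype=access_combined | timechart span=1h count by status</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">area</option>
      <option name="charting.AreaChart.stackMode">stacked100</option>
      <option name="charting.seriesColors">[0x00FF00,0xFFFF00,0xFF0000]</option>
    </chart>
  </row>

  <row>
    <!-- Table panel: rangemap turns a raw 5xx count per host into a severity
         label (constructed thresholds: 0-9 low, 10-49 elevated, else severe),
         so the reader does not have to interpret the number. -->
    <table>
      <title>Server errors per host, bucketed</title>
      <searchString>index=main sourcetype=access_combined status&gt;=500 | stats count by host | rangemap field=count low=0-9 elevated=10-49 default=severe | sort - count</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
    </table>

    <!-- Table panel: the client addresses producing the most error responses
         (top limit=10 clientip, trimmed to the two columns that matter). -->
    <table>
      <title>Top clients by error responses</title>
      <searchString>index=main sourcetype=access_combined status&gt;=400 | top limit=10 clientip | fields clientip count</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>

  <row>
    <!-- Contingency table: every clientip/status combination, capped at
         10 columns and 10 rows as on slide 36. -->
    <table>
      <title>Client vs. status code</title>
      <searchString>index=main sourcetype=access_combined | ctable clientip status maxcols=10 maxrows=10</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</dashboard>
```

Saved under an app's default/data/ui/views/ directory as a .xml file, this renders as three rows of panels. Note that the comparison operator inside searchString must be written as the XML entity &gt;= rather than a literal >=, and that once the searches are scheduled (slide 39) the panels can be pointed at the saved reports with searchName instead of searchString so the dashboard does not re-run each search on every view.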