  • Welcome!
  • Intro
  • There are 5 main steps you generally go through before you can have a meaningful and pleasing chart. Today we’re going to cover all 5 steps in Splunk. But before that, can you answer the obvious question…
  • Do you actually have a reason for making a chart? What is the desired outcome?
    -- want some business intelligence?
    -- need to monitor something?
    -- or just for the hell of it?
    If you don’t know…
  • Might I suggest
    -- can make lots of different charts
    -- can share them with friends
    -- can use pretty colors
    At least have a purpose in mind.
  • Step 1: do your prep work.
    -- due diligence
    -- mise en place
    The right questions can make your charting easier.
  • Question #1: what data do you have at your disposal?
    -- Splunk can index anything
    -- any text, stream, file, packet, script
    Who owns the data? Are you going to have to ask permission?
  • Question #2: Who is going to read it?
    -- Consider your audience when picking data to display.
    -- Technical staff generally want detailed information.
    -- Your boss may not.
    What is the reader going to do with it?
    -- make business decisions
    -- incident response
    -- feel good
    -- look at pretty pictures
    -- be able to assign blame
    There was a story about a potential customer who was so excited about Splunk that he threw everything at it. Then he tried to discover who was to blame for a current production problem. Found out it was his friend. Radio silence. Splunk was that good.
  • Think about what format you want. More importantly, what will the caption be? You may end up a slave to a less than desirable format if you just wing it. This chart (the one of which General Stanley McChrystal declared, at a briefing in Kabul last summer, "When we understand that slide, we'll have won the war") does not reflect well upon you.
  • One way to visualize is to think about the big picture first.
  • This is an example VP-level dashboard built entirely in Splunk
    * 60-day period
    * Shows medium-term trending; influences business decisions
    * dashboard.html template
    * custom view-specific CSS
    * HiddenSavedSearch module
    * HiddenChartFormatter module
    * SingleValue module
  • This is a real-time dashboard intended for a NOC situation
    -- everything is on a 30-second window
    -- shows info that people may need to react to quickly
    I’ll cover both of those examples later in the talk.
  • Note that both previous examples used tables!
    -- “visualization” doesn’t really just mean charts
    -- tables can be far more efficient at displaying certain kinds of data than charts
  • Even simpler are single numeric values
    -- Apple’s Q2 revenue for example
    -- if context is well known, there’s no need to complicate matters with “chartjunk”
  • OK, so on to charts. These are all native chart types that Splunk can render. I’ll be brief; I want to highlight how you match chart types to data. The column chart:
    -- great for inspecting discrete data
    -- can easily compare single value series on common axis
    -- identify trends
  • The line chart:
    -- great for comparing multiple series
    -- compare on similar Y-axis
  • Split line chart:
    -- variant of the line series
    -- great for when trending of individual series is wildly different
  • The area chart:
    -- use to track multiple series in relationship to each other
    -- in 100% form, very quickly see proportional changes over time
  • The pie chart: do not use.
    -- cannot compare 2 slices together easily
    -- no common point of reference
    -- cannot determine distribution
  • A column chart lets you actually see the data on comparable terms
    -- ‘Georgian’ is more than half the value of ‘Hawaiian’
    -- “The only worse design than a pie chart is several of them.” – Edward Tufte
    You can see the trend among data (in this case it’s exponential). Why is trending important?
  • Example:
    -- in basic medical triage you must always record vitals over time
    -- walking into the ER and only saying your pulse is 90 is useless
    -- you need to know if it’s rising or falling, or stable
    So what are you trending over? Well, Splunk likes time…
  • We’re going to focus on time-based ranges and the main modes of trending. Real-time:
    -- still one of the coolest things about Splunk
    -- even if you know nothing about the data, it’s still cool to see stuff come in real-time
    What is it good for?
    -- things that require immediate response
    -- when you only need to see at most an hour of content; 30 seconds is also useful
    Examples:
    -- network operations
    -- security operations
    -- just-in-time operations
  • The flip side is historical; what people typically expect.
    What is it good for?
    -- making business decisions based on data
    -- 7- and 30-day moving trends
    Examples:
    -- infrastructure planning
    -- bandwidth usage
    -- peak/off-peak tracking
  • Finally! We cover the tools in Splunk that can make effective charts.
  • How many people are familiar with the report builder? The standard report builder is accessible from the search interface
    -- you can start charting searches that are still in flight
    -- easy dropdown-based chart building
    -- handles simple cases
  • How many people are familiar with the advanced charting view? Advanced charting is where most of us like to chart
    -- direct access to the search language
    -- tabular view below
    -- has common set of charting controls
  • The search language is inspired by the UNIX command line
    -- typically the first command is assumed to be the ‘search’ command
    -- any number of commands can be chained together
    -- there are over 100 search commands that come with Splunk
    How many people are familiar with the search language? Novice? Intermediate? Advanced? There were a bunch of sessions on the search language (check your preso material if you didn’t attend). I’ll go through some of the workhorse commands used to generate charts…
  • Splunk search results are nothing more than a big table of data
    -- the event text is copied into the ‘_raw’ field
    -- it’s just another field in the result set
    -- if you understand this, you will grasp the search language easily
    -- the UI depends on underscore fields (which are not displayed)
    Knowing that this is just a table, you can use the search language to transform the results any which way you want
  • This is the heavy hitter among IT ops commands: timechart
    -- shows you over time what something is doing
    -- can take any of the stats functions and generate multiple series
    -- can control the granularity of the bucketing
  • Here is an example of the timechart command that looks at Splunk internal components over time
    -- uses automatic defaults to determine sensible time buckets
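An added example (not from the talk) of the two knobs the notes mention, bucket granularity and series control, run against Splunk's own splunkd.log; `component` and `log_level` are the standard field extractions for that sourcetype, and the 24-hour range is an assumption:

```spl
index=_internal sourcetype=splunkd earliest=-24h
| timechart count by component

index=_internal sourcetype=splunkd log_level=ERROR earliest=-24h
| timechart span=15m count by component limit=10 useother=t usenull=f
```

The first search lets timechart choose its own span; the second fixes 15-minute buckets, keeps the ten busiest components as separate series and folds the rest into OTHER, which keeps the legend readable on a dashboard.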
  • The ‘top’ command does what it sounds like
    -- displays the top values of any field in your results
    -- can do top n combinations
    -- can specify how many ordered items to return
  • Display is great when paired with a bar chart, or column
    -- please don’t use pie charts (will cover that in a bit)
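Two added searches (not the talk's own) showing single-field top and top-n combinations; they assume an `access_combined` sourcetype with the usual `clientip` and `http_status` fields and a seven-day window:

```spl
sourcetype=access_combined earliest=-7d
| top limit=10 countfield=hits showperc=f clientip

sourcetype=access_combined earliest=-7d
| top limit=10 clientip, http_status
```

The first returns the ten busiest client addresses with the count column renamed to `hits` and no percentage column; the second tallies the ten most frequent address/status pairs, which is the combination form the notes refer to.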
  • This is the generic version of timechart: the chart command
    -- behind the scenes, this powers ‘timechart’
    -- in essence, plots some function of field A by field B
    -- like ‘timechart’, you can actually invoke eval() inside it
  • This example shows the average bytes transferred over a time period split by client IP addresses
    -- this is over every piece of data that Splunk knows about
    -- you can restrict by time window by just setting the time range
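An added search (not from the talk) that reproduces the average-bytes-by-client example with the eval() form the notes mention, restricted to a 24-hour window instead of all data; it assumes an `access_combined` sourcetype with `bytes` and `clientip` extracted:

```spl
sourcetype=access_combined earliest=-24h
| chart eval(avg(bytes)/1024) as avg_kb by clientip
| sort - avg_kb
| head 20
```

The eval() wraps the aggregate so the series is already in kilobytes when it reaches the chart, and the sort/head pair keeps a column chart to the twenty heaviest clients rather than one bar per address.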
  • The contingency table is not a graphical command, but is equally as powerful
    -- contingency is used very often in statistical analysis: determine if variable X really has an effect on measured property Y
    -- essentially is a counter: will tally combinations of X/Y
  • Note that the Y is ‘clientip’ and X is ‘http_status’; the numbers in the middle of the table simply show the number of occurrences
    -- you can then apply the heatmap decorator to visually differentiate hotspots
  • There are lots of other commands that can manipulate the data any which way you want.
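An added search (not the talk's own) that builds the table described above, with rows keyed by `clientip` and columns by `http_status`; the field names come from the notes and are assumed to be extracted from an `access_combined` sourcetype, and the row/column caps are an assumption to keep the table readable:

```spl
sourcetype=access_combined earliest=-24h
| contingency maxrows=20 maxcols=10 clientip http_status
```

The first field named becomes the row axis and the second the column axis; each cell is the count of events carrying that pair of values, which is exactly the counter the notes describe.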
  • Let Splunk do your dirty work
    -- automation can alleviate much of the manual labor
    -- no reason to always check Splunk when it can email you
  • Scheduling a saved search is the best practice
    -- defer work to off-peak hours
    -- allow multiple users to share results
    -- have Splunk alert you when certain conditions are met
    -- receive results via email, RSS
    Plug: customizing and using scripted alerts. Plug: monitoring with Splunk.
  • Assembling multiple saved searches on a dashboard is great for overviews
    -- use simple dashboard creator
    -- takes existing saved searches and lets you arrange them onto a dashboard
    -- don’t cram a ton of searches onto a dashboard: use multiple dashboards!
  • The main areas of presentation-layer customizations fall into:
    -- view-level CSS: full access to override any CSS rules
    -- chart-level properties: each chart can have its own formatting
  • This is the before picture:
    -- default CSS
    -- default charting properties
    -- uses the standard panels
    -- uses standard singleValue modules
    -- uses default charting properties: note the axis labels, legend, colors, etc.
  • You can have as many different CSS files as you like on a per-app basis
    -- each view can reference any CSS file that is available in its app
    -- not going to cover CSS customization here; plenty of online resources
    -- recommend Firebug+Firefox or Chrome+Web Inspector
  • After:
    -- this is simple CSS and charting properties applied
    -- no other structural changes involved
    Source is available online.
  • There are many different properties you can adjust on a per-chart basis
    -- these are set in XML configuration
    -- each property name is hierarchical
    -- dots are used to denote hierarchy
  • * Add link to advanced XML
  • Promote usability sessions! We’re hiring
