Splunk app for unix and linux change in functional design.

Lucas_K
Motivator

I'm not really sure where to put this as there really isn't any publicly viewable feedback on apps anymore (is a public discussion about a Splunk-supported app inappropriate for answers.spk?)

We've been playing with the v5.0 version of this app and it seems as if the entire direction of what the app was designed for has changed. From an originally Unix sysadmin focus to a higher-level 'overview' audience?

Perhaps it's just the change in the way that the data is displayed (dots vs stock line timechart) but it seems that it's actually made it harder to understand what is going on. You can see what is broken at a glance if you've used the colors but it's hard to make direct comparisons between machines within your categories/groups.

Screencap for comparison: http://i.imgur.com/GWWynSB.png

I can understand that quite a few of the dashboard options have just been combined into dropdowns (which is good for reducing the number of overall dashboards). I'm pretty sure this could have been done to the v4 version also.

Just wondering what other system admins think of this change.

As it stands I can't see our clients wanting to replace the v4 version entirely with this as functionality is lost. Instead I can envision some sort of hybrid mix of the two.

1 Solution

araitz
Splunk Employee

As detailed here, the new *nix app was designed to do the following:

  • Emphasize outliers and exceeded thresholds
  • Improve workflows for investigation
  • Provide actionable indicators
  • Provide basic asset categorization

These goals were based on feedback from users received both before and during development. Your feedback is valuable, too, and we really appreciate it. It is always a risk to try something different, and we had the feeling that not everyone would like it.

When you say things like "functionality is lost", it would help us if you could be more specific or provide more examples. Feel free to email me if you would rather provide more detailed feedback that way.

Let's take your example of the bubble grid versus the traditional line chart. In the bubble grid, there are multiple facets (color and shape) that can be used to distinguish what is going on with your *nix systems. In the screenshot attached, you can clearly see values that are elevated compared to other lanes (outliers) as well as elevated compared to their own lanes (trends).

I am of course biased, but truthfully I have always had a hard time finding anything but the most obvious trends in line charts. I'm color blind and have poor spatial orientation, so I like the simplicity of the bubbles versus the overlapping, multi-colored lines.

One piece of feedback we get from users is "we like this and this, but we won't use that", or the variation "we love the radial graph, but we want to use it for something other than *nix". That's great! You should be able to re-purpose most of the widgets and visualizations if you want to.

If you want standard visualizations such as pie and line charts, check out the built-in search and reporting view in Splunk 6.0, or use the new and improved Simple XML to create your own dashboards.

routehero2
Engager

I also preferred the look and feel of the old dashboards. It would be a nice feature if there could be a 'Classic mode' in the settings, to give the traditional line charts.

I can conceptually see the value in a bubble grid, but after using line graphs of various sorts (rrd-based), it's a bit foreign to look at the bubbles and feel comfortable.

araitz
Splunk Employee

It is worth pointing out that the Unix app is just a first revision. We couldn't do everything we wanted, but we also couldn't get your feedback until we released something. If you want to see some specific interface that we didn't build, or integration with a data source that we didn't include, let us know about it!

0 Karma

araitz
Splunk Employee

Core Splunk is already very very good at handling raw data analysis. The alerts view has an "open in search" call to action, and there is a link to the flashtimeline view in navigation. Pivot should give Splunk Enterprise 6 users another great interface for root cause analysis.

The app is written using the module system, and thus it is pretty easy to (for example) add a drilldown from the red dot to the search or pivot page, or otherwise customize it. Let me know if we can assist you with that.

0 Karma

yoho
Contributor

If I read the comments (especially from jcoates_splunk), some work has been done under the hood to improve the app but the problem is the UI doesn't take advantage of it. It also doesn't take advantage of all the scripts which can be run by the unix app.

Yes there may be people interested in getting a red circle or receiving an alert when CPU is above 90% but I really don't believe you need Splunk for this, any basic monitoring software can do it.

Visualizing your data is nice but being able to drilldown and find the root cause is even more essential. That's what I believe is missing in the new unix app.

0 Karma

jcoates_splunk
Splunk Employee

Hi, I'd just like to second araitz's comments regarding pivot -- the app's data is fully CIM compliant now, so you don't even have to build a data model; just download this: http://apps.splunk.com/app/1621

0 Karma

araitz
Splunk Employee

I'm the more rare blue-yellow color blind, but luckily I am just the guy in charge of development and not design/UX. Another idea would be to create data models in Splunk 6.0 and then use the new pivot view for visualizations, filtering, etc.

0 Karma

Lucas_K
Motivator

Thanks for that.

I think it's going to be up to my managers if they think they are looking for this type of display for a slightly different purpose to what they originally wanted.

We'd actually just implemented our own categorisation (at a customer request) within the v4 app based on metadata and eventtypes and then I saw that v5 had come out that very day just as I finished.

The color blind comment surprised me seeing your demo screenshots show red/green dots (I don't know what sort of color blind you are so might not be an issue). Perhaps those can be changed to shapes also.

0 Karma