Dashboards & Visualizations

Heatmap in Dashboard

kmattern
Builder

I have a data table panel on a dashboard withthe following search:

sourcetype="PubsCounts-too_small" * |fields account received, authorized, Difference |eval Difference= (authorized-received) | chart values(Difference) as Difference by account

It displays well except that I would like to have a heatmap on the difference column. If I view the results, I can use the heatmap to great effect.

How can I use a heatmap in this search on the dashboard? BTW: It is an inline search.

Tags (1)
1 Solution

sideview
SplunkTrust
SplunkTrust

The simplified XML dashboards dont have this ability - you cant do it from the editing UI that you see, nor from editing the simplified XML source.

However the entire simplified XML is just a shortcut layer to the advanced XML syntax. And in the advanced xml this is relatively easy to do.

Converting from the simplified XML to the advanced XML is briefly discussed on this page http://www.splunk.com/base/Documentation/latest/Developer/AdvancedDashboard

however here are the individual steps spelled out:

  1. load your working (simplified XML) view in the browser
  2. tack ?showsource=1 onto the end of the URL
  3. you'll be in a weird page. scroll down. you'll see a huge textarea field full of XML. Copy it into your clipboard
  4. back to your working view.
  5. Actions > edit dashboard
  6. click the little blue link 'Edit name/xml'.
  7. in the form that loads, paste the big nasty advanced xml in there.

converting from a simplified dashboard brings a bunch of weird cruft into the advanced world, but it'll work fine.

Once its converted, getting your heatmap is simply a matter of: finding this line:

<module name="SimpleResultsTable">

and inside that module, ie right under that line, put

  <param name="dataOverlayMode">heatmap</param>

View solution in original post

khourihan_splun
Splunk Employee
Splunk Employee

In Splunk 6.x, you can just edit the dashboard panels and click on the paintbrush icon and select the "heat map" data overlay.

email2vamsi
Explorer

Are you referring to the paintbrush icon on the Table header? or some other place?

0 Karma

sideview
SplunkTrust
SplunkTrust

The simplified XML dashboards dont have this ability - you cant do it from the editing UI that you see, nor from editing the simplified XML source.

However the entire simplified XML is just a shortcut layer to the advanced XML syntax. And in the advanced xml this is relatively easy to do.

Converting from the simplified XML to the advanced XML is briefly discussed on this page http://www.splunk.com/base/Documentation/latest/Developer/AdvancedDashboard

however here are the individual steps spelled out:

  1. load your working (simplified XML) view in the browser
  2. tack ?showsource=1 onto the end of the URL
  3. you'll be in a weird page. scroll down. you'll see a huge textarea field full of XML. Copy it into your clipboard
  4. back to your working view.
  5. Actions > edit dashboard
  6. click the little blue link 'Edit name/xml'.
  7. in the form that loads, paste the big nasty advanced xml in there.

converting from a simplified dashboard brings a bunch of weird cruft into the advanced world, but it'll work fine.

Once its converted, getting your heatmap is simply a matter of: finding this line:

<module name="SimpleResultsTable">

and inside that module, ie right under that line, put

  <param name="dataOverlayMode">heatmap</param>

sideview
SplunkTrust
SplunkTrust

I see. 😃 Well honestly the path of least resistance is probably to install a copy of 4.1 on your laptop briefly, copy over the simplified XML view, and use its showsource=1 to do the conversion and then copy the result back to your instance.

kmattern
Builder

Nick,

I'm using 4.0.10 at present and showsource does not give me any XML. What other options do I have to either generate advanced XML or to get the heatmap some other way?

Ken

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...