How to get this feature into chart from snort statistics dashboard?

wuming79
Path Finder

Hi,

May I know what the circled field is called? How can I add this to my report in the dashboard?

0 Karma

niketn
Legend

Following are a couple of options with Simple XML.

Option 1
You can display the time when the panel was loaded with a timestamp; refer to the following example. Relative elapsed time is not displayed (if you are fine with hovering over the panel to see the same, which is built in by default).

  <row>
    <panel>
      <html>
        <style>
          div.load-time-right{
            text-align:right;
          }
        </style>
        <div class="load-time-right">Loaded at: $tokLoadTimeEpoch$</div>
      </html>
      <chart>
        <title>Pie Chart</title>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <!-- Runs when the chart search completes: store the formatted load time -->
            <eval token="tokLoadTimeEpoch">strftime(now(),"%c")</eval>
          </done>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>

Option 2
For computing the elapsed time you would need an event to be fired which would compare the current time with the panel load time printed above. This is already built in to Splunk with mouse hover (which displays the elapsed time since the panel was loaded, towards the bottom right). If not an event, you might have to consider a search query which refreshes itself periodically. Following is a run-anywhere search which should work in Splunk 6.5 onward. I have used a hidden Single Value panel that refreshes every 30 sec to compute the relative elapsed time compared to the panel load time.

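  <!-- Hidden row: the alwaysHideSingleValuePanel token is never set, so the panel stays hidden while its search still runs -->
  <row depends="$alwaysHideSingleValuePanel$">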
    <panel>
      <single>
        <search>
          <query>| makeresults
          | eval _time=$tokLoadTimeEpoch$
          | reltime
          | eval Time=strftime(_time,"%+")</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
          <done>
            <set token="tokLoadTimeRelative">$result.reltime$</set>
            <set token="tokLoadTimeString">$result.Time$</set>
          </done>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <style>
          div.load-time-right{
            text-align:right;
          }
        </style>
        <div class="load-time-right">Panel Loaded on: $tokLoadTimeString$ ( $tokLoadTimeRelative$ )</div>
      </html>
      <chart>
        <title>Pie Chart</title>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <done>
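            <!-- Runs when the chart search completes: store the load time as epoch seconds for the hidden panel -->
            <eval token="tokLoadTimeEpoch">now()</eval>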
          </done>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
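
An added example, not part of the original thread: a Simple XML JavaScript extension that keeps `$tokLoadTimeRelative$` from Option 2 current with a browser timer instead of a search that re-runs every 30 seconds. It assumes the file is saved in the app's `appserver/static` folder under the hypothetical name `elapsed_time.js`, loaded with `script="elapsed_time.js"` on the dashboard's root element, and that `<refresh>` and `<refreshType>` are removed from the hidden panel; the wording it produces is its own and may differ from the output of `reltime`.

```javascript
'use strict';

// Largest unit first, so the first unit that fits is the one reported.
var UNITS = [['day', 86400], ['hour', 3600], ['minute', 60], ['second', 1]];

// Pure helper: age of loadEpoch relative to nowEpoch, both in epoch seconds.
function relTime(loadEpoch, nowEpoch) {
  // Token not set yet: show nothing rather than a bogus age.
  if (loadEpoch === undefined || loadEpoch === null || loadEpoch === '') { return ''; }
  var diff = Math.floor(Number(nowEpoch) - Number(loadEpoch));
  if (!isFinite(diff)) { return ''; }   // non-numeric token value
  if (diff <= 0) { return 'now'; }      // same second, or clock skew
  for (var i = 0; i < UNITS.length; i++) {
    var n = Math.floor(diff / UNITS[i][1]);
    if (n >= 1) {
      return n + ' ' + UNITS[i][0] + (n === 1 ? '' : 's') + ' ago';
    }
  }
  return 'now';
}

// Splunk wiring: only runs in the browser, where RequireJS and SplunkJS exist.
if (typeof window !== 'undefined' && typeof require === 'function') {
  require(['splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!'], function (mvc) {
    // Assumption: writing to both token models keeps the HTML panel in sync.
    var models = [mvc.Components.get('default'), mvc.Components.get('submitted')];

    function tick() {
      var loaded = models[0].get('tokLoadTimeEpoch');
      var text = relTime(loaded, Date.now() / 1000);
      models.forEach(function (m) {
        if (m) { m.set('tokLoadTimeRelative', text); }
      });
    }

    // Recompute when the chart search sets a new load time, then every 30 s.
    models[0].on('change:tokLoadTimeEpoch', tick);
    setInterval(tick, 30000);
    tick();
  });
}
```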

wuming79
Path Finder

Thanks nikenilay!!!

0 Karma

niketn
Legend

@wuming79, this feature is built in to Splunk on mouse hover over the panels. However, the position of the panel load time is towards the bottom right in the latest Simple XML. If you want the same on the top right, you might have to use Splunk JS Stack: http://docs.splunk.com/DocumentationStatic/WebFramework/1.4/compref_wrapper.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

wuming79
Path Finder

Hi, how do I actually instantiate a Chart element wrapper in an HTML dashboard? How do I get into html dashboard mode?

0 Karma

niketn
Legend

You can do this with Simple XML as well as HTML Dashboard. However, you would need to be aware of Splunk Web Framework (documentation link provided above).

In case you want to achieve something similar without using Splunk Web Framework, you can use an HTML panel with CSS styling to achieve something similar. I will try to post an example later today, when I get a chance (unless someone beats me to it :))

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

wuming79
Path Finder

I found this. http://dev.splunk.com/view/webframework-developapps/SP-CAAAEM2
So...to go to html dashboard, I need to select edit from the dashboard I want to edit and select convert HTML?

0 Karma

niketn
Legend

Yes, you can Convert to HTML; however, you should know the pros and cons of using an HTML dashboard and make your decision based on your comfort level. By the way, the elapsed time display, whether built in to Simple XML or HTML or through Web Framework, will be displayed only on mouse hover. You would still need to make further JavaScript changes to always display the elapsed time. I have added the option to achieve the same using Simple XML. Please see if it fits your need. The overhead of showing elapsed time without user intervention (like mouse hover) would be that a refresh (periodic query) is required. Please check out the run-anywhere dashboards.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma