Hi Daniel, 1b metrics per second sounds a lot higher than most use cases I've seen so far, and would require a significant investment into indexers. It would be helpful if you could shed a bit more light on your use case and collectd set-up (collection frequency etc) to also look at some of your alternatives and options.
Splunk acts as both server and backend in this instance. In 7.0, you would send metrics directly to Splunk, without summarizing with a statsd server first.
Alternatively, you can configure a custom sourcetype to parse the graphite plaintext protocol. This would allow you to use the same configuration, having the statsd server send summarized metrics to Splunk. This is described as an example for custom source types in http://docs.splunk.com/Documentation/Splunk/7.0.0/Metrics/GetMetricsInOther#Example_of_configuring_field_extraction
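As an added example (not part of the original answer, and not Splunk's own code), a small Python parser for the graphite plaintext protocol that maps each line onto the metric_name, _value and _time fields a custom sourcetype extraction would produce, and shapes the result as an HTTP Event Collector metrics payload. The dimension naming scheme (leading path segments labelled collector and host) and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
# Graphite plaintext line: "<metric.path> <value> <unix_timestamp>". The regex
# plays the role of the field extraction a custom sourcetype would configure.
GRAPHITE_RE = re.compile(
    r"^(?P<path>[A-Za-z0-9_.:\-]+)\s+"
    r"(?P<value>-?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?)\s+"
    r"(?P<timestamp>\d{1,10})\s*$"
)

@dataclass
class MetricEvent:
    metric_name: str
    value: float
    time: int
    dimensions: dict = field(default_factory=dict)

def parse_graphite_line(line, dimension_names=()):
    """Map one graphite line onto Splunk metric fields (metric_name, _value, _time).
    dimension_names is an assumed naming convention labelling the leading path
    segments: ["collector", "host"] turns "collectd.web01.cpu.0.idle" into
    collector=collectd, host=web01, metric_name=cpu.0.idle. Malformed -> None."""
    m = GRAPHITE_RE.match(line)
    if not m:
        return None
    segments = m.group("path").split(".")
    if len(segments) <= len(dimension_names):
        return None  # nothing would be left for the metric name itself
    dims = dict(zip(dimension_names, segments))
    metric_name = ".".join(segments[len(dimension_names):])
    return MetricEvent(metric_name, float(m.group("value")), int(m.group("timestamp")), dims)

def to_hec_metric(ev, default_host="graphite-relay"):
    """Shape the event as a Splunk HTTP Event Collector metrics payload
    ("event": "metric", metric_name and _value under "fields")."""
    return {"time": ev.time, "event": "metric",
            "host": ev.dimensions.get("host", default_host),
            "fields": {"metric_name": ev.metric_name, "_value": ev.value, **ev.dimensions}}

def parse_batch(text, dimension_names=()):
    """Parse a whole graphite payload; returns (events, dropped_line_count)."""
    events, dropped = [], 0
    for raw in filter(str.strip, text.splitlines()):
        ev = parse_graphite_line(raw, dimension_names)
        if ev is None:
            dropped += 1  # count rather than silently swallow malformed input
        else:
            events.append(ev)
    return events, dropped

# Constructed sample of what a collectd/statsd graphite writer would send.
SAMPLE = "collectd.web01.cpu.0.idle 98.5 1509000000\ncollectd.web01.load.shortterm 0.12 1509000000\nnot a metric line\n"
```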
Try using the limit parameter:
source="tem.log" sourcetype="Temp"
| timechart avg(Duration) by WorkName limit=200 useother=f
That should give you 200 separate series. One thing to consider is that there's a limit of 100 series visualized at once in a line/area chart. One way around this is to use the Trellis function if you use Splunk 6.6. That would create a separate graph for each of the 200 series that you can page through.
If you want to go down the dropdown route I'd recommend setting up a dashboard that has:
- a dropdown form input (e.g. populated by source="tem.log" sourcetype="Temp" | stats count by WorkName )
- a visualization where you use the token from the form input to filter the visualization, like so:
source="tem.log" sourcetype="Temp"
| where WorkName="$WorknameTokenFromFormInput$"
| timechart avg(Duration) by WorkName
If you are running Splunk 6.4 or higher, you can use the Location Tracker app, which is a supported Custom Visualization. After you install the app, you can select it in the visualization picker along with other installed visualizations.
The query above is logically correct but seems to have a typo; here's the corrected query:
sourcetype=vendor_sales VendorID < 4000 | chart count by VendorStateProvince | geom geo_us_states featureIdField=VendorStateProvince
It uses featureIdField instead of featuredField.
If you refer to this visualization, that's an app built by a Splunk employee in his spare time and not an officially supported app. Your best guess is to contact him directly. I'll make sure to point him to this question.
As for browser compatibility, Splunk lists supported browsers in the documentation for each release. IE10 has not been supported since version 6.4.
I recently updated the app to work with Splunk 6.5. It’s available on Splunkbase https://splunkbase.splunk.com/app/2893. Would you be able to review if it works for you now?
Hi everyone, we don't have an ETA for this yet, but feel free to send me an email, so I can let you know when an update is in the works.
Without testing it, I think you don't need the by MarketName in the end, since the clustering is already done through the lat/lon combination.
I'm also not sure if two aggregations would work here. Try with one first, and see if it works. Then add the second:
... | lookup country_lookup Country as MarketName OUTPUT Latitude,Longitude | geostats latfield=Latitude longfield=Longitude values(NewAccounts)
We don't currently support feature IDs from tag attributes. Your best bet is probably to do a manual Regex search & replace directly in the XML.
Something like this:
Search: <Placemark id="(ID_[0-9]+)">
Replace: <Placemark><name>$1</name>
Hacky, but should do the trick.
Since the ID is inside the name tag, Splunk will pick it up automatically and you won't even have to set the feature_id_element for the KMZ.
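As an added example, not part of the original answer: the regex search-and-replace above expressed in Python, next to an XML-aware version that performs the same promotion of the Placemark id into a <name> element but skips Placemarks that already have a name (the regex version gives those a second <name>, which is worth checking for before you load the file). The sample KML is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"
ET.register_namespace("", KML_NS)  # keep the default namespace unprefixed on output

# Constructed sample KML; the ID_ prefix follows the pattern in the answer above.
SAMPLE_KML = """<kml xmlns="http://www.opengis.net/kml/2.2"><Document>
<Placemark id="ID_00001"><Polygon/></Placemark>
<Placemark id="ID_00002"><name>Already named</name><Polygon/></Placemark>
<Placemark><name>No id</name><Polygon/></Placemark>
</Document></kml>"""

def regex_rewrite(kml_text):
    """The search-and-replace from the answer above as one re.sub. Note that it
    also fires on Placemarks that already have a <name>, leaving them with two."""
    return re.sub(r'<Placemark id="(ID_[0-9]+)">', r"<Placemark><name>\1</name>", kml_text)

def promote_ids_to_names(kml_text):
    """XML-aware alternative: move each Placemark's id attribute into a <name>
    child (which the geo lookup picks up as the feature id), but leave Placemarks
    that already carry a <name> untouched. Returns (rewritten_kml, changed_count)."""
    root = ET.fromstring(kml_text)
    changed = 0
    for pm in root.iter(f"{{{KML_NS}}}Placemark"):
        pm_id = pm.get("id")
        if pm_id is None or pm.find(f"{{{KML_NS}}}name") is not None:
            continue
        name = ET.Element(f"{{{KML_NS}}}name")
        name.text = pm_id
        pm.insert(0, name)      # <name> first, as in the regex replacement
        del pm.attrib["id"]     # the regex version drops the attribute too
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed

def placemark_names(kml_text):
    """First <name> text of every Placemark, in document order (None if absent)."""
    root = ET.fromstring(kml_text)
    return [pm.findtext(f"{{{KML_NS}}}name") for pm in root.iter(f"{{{KML_NS}}}Placemark")]
```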
In order for custom visualizations to be available throughout Splunk, you have to set visibility/permissions to "global". In order to do this, select "Permissions" in the App Management menu and change the permissions to "All apps".
Alternatively, there is a standalone app, provided by a member of the Splunk community, which has more features than the one included in the Dashboard Examples app: https://splunkbase.splunk.com/app/3212/
Question 1 (Single Value)
At this moment it's not possible to dynamically create Single Value visualizations (or dashboard panels in general). You'll have to manually create a Single Value for each row, adjusting the query for each. You could do that with a query like so:
| inputlookup your_lookup.csv | streamstats count as row_number | where row_number = 1 | fields - row_number
| inputlookup your_lookup.csv | streamstats count as row_number | where row_number = 2 | fields - row_number
| inputlookup your_lookup.csv | streamstats count as row_number | where row_number = 3 | fields - row_number
etc.
Question 2 (Dashboard tabs)
Create your own app with any resources you need (as opposed to using the Search & Reporting app). In your app you can create a $SPLUNK_HOME/etc/apps/your_app_name/default/data/ui/nav/default.xml file, as described in http://dev.splunk.com/view/webframework-developapps/SP-CAAAEP9
Unfortunately that's not possible in the current version. The layout is determined automatically.
It's hard to see in the screenshot what you are using the Sankey Chart for. Could you elaborate on your use case? This could make it into a future update.
Splunk 6.3 introduced Choropleth maps, which produce a map similar to the one shown above. See the Splunk user documentation or this blog post for more details.
That seems right providing that other geoshapes are permissioned to be seen by all users.
Try the reverse: log in as another user (not admin) and see if you can see the lookup you created.
You're on the right track.
Again, instead of using stats and geom it will be enough for you to do this:
sourcetype=earthquakes
| lookup geo_SchoolCompound latitude longitude OUTPUT featureId
| search featureId=*
This filters out any event not in the geofence.
Thanks! Glad you liked it!
The lookup file creates a .kmz file. You can open it with GIS apps like Google Earth to review the coordinates.
As far as performance goes, the lookup is fairly performant and shouldn't pose much of a burden on your resources, contingent upon the magnitude of events of course.
Assuming the lookup you chose is called geo_my_shapes , the search for geofence looks something like this:
...
| lookup geo_my_shapes latitude longitude OUTPUT SchoolCompound
| search SchoolCompound=*
If the result is not empty (> 1 line) that means the geofence "fired", and at least 1 event was within the fenced area. You could then trigger an alert based on that exact search.
Based on your comment, it looks like Splunk doesn't parse the latitude correctly where you have a + in your field. Try the following query, which strips away the +:
... | rex field=DeviceLocation "\+?(?<latitude>[0-9.-]*)/\+?(?<longitude>[0-9.-]*)" | geostats latfield=latitude longfield=longitude count