Charts

Splunk's inbuilt visualization has many types of inbuilt charts such as an area chart, a line chart, bar chart, column chart, pie chart, scatter chart, bubble chart, and so on. Inbuilt visualization can be used depending on the commands used and the type of data. Depending on the data and commands, Splunk shows the recommended type of charts, but users can choose the chart type according to their requirement and suitability to depict information.

Charts – Coloring

The general formatting options for charts are defining a legend and its positioning, custom title for x and y axis, defining the interval, min values, and max values for the charts which are present in the Format option. The chart's Format option doesn't provide users with the option to change the color of the charts and their background.

We will now see how to use custom CSS and JS and how colors of charts and their background can be customized.

Our search query is as follows:

index=* | chart count by sourcetype

The chart type used for the result of the preceding search query is a pie chart, and the output is as follows:

Charts – Coloring

Now, the XML file of the dashboard can be added with the following markup options to make the necessary changes:

  • To change the background color of the chart, the following markup option is to be added with the required color in the HTML format:
    <option name="charting.backgroundColor">#D9EFF1</option>
  • To change the foreground color, use the following line of code:
    <option name="charting.foregroundColor">#9A5E2C</option>
  • To change the font color (axis labels, legends), use the following line of code:
    <option name="charting.fontColor">#9A2C2C</option>
  • To change the color to be used in the chart, the following syntax can be used to specify the series of colors:
    <option name="charting.seriesColors"> [0xF1F815,0xC2D1E0,0xF4F797,0xFEE000,
0xFECF00,0xC69D2D,0xED8107,0xED6A07,0xF25805,0xFF9360]</option>

The following will be the output after adding the preceding code. The important point to note here is that the preceding formatting is applicable for all types of charts in the visualization section:

Charts – Coloring

Chart overlay

Splunk provides an inbuilt functionality to define a field that can be used as an overlay on charts. Chart overlays can be used to show bounds/limits in data using a line chart in a bar chart. Using chart overlays, dual axis charts can be made in Splunk. Let's understand this through an example. Our search query is as follows:

|inputcsv webserver.csv | eval _time=strptime (date, "%e-%b-%y") | table _time Visitors LoginFailure LoginSuccess

The output of the preceding search query will be a simple table having fields as time, Visitors, LoginFailure, and LoginSuccess with their respective values.

The following are the steps to enable chart overlay from the Visualizations tab of the Splunk Web console:

  1. On the top-right corner of the panel that has respective visualization in which overlay is to be added, click on the Format option (the icon with a paint brush).
  2. Navigate to the Chart Overlay section of the Option menu.
  3. In the Overlay field, specify the field name that is required to be used as a line (overlay) in the chart, and then, the view on the Axis option can be set on.

Now, in the following output, the Visitors field is used as chart overlay from the Format options. Here, the website's visitor data is used and the respective bars show LoginFailure and LoginSuccess, and the line chart over it shows the number of visitors. So, in the same chart, on the basis of the number of visitors, the number of login failures and success can be found out:

Chart overlay

Bubble charts

According to Wikipedia, a bubble chart is a type of chart that is used to display three dimensions of data in one single chart. In the Splunk Visualization list, a bubble chart is not available, but using D3 extension, it can be implemented in the Splunk dashboard.

Bubble chart visualization allows us to plot the magnitude of specified fields as the size of the bubble along with categorizing the fields using different colors for each field.

Let's understand how to implement a bubble chart in the Splunk dashboard with the help of an example.

Our Splunk query is as follows:

 |inputcsv bubble | stats count by UserID Transaction

The output of the preceding search query in a statistical format will be as follows:

Bubble charts

The bubble chart of the preceding statistical output is as follows. Looking at the following visualization, it can be clearly said that a user (user321) purchased six products, added four products in the wish list, logged in five times, and then logged off. Similarly, the bubble chart can be used to make visualizations to derive such insight from the data:

Bubble charts

The following are the customizations and scripts to be added to convert the preceding tabular statistical output in bubble chart visualization. We will be using a D3 extension to implement a bubble chart in the Splunk dashboard:

  1. First, download Splunk App Custom Visualizations from the Splunk App store, which has the important JS and CSS files required to implement bubble chart visualization.
  2. Then, copy the bubblechart directory from the downloaded app's components folder to the respective app's static directory in which the bubble chart is to be implemented.

    For instance, in our example, all files from the $SPLUNK_HOMEetcappscustom_vizsappserverstaticcomponentsubblechart directory are copied to the bubblechart directory of the search app located at $SPLUNK_HOMEetcappssearchappserverstaticcomponents.

Now, once the preceding D3 JS and CSS files are in place and Splunk is restarted, we can implement the bubble chart in the respective dashboard,

  • Creating an HTML element in a simple XML dashboard and
  • Referencing dashboard to use autodiscover.js:
    <dashboard script="autodiscover.js">

The following is the code that implements bubble chart visualization in the dashboard, and here, we have marked the important things that need to be changed as per the requirements:

Bubble charts

The important points to be modified in the preceding HTML content of the simple XML are as follows:

  • The div id and managerid values should be referenced correctly to make sure that the search and fields are properly mapped. This is very important, and in case of discrepancies in this ID, the result will not be loaded on the dashboard.
  • The search query should be replaced according to the required result in the bubble chart.
  • The data-require parameter should be properly referenced to the path containing bubblechart.js, bubblechart.css, and bower.json.
  • nameField, categoryField, and valueField should be properly referenced with the field names of the output of the search query that we've already specified.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.116.42.208