Dashboards are popular for measuring and tracking company performance, and they represent a useful way to manage specific metrics that are the best success indicators. A dashboard allows sharing of key information between different departments in a company and can be considered a one-stop place to look at the current state of affairs. A dashboard can pinpoint strengths and challenges; users of a dashboard do not have to weed through pages of unnecessary, meaningless data. Instead, a dashboard can identify and display data based on advanced analysis. Managers can make well-informed, evidence-based decisions based on the information in a dashboard.
Enterprises are looking to move beyond historical and descriptive data by using forecasting and predictive measures for their decision making. Only a few key metrics should be introduced in a dashboard. Your audience does not want tons of data; they want disciplined thinking and well-researched information. It is important to remember that the main objective of a dashboard is communication; you should not distract viewers with elaborate graphics, gauges, and dials. The data in a dashboard should be clean, usable, and integrated in a way that is meaningful to your enterprise.
Chapter 4 ■ Visualizing the results
Splunk provides several ways of creating meaningful dashboards that are built from the searches and visual charts. The easiest way would be using the Splunk Web user interface. We have been using Splunk’s search App to make searches; however, you may not have realized that the search App already has a basic dashboard (Figure 4-30). This provides information about the data loaded into Splunk, the number of events indexed, different sources of data, source types, and the hosts. It gives a holistic snapshot and lets the users take action either by doing drill-downs or by creating searches to find specific data.
Figure 4-30. Splunk Search App Dashboard
Splunk also provides a default collection of five status dashboards, which can be accessed by clicking on the “Status” menu, as shown in Figure 4-31.
• The Search activity dashboard provides information about search activities for the Splunk instance. You can see the peak load times for searches, the most popular searches, and so on.
• The Index activity dashboard provides several useful statistics breakdowns for indexes and index size, utilization of resources such as CPU per index, top five sources that have been indexed in the last 24 hours, and so on.
• The Server activity dashboard provides information about recent browser usage, Splunk web errors, and information about how Splunk is performing. Figure 4-32 shows a nice server activity dashboard and good usage of Gauge charts to show information about errors, access delays, and uptime. You can control the threshold and range values for the gauge charts to make the data more meaningful.
• The Inputs activity dashboard provides information related to inputs or processed and ignored log files.
• The Scheduler activity dashboard provides information about the search scheduler, with charts showing the started and skipped searches, average execution times, average time taken to run scheduled searches, and so on.
Figure 4-31. Splunk status dashboards
Now that you have learned what Splunk provides as default dashboards, and the wealth of information that can be used, let’s explore how to create a custom dashboard. Throughout this chapter we have created different searches and visual charts that are related to MyGizmoStore.com sample data. We will handpick some of them to create a dashboard that provides snapshot information about MyGizmoStore.com. We will take the following reports:
• Chart of purchases and views for each product
• 404 Errors
• Purchases trend
• Transaction duration
• Top purchases by product
To get started, click on the “Create dashboard . . . ” link under the “Dashboards & Views” menu, shown in Figure 4-33.
Figure 4-33. Create dashboard
This will bring up the dialog box “Create new dashboard.” We will enter MyGizmoStore as ID and
An empty dashboard has now been created. To make it editable and add previously created reports, click “On” for Edit, as shown in Figure 4-35.
Figure 4-35. Edit MyGizmoStore.com dashboard
Figure 4-36. Purchases and views panel
To start adding the reports into the dashboard, we will have to create a new panel that will hold the report. Click on “New panel”; that will bring up a dialog box, as shown in Figure 4-36. We will start creating a panel for the Purchases and Views chart. Enter “Purchases and Views” for the title and select the radio button for “Saved search.” The drop-down box will show the list of saved reports. Select “Purchases and view area chart.” Click on the Save button.
This will bring up the report in tabular format. In order to visualize it as a chart, you have to click on “Edit” and select “Edit Visualization,” as shown in Figure 4-37.
This will bring up the dialog box, where you can make changes depending on how you want to visualize the tabular data. Let’s select the “Area” chart as shown in Figure 4-38, which we saw worked well for this data. Click on the Save button.
You will now be able to see the tabular data for purchases and views as an area chart, as shown in Figure 4-39.
Figure 4-39. Purchases and Views
Now that you have learned in a step-by-step manner how to add a report to the dashboard, we will add the rest of the reports to the dashboard.
For 404 errors report:
• Click on New Panel; name as 404 Errors and select “404 Errors Chart” report from the drop-down box. Click Save.
• Edit the panel, and select “Pie as Visualization.” Click Save.
For Purchases trend report:
• Click on New Panel; name as Purchases Trend and select “Purchases Trend” report from the drop-down box. Click Save.
For Transaction duration report:
• Click on New Panel; name as Transaction Duration and select “Transaction Duration Chart” report from the drop-down box. Click Save.
• Edit the panel, and select “Column as Visualization.” Click Save.
For Top Product purchases report:
• Click on New Panel; name as Top Product Purchases and select “Top Product Purchases Chart” report from the drop-down box. Click Save.
• Edit the panel, select “Column as Visualization,” and select stacked as stack mode option. Click Save.
Now that we have added all of the reports that we want to be part of the MyGizmoStore.com dashboard, we can arrange them properly to make the dashboard easy to understand. You can drag and drop each panel in the dashboard to rearrange them. Once the dashboard is rearranged, go to the “Dashboards & Views” menu and click on the MyGizmoStore.com link to bring up the new dashboard, as shown in Figure 4-40.
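The same five panels can also be written as a Simple XML dashboard definition, which makes the dashboard reviewable as text. This is an added example, not taken from the book: it uses the `<search ref="...">` form of Simple XML from later Splunk releases, so the release described here may expect a different element for the saved-search reference. The label and the row layout are assumptions; the saved report names, chart types and stack mode are the ones chosen in the steps above.

```xml
<!-- Added example: Simple XML equivalent of the dashboard built in the steps above. -->
<dashboard>
  <!-- Label assumed from the menu link name; the dashboard ID entered was MyGizmoStore. -->
  <label>MyGizmoStore.com</label>
  <!-- The grouping into rows is an assumption; the text leaves the arrangement open. -->
  <row>
    <panel>
      <chart>
        <title>Purchases and Views</title>
        <!-- ref must match the saved report name exactly -->
        <search ref="Purchases and view area chart"></search>
        <option name="charting.chart">area</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>404 Errors</title>
        <search ref="404 Errors Chart"></search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <!-- No visualization is chosen for this report in the steps, so it stays tabular. -->
      <table>
        <title>Purchases Trend</title>
        <search ref="Purchases Trend"></search>
      </table>
    </panel>
    <panel>
      <chart>
        <title>Transaction Duration</title>
        <search ref="Transaction Duration Chart"></search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Top Product Purchases</title>
        <search ref="Top Product Purchases Chart"></search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
  </row>
</dashboard>
```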
You have already seen how Splunk Apps such as Google Maps or Globe help us to visualize the data. In Chapter 2, you learned about and installed Splunk Technology Add-ons for Windows and *Nix to collect the data in Windows or Unix environments. These Add-ons also have full-fledged Splunk Apps, which means that you can not only collect the data but also visualize it through prebuilt dashboards.
Let’s see how we can make use of Splunk’s *Nix App. You can download and install the *Nix App the same way as you have installed other Apps. If you have installed the *Nix Add-on at the same time, you will have to disable it before you can get the *Nix App to work. To disable a particular App, use Splunk Manager and click on “Apps.” Once you have installed *Nix App, it will be listed under the “App” menu, as shown in Figure 4-41.
Figure 4-40. MyGizmoStore.com dashboard
On Unix, you can enable the sources of data that you want to load into Splunk. To show the *Nix dashboard working we have enabled /var/logs as file and directory inputs and cpu, memory, top, and who in scripted inputs. *Nix provides a comprehensive set of dashboards that let you visualize the information across CPU, memory, disk, network, users, and different log files. You can build custom dashboards on top of it or create reports in different charting formats using the data loaded into Splunk by *Nix.
We will wrap up this chapter by looking at sample dashboards in *Nix. Figure 4-42 shows the CPU overview dashboard that you can access from the CPU menu, which provides visual information about CPU consumption by user, process, and so on. You can see that the App makes use of the timechart command to create reports that are part of the dashboard.
Figure 4-42. *Nix CPU overview dashboard
Figure 4-43 shows the memory dashboard that visually shows the memory usage by process, usage by top 10 users, and so on.
Figure 4-44 shows the logging dashboard, which visually shows throughput across different log files. Splunk App for Windows also provides a comprehensive set of dashboards similar to *Nix. You can install this in the same way as *Nix.
Summary
In this chapter, you have learned how to visualize data indexed into Splunk. You have seen the reporting capabilities of Splunk using report builder and SPL commands chart and timechart. You learned about different charting types and how to use them for different types of data structures, using the MyGizmoStore.com sample data. Finally, you learned how to build dashboards and explore Splunk Apps that help in visualization and provide prebuilt dashboards.