Download - Conf2014 NickFilipi Splunk WhatsNew
Copyright © 2014 Splunk Inc.
Nicholas Filippi Product Management, Splunk
Mathew ElDng Lead Engineer, Splunk
Splunk Dashboard Framework – What’s New
Disclaimer
2
During the course of this presentaDon, we may make forward-‐looking statements regarding future events or the expected performance of the company. We cauDon you that such statements reflect our current expectaDons and
esDmates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements,
please review our filings with the SEC. The forward-‐looking statements made in the this presentaDon are being made as of the Dme and date of its live presentaDon. If reviewed aSer its live presentaDon, this presentaDon may not contain current or accurate informaDon. We do not assume any obligaDon to update any forward-‐looking statements we may make. In addiDon, any informaDon about our roadmap outlines our general product direcDon and is subject to change at any Dme without noDce. It is for informaDonal purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligaDon either to develop the features or funcDonality described or to
include any such feature or funcDonality in a future release.
About Us
! Nicholas Filippi – Sr. Product Manager ! Mathew ElDng – Engineering Lead, Splunk Core UI
3
Simple XML / HTML Dashboards
Modular Inputs
Splunk Web Splunk Licensing
Alerting Splunk 6.x Dashboard Examples
About You
! Anyone looking to build dashboards on the Splunk plaYorm ! Interested in…
– What you can do within Simple XML – What new in the Splunk dashboard framework – What tools you have available
4
What is XML? Pro Web Developer Advanced XML
Dev Hacker Simple XML
Agenda
! Splunk dashboard/web framework(s) ! What’s new in Splunk 6.1 ! What’s new in Splunk 6.2 ! Example walk-‐throughs
– Form inputs – Search management – VisualizaDons – Drilldown
5
Splunk Dashboards
6
Splunk Dashboards
7
A collecDon of searches, visualizaDons, and interacDvity designed to tell a story with data
Interactivity Layout
Visualizations
Splunk Web Framework
8
Visual Editor Simple XML Custom HTML w/ Splunk JS Stack Advanced XML
Descrip@on 100% GUI Driven; drag-‐and-‐drop panels. Basic visual ediDng
XML config driven; constrained, defined object model. Internally supported.
Full HTML support. Leverage library of js components.
XML config driven; unconstrained; internally/externally supported
When to Use
• PDF PrinDng (full) • Drag-‐and-‐Drop (full) • Form Inputs
• Dynamic Drilldown • Tokens • Layout (row grouping) • Add opDons / parameters • PDF PrinDng (full) • Drag-‐and-‐Drop (full) • Extensions
• Custom Layout • Custom Form Inputs • AddiDonal interacDvity • New VisualizaDons • Custom javascript
• Custom Layout • Custom Form Inputs • AddiDonal interacDvity • New VisualizaDons • Legacy support • Reusable modules
What’s New: Splunk 6.1
9
Splunk 6.1 – What’s New
10
! Form Editor UI – UI to add/edit/arrange form inputs – MulD-‐select & checkbox inputs – MulDple Dme range picker support
! InteracDvity – Contextual drilldown (in-‐page drilldown) – Universal dynamic drilldown
! Other – Panel inputs – Panel refresh controls
Build more interacDvity into your dashboards
Form Editor UI
11
! UI to add/edit inputs – Full configuraDon support – Set token namespace – Auto-‐run, searchWhenChanged
! Drag-‐and-‐drop – Arrange within global space – Drag to panel for inline
! MulD-‐select/checkbox – MulD-‐value inputs
Add form inputs and build interacDvity without having to edit xml configuraDon
MulD-‐Select & Checkbox Form Inputs
12
! Build complex query strings with mulD-‐value inputs – valuePrefix – valueSuffix – delimiter
! Permalink support – Pass mulD-‐value form selecDons
via URL – ?form.field=val1&form.field=val2
Enable mulD-‐value user input selecDon, and translate to search
MulD-‐Select & Checkbox Form Inputs
13
<searchString>index=_internal $sourcetype_token$</searchString>
index=_internal (sourcetype=“scheduler” OR sourcetype=“splunkd”)
<input type="multiselect" token="sourcetype_token" searchWhenChanged="true"> <default>scheduler, splunkd</default> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>sourcetype="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> <populatingSearch earliest="0" latest="" fieldForLabel="sourcetype" fieldForValue="sourcetype">index=_internal | stats count by sourcetype</populatingSearch> </input>
Result
Process
MulDple Time Range Pickers
14
! 100% UI Driven ! Add MulDple Time Pickers
– Set unique namespace
! Explicit binding of search to Dme – TRP, explicit inline,
advanced
Compare metrics across mulDple Dme windows
<earliestTime>$inPanel2.earliest$</earliestTime> <latestTime>$inPanel2.latest$</latestTime>
Contextual (in-‐page) Drilldown
15
! Click to see more details without having to leave the page ! Allow for other panels and searches to react to user clicks
– Build complex interacDon between panel elements – Leverage “token availability everywhere”
Improve user efficiency with interacDve views
Contextual (in-‐page) Drilldown
16
! Step 1 – Use “drilldown” click event to set token(s) rather than link to other views
<drilldown> <set token="showTable">true</set> <set token="selected_sourcetype">$row.sourcetype$</set> <set token=“sourcetype_query”>sourcetype=“$row.sourcetype$”</set> </drilldown>
<drilldown> <condition field="sourcetype"> <!-- for the column sourcetype, do the following --> <set token="showTable">true</set> <set token="selected_sourcetype">$click.value2$</set> <unset token="showChart"/> </condition> <condition field="*"> <!-- for all other columns, do the following --> <set token="showChart">true</set> <set token="count">$row.count$</set> <unset token="showTable"/> </condition> </drilldown>
Trigger same ac@on for all cell clicks
Enable different ac@ons for each field click
Contextual (in-‐page) Drilldown
17
! Step 2 – Show/hide dashboard elements based on token existence
<table depends="$showTable$,$selected_sourcetype$"> <option name=“foo”>bar</option> </table>
<table rejects="$showChart$"> <option name=“foo”>bar</option> </table>
Show table based on existence of one or more tokens
Hide table based on the existence of one or more tokens
Universal Dynamic Drilldown
18
! Dynamic drilldown now available for all dashboard elements – Not just table and chart – Single, table, chart, event, map
! Same syntax, same behavior – Click informaDon: $click.name$, $click.name2$, $click.value$ ,$click.value2$, $row.<field_name>$ – AddiDonal map-‐related: $click.lat.name$, $click.lon.name$, $click.lat.value$, $click.lon.value$,
$click.bounds.north$, $click.bounds.south$, $click.bounds.east$, $click.bounds.west$ – Other: $earliest$, $latest$, any page-‐level tokens
Build workflow and dashboard linking for any user click event
<single> <searchString>index=sfpd Resolution="NONE" | stats count</searchString> <earliestTime>0</earliestTime> <latestTime>now</latestTime> <option name="afterLabel">Unresolved Incidents</option> <drilldown> <link>incident_listing_search?form.s_resolution=NONE</link> </drilldown> </single>
Universal Dynamic Drilldown
19
Tips & Tricks: Create a test dashboard that uses the new contextual drilldown to set tokens, and display in an html element
<form> … <row> <panel> <chart> <searchString>index=_internal | timechart count by sourcetype</searchString> <earliestTime>$field1.earliest$</earliestTime> <latestTime>$field1.latest$</latestTime> <option name="charting.drilldown">all</option> <drilldown> <set token="table1.click.name">$click.name$</set> <set token="table1.click.name2">$click.name2$</set> <set token="table1.click.value">$click.value$</set> <set token="table1.click.value2">$click.value2$</set> <set token="table1.row.sourcetype">$row.sourcetype$</set> <set token="table1.earliest">$earliest$</set> <set token="table1.latest">$latest$</set> </drilldown> </chart> <html> <ul> <li><code>click.name: $table1.click.name$</code></li> <li><code>click.name2: $table1.click.name2$</code></li> <li><code>click.value: $table1.click.value|s$</code></li> <li><code>click.value2: $table1.click.value2|s$</code></li> <li><code>row.sourcetype = $table1.row.sourcetype$</code></li> <li><code>Timerange: $table1.earliest$ - $table1.latest$</code></li> </ul> </html> </panel> </row> </form>
Panel Inputs
20
! Use for comparison dashboards ! Use for panel-‐specific inputs ! Drag-‐and-‐drop form inputs into “panels”
! New <panel> node – Replaces row grouping – Default behavior:
ê For single, orient horizontally ê For all other, orient verDcal
Create context specific form inputs
Panel Refresh Controls
21
! Enable/disable manual refresh link – Default: enabled (except for single) – <opDon name="refresh.link.visible">false</
opDon>
! Set autoRefresh – Refresh element aSer X seconds – <opDon name="refresh.auto.interval">30</
opDon>
! Control “refresh Dme” rendering – Default: enabled – <opDon name="refresh.Dme.visible">false</
opDon>
Manual or automated refresh controls for panel elements
What’s New: Splunk 6.2
22
Splunk 6.2 – What’s New
23
! Key Features – Prebuilt Panels – MulD-‐Search Management – Input MulD-‐token Se{er – Dropdown/MulDselect
Custom Values support – Dashboard Display Controls
Prebuilt Panels
24
! Packaged within apps and add-‐ons ! Purpose-‐built for dashboard re-‐use
– No further configuraDon required by users
! Panel objects may include – MulDple searches – MulDple visualizaDons – Full drilldown (including in-‐page, contextual) – Form inputs
! New add workflow – Browse, discover, search, and preview – Browse reports, other dashboards, and
prebuilt panels
Build custom dashboards faster using prebuilt panels packaged within apps
Prebuilt Panels – Technical Details
25
! Panels are new knowledge objects in Splunk – Included in dashboard “by reference”
! Management/Permissions – UI: “Se|ngs > User interface > Prebuilt panels” – FS: $SPLUNK_HOME/etc/apps/<app_name>/default/
data/ui/panels – Syntax for default.meta is “[panels]”
! Building panels – Via dashboard editor (recommended)
ê Build panel > “convert to prebuilt panel” – Via manager page
ê Required for ediDng ! Convert to Inline
– For any customizaDon
Note: Panels do not support custom js/css extensions
MulD-‐Search Management
26
! Run mulDple background searches – Locate within global space, or within panels
! Post-‐process search binding ! Re-‐use search results to drive
visualizaDons, form inputs, and more ! Normalized search syntax
– Replaces current, confusing search syntax – <searchTemplate>, <searchString>,
<searchPostProcess>, <populaDngSearch>, <populaDngSavedSearch>
! Splunk 6.2 is fully backward compaDble
Improve search efficiency in your dashboards with mulDple background searches
MulD-‐Search Management
27
! ExisDng scenarios (using new search syntax): – Inline search that drives a single visualizaDon – Report-‐based search that drives a single visualizaDon – Inline search that populates available choices in a form input – Report-‐based search that populates available choices in a form input – Single global search to drive mulDple visualizaDons w/ and w/o post process
! Newly Enabled Scenarios: – MulDple background searches that can be referenced directly for
visualizaDons, or post processes – Binding form input to a global search both directly, and using post
process filtering – Nested post process – Performance opDmizaDons for token subsDtuDon-‐based searches
Form Input MulD-‐token Se{er
28
! Key use cases: – Se|ng tokens for labels – Simple Dme range pickers – Cascading form input controls – Complex token se|ng w/ search – HiddenSearchSwapper
! On <change> event – OpDonally use <condiDon> logic
ê For value or label – Then use standard
<set token=“”></set>
Integrate more logic into form inputs
Free-‐Form Text Support for Dropdown/MulD-‐Select
29
! Operates similar to text input w/ auto-‐complete assistance
! Key use cases: – Best for hostname-‐type inputs – Inputs where you may want to use *
wildcards
! Enable via XML – <allowCustomValues>true</
allowCustomValues> – Default is false
Integrate more logic into form inputs
Dashboard Display Controls
30
! Enhanced OEM and/or embed capabiliDes ! 2 IntegraDon points
– As h{p get param – As form/dashboard a{ribute
! New a{ributes/parameters available – hideSplunkBar -‐ Hides just the splunkbar – hideAppBar -‐ Hides just the appbar – hideFooter -‐ Hides just the footer – hideChrome -‐ Shortcut to hide splunkbar,
appbar, and footer – hideTitle -‐ Hides Dtle and descripDon – hideEdit -‐ Hides all the dashboard controls
Enable/disable dashboard chrome and controls
Walk-‐Through Demos
31
Summary
32
Wrap-‐Up
33
! Leverage the newest dashboard funcDonality – Form inputs for greater dashboard authoring efficiency
ê MulD-‐select inputs, advanced token logic, Dme picker binding – Drilldown & interacDvity
ê Dynamic drilldown to link pages, contextual drilldown for in-‐page interacDvity – Prebuilt panels
ê Enable content sharing, leverage prebuilt content within apps
! Use “Splunk 6.x Dashboard Examples” App
Come Visit – “Ask the Dashboard Expert”
34
! For assistance with troublesome dashboards ! For migraDon Dps ! To brag about something cool you built ! To ask quesDons ! Or, just to say hi!
@CommunityLounge
THANK YOU