Splunk Dashboard Framework What s New Nicholas Filippi Product Management, Splunk

Copyright 2014 Splunk Inc. Splunk Dashboard Framework What s New Nicholas Filippi Product Management, Splunk Mathew ElDng Lead Engineer, Splunk

Disclaimer During the course of this presentadon, we may make forward- looking statements regarding future events or the expected performance of the company. We caudon you that such statements reflect our current expectadons and esdmates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward- looking statements, please review our filings with the SEC. The forward- looking statements made in the this presentadon are being made as of the Dme and date of its live presentadon. If reviewed aser its live presentadon, this presentadon may not contain current or accurate informadon. We do not assume any obligadon to update any forward- looking statements we may make. In addidon, any informadon about our roadmap outlines our general product direcdon and is subject to change at any Dme without nodce. It is for informadonal purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligadon either to develop the features or funcdonality described or to include any such feature or funcdonality in a future release. 2

About Us! Nicholas Filippi Sr. Product Manager! Mathew ElDng Engineering Lead, Splunk Core UI Simple XML / HTML Dashboards Splunk Web Splunk Licensing Modular Inputs Alerting Splunk 6.x Dashboard Examples 3

About You! Anyone looking to build dashboards on the Splunk playorm! Interested in What you can do within Simple XML What new in the Splunk dashboard framework What tools you have available What is XML? Advanced XML Pro Web Developer Simple XML Dev Hacker 4

Agenda! Splunk dashboard/web framework(s)! What s new in Splunk 6.1! What s new in Splunk 6.2! Example walk- throughs Form inputs Search management VisualizaDons Drilldown 5

Splunk Dashboards 6

Splunk Dashboards A collecdon of searches, visualizadons, and interacdvity designed to tell a story with data Interactivity Layout Visualizations 7

Splunk Web Framework Visual Editor Simple XML Custom HTML w/ Splunk JS Stack Advanced XML Descrip@on 100% GUI Driven; drag- and- drop panels. Basic visual edidng XML config driven; constrained, defined object model. Internally supported. Full HTML support. Leverage library of js components. XML config driven; unconstrained; internally/ externally supported When to Use PDF PrinDng (full) Drag- and- Drop (full) Form Inputs Dynamic Drilldown Tokens Layout (row grouping) Add opdons / parameters PDF PrinDng (full) Drag- and- Drop (full) Extensions Custom Layout Custom Form Inputs AddiDonal interacdvity New VisualizaDons Custom javascript Custom Layout Custom Form Inputs AddiDonal interacdvity New VisualizaDons Legacy support Reusable modules 8

What s New: Splunk 6.1 9

Splunk 6.1 What s New! Form Editor UI UI to add/edit/arrange form inputs MulD- select & checkbox inputs MulDple Dme range picker support! InteracDvity Contextual drilldown (in- page drilldown) Universal dynamic drilldown! Other Panel inputs Panel refresh controls Build more interacdvity into your dashboards 10

Form Editor UI Add form inputs and build interacdvity without having to edit xml configuradon! UI to add/edit inputs Full configuradon support Set token namespace Auto- run, searchwhenchanged! Drag- and- drop Arrange within global space Drag to panel for inline! MulD- select/checkbox MulD- value inputs 11

MulD- Select & Checkbox Form Inputs Enable muld- value user input selecdon, and translate to search! Build complex query strings with muld- value inputs valueprefix valuesuffix delimiter! Permalink support Pass muld- value form selecdons via URL?form.field=val1&form.field=val2 12

MulD- Select & Checkbox Form Inputs <searchstring>index=_internal $sourcetype_token$</searchstring> Result index=_internal (sourcetype= scheduler OR sourcetype= splunkd ) Process <input type="multiselect" token="sourcetype_token" searchwhenchanged="true"> <default>scheduler, splunkd</default> <prefix>(</prefix> <suffix>)</suffix> <valueprefix>sourcetype="</valueprefix> <valuesuffix>"</valuesuffix> <delimiter> OR </delimiter> <populatingsearch earliest="0" latest="" fieldforlabel="sourcetype" fieldforvalue="sourcetype">index=_internal stats count by sourcetype</populatingsearch> </input> 13

MulDple Time Range Pickers Compare metrics across muldple Dme windows! 100% UI Driven! Add MulDple Time Pickers Set unique namespace! Explicit binding of search to Dme TRP, explicit inline, advanced <earliesttime>$inpanel2.earliest$</earliesttime> <latesttime>$inpanel2.latest$</latesttime> 14

Contextual (in- page) Drilldown Improve user efficiency with interacdve views! Click to see more details without having to leave the page! Allow for other panels and searches to react to user clicks Build complex interacdon between panel elements Leverage token availability everywhere 15

Contextual (in- page) Drilldown! Step 1 Use drilldown click event to set token(s) rather than link to other views Trigger same ac@on for all cell clicks <drilldown> <set token="showtable">true</set> <set token="selected_sourcetype">$row.sourcetype$</set> <set token= sourcetype_query >sourcetype= $row.sourcetype$ </set> </drilldown> Enable different ac@ons for each field click <drilldown> <condition field="sourcetype"> <!-- for the column sourcetype, do the following --> <set token="showtable">true</set> <set token="selected_sourcetype">$click.value2$</set> <unset token="showchart"/> </condition> <condition field="*"> <!-- for all other columns, do the following --> <set token="showchart">true</set> <set token="count">$row.count$</set> <unset token="showtable"/> </condition> </drilldown> 16

Contextual (in- page) Drilldown! Step 2 Show/hide dashboard elements based on token existence Show table based on existence of one or more tokens <table depends="$showtable$,$selected_sourcetype$"> <option name= foo >bar</option> </table> Hide table based on the existence of one or more tokens <table rejects="$showchart$"> <option name= foo >bar</option> </table> 17

Universal Dynamic Drilldown Build workflow and dashboard linking for any user click event! Dynamic drilldown now available for all dashboard elements Not just table and chart Single, table, chart, event, map! Same syntax, same behavior Click informadon: $click.name$, $click.name2$, $click.value$,$click.value2$, $row.<field_name>$ AddiDonal map- related: $click.lat.name$, $click.lon.name$, $click.lat.value$, $click.lon.value$, $click.bounds.north$, $click.bounds.south$, $click.bounds.east$, $click.bounds.west$ Other: $earliest$, $latest$, any page- level tokens <single> <searchstring>index=sfpd Resolution="NONE" stats count</searchstring> <earliesttime>0</earliesttime> <latesttime>now</latesttime> <option name="afterlabel">unresolved Incidents</option> <drilldown> <link>incident_listing_search?form.s_resolution=none</link> </drilldown> </single> 18

Universal Dynamic Drilldown Tips & Tricks: Create a test dashboard that uses the new contextual drilldown to set tokens, and display in an html element <form> <row> <panel> <chart> <searchstring>index=_internal timechart count by sourcetype</searchstring> <earliesttime>$field1.earliest$</earliesttime> <latesttime>$field1.latest$</latesttime> <option name="charting.drilldown">all</option> <drilldown> <set token="table1.click.name">$click.name$</set> <set token="table1.click.name2">$click.name2$</set> <set token="table1.click.value">$click.value$</set> <set token="table1.click.value2">$click.value2$</set> <set token="table1.row.sourcetype">$row.sourcetype$</set> <set token="table1.earliest">$earliest$</set> <set token="table1.latest">$latest$</set> </drilldown> </chart> <html> <ul> <li><code>click.name: $table1.click.name$</code></li> <li><code>click.name2: $table1.click.name2$</code></li> <li><code>click.value: $table1.click.value s$</code></li> <li><code>click.value2: $table1.click.value2 s$</code></li> <li><code>row.sourcetype = $table1.row.sourcetype$</code></li> <li><code>timerange: $table1.earliest$ - $table1.latest$</code></li> </ul> </html> </panel> </row> </form> 19

! Use for comparison dashboards! Use for panel- specific inputs! Drag- and- drop form inputs into panels! New <panel> node Replaces row grouping Default behavior: ê For single, orient horizontally ê For all other, orient verdcal Panel Inputs Create context specific form inputs 20

Panel Refresh Controls Manual or automated refresh controls for panel elements! Enable/disable manual refresh link Default: enabled (except for single) <opdon name="refresh.link.visible">false</ opdon>! Set autorefresh Refresh element aser X seconds <opdon name="refresh.auto.interval">30</ opdon>! Control refresh Dme rendering Default: enabled <opdon name="refresh.dme.visible">false</ opdon> 21

What s New: Splunk 6.2 22

Splunk 6.2 What s New! Key Features Prebuilt Panels MulD- Search Management Input MulD- token Se{er Dropdown/MulDselect Custom Values support Dashboard Display Controls 23

Prebuilt Panels Build custom dashboards faster using prebuilt panels packaged within apps! Packaged within apps and add- ons! Purpose- built for dashboard re- use No further configuradon required by users! Panel objects may include MulDple searches MulDple visualizadons Full drilldown (including in- page, contextual) Form inputs! New add workflow Browse, discover, search, and preview Browse reports, other dashboards, and prebuilt panels 24

Prebuilt Panels Technical Details! Panels are new knowledge objects in Splunk Included in dashboard by reference! Management/Permissions UI: Se ngs > User interface > Prebuilt panels FS: $SPLUNK_HOME/etc/apps/<app_name>/default/ data/ui/panels Syntax for default.meta is [panels]! Building panels Via dashboard editor (recommended) ê Build panel > convert to prebuilt panel Via manager page ê Required for edidng! Convert to Inline For any customizadon Note: Panels do not support custom js/css extensions 25

MulD- Search Management Improve search efficiency in your dashboards with muldple background searches! Run muldple background searches Locate within global space, or within panels! Post- process search binding! Re- use search results to drive visualizadons, form inputs, and more! Normalized search syntax Replaces current, confusing search syntax <searchtemplate>, <searchstring>, <searchpostprocess>, <populadngsearch>, <populadngsavedsearch>! Splunk 6.2 is fully backward compadble 26

MulD- Search Management! ExisDng scenarios (using new search syntax): Inline search that drives a single visualizadon Report- based search that drives a single visualizadon Inline search that populates available choices in a form input Report- based search that populates available choices in a form input Single global search to drive muldple visualizadons w/ and w/o post process! Newly Enabled Scenarios: MulDple background searches that can be referenced directly for visualizadons, or post processes Binding form input to a global search both directly, and using post process filtering Nested post process Performance opdmizadons for token subsdtudon- based searches 27

Form Input MulD- token Se{er! Key use cases: Se ng tokens for labels Simple Dme range pickers Cascading form input controls Complex token se ng w/ search HiddenSearchSwapper! On <change> event OpDonally use <condidon> logic ê For value or label Then use standard <set token= ></set> Integrate more logic into form inputs 28

Free- Form Text Support for Dropdown/MulD- Select! Operates similar to text input w/ auto- complete assistance! Key use cases: Best for hostname- type inputs Inputs where you may want to use * wildcards! Enable via XML <allowcustomvalues>true</ allowcustomvalues> Default is false Integrate more logic into form inputs 29

Dashboard Display Controls Enable/disable dashboard chrome and controls! Enhanced OEM and/or embed capabilides! 2 IntegraDon points As h{p get param As form/dashboard a{ribute! New a{ributes/parameters available hidesplunkbar - Hides just the splunkbar hideappbar - Hides just the appbar hidefooter - Hides just the footer hidechrome - Shortcut to hide splunkbar, appbar, and footer hidetitle - Hides Dtle and descripdon hideedit - Hides all the dashboard controls 30

Walk- Through Demos 31

Summary 32

Wrap- Up! Leverage the newest dashboard funcdonality Form inputs for greater dashboard authoring efficiency ê MulD- select inputs, advanced token logic, Dme picker binding Drilldown & interacdvity ê Dynamic drilldown to link pages, contextual drilldown for in- page interacdvity Prebuilt panels ê Enable content sharing, leverage prebuilt content within apps! Use Splunk 6.x Dashboard Examples App 33

Come Visit Ask the Dashboard Expert @CommunityLounge! For assistance with troublesome dashboards! For migradon Dps! To brag about something cool you built! To ask quesdons! Or, just to say hi! 34

THANK YOU