Dashboards & Visualizations

Customised Data Overlays

Hazel
Communicator

Hello,

I've created a report that counts, for each file name, how many servers it comes up on. The purpose of the report is reconciliation, as each file should come up 2 times (current server and DR server). When displaying this report, it would be really nice to get a good overlay, so for example if it's not 2, it flags up in red text or red background or something, and if it is ok, it's green.

I noticed Splunk has some overlays, for example giving things red & blue borders for high/low.

Does anyone know how I would go about customising my results/if it is possible in any way? If I can write my own overlay with this criteria?

Thanks! Hazel

sideview
SplunkTrust

Here's some code to point you in the right direction.

You're probably familiar with application.css, the file that you put at

/etc/apps/<appname>/appserver/static/application.css

and that apps use to create a custom look and feel. Well there's also application.js that you can create. It's definitely not widely used even within Splunk.

However if you put this into application.css:

tr.myCustomClass td {
    background-color:#eee;
}

and this into application.js:

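// Only patch the table module in the 'flashtimeline' view, and only if it is loaded.
if ((Splunk.util.getCurrentView() == "flashtimeline") && Splunk.Module.SimpleResultsTable) {
    Splunk.Module.SimpleResultsTable = $.klass(Splunk.Module.SimpleResultsTable, {
        // Run the stock rendering first, then decorate the rows.
        onResultsRendered: function($super) {
            var retVal = $super();
            this.myCustomHeatMapDecorator();
            return retVal;
        },
        myCustomHeatMapDecorator: function() {
            // Only data rows (those containing td cells), not the header row.
            $("tr:has(td)", this.container).each(function() {
                var tr = $(this);
                // Flag the row when the value in its third cell is not 2.
                if (parseInt(tr.find("td:nth-child(3)").text(), 10) != 2) {
                    tr.addClass("myCustomClass");
                }
            });
        }
    });
}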

What the above says, in English, is that within the app that I put these two files into, and within the 'flashtimeline' view only, make all the rows within SimpleResultsTable modules look at their third table cells, and if the value within is not '2', then add 'myCustomClass' to the tr element.

Mileage may vary. Note that the counting of the table cells will be affected by the little cells when you turn on 'displayRowNumbers' etc.

kenchisho
Path Finder

I just tried using this and it works pretty well. Is it possible to apply the CSS to a certain field instead of the row?

0 Karma
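An added example (not code from the thread or from Splunk) that covers both the per-cell question and the row-number caveat above: the decision logic finds the count column by header text rather than by `nth-child(3)` and returns a class for the cell itself. The names `findColumn`, `classifyRows`, `reconOk` and `reconBad`, and the sample table, are assumptions made up for illustration.

```javascript
// Pure decision logic, kept separate from the DOM so it can be tested
// outside Splunk. All names here are hypothetical, not Splunk APIs.

// Find a column by its header text instead of a fixed nth-child position,
// so extra leading cells (e.g. row numbers) do not shift the lookup.
function findColumn(headers, name) {
    for (var i = 0; i < headers.length; i++) {
        if (String(headers[i]).trim().toLowerCase() === name.toLowerCase()) {
            return i;
        }
    }
    return -1;
}

// Return, for each row, which cell to decorate and with which class.
// A cell that is empty or not a whole number is flagged, not skipped:
// for a reconciliation report an unreadable count is a failure.
function classifyRows(headers, rows, countField, expected) {
    var col = findColumn(headers, countField);
    if (col === -1) {
        throw new Error("no column named " + countField);
    }
    return rows.map(function (cells, rowIndex) {
        var text = String(cells[col] === undefined ? "" : cells[col]).trim();
        var ok = /^\d+$/.test(text) && parseInt(text, 10) === expected;
        return { row: rowIndex, cell: col, cssClass: ok ? "reconOk" : "reconBad" };
    });
}

// Constructed sample: a table rendered with row numbers on, so the count
// sits in the 4th cell rather than the 3rd.
var sampleHeaders = ["", "file_name", "hosts", "count"];
var sampleRows = [
    ["1", "/data/a.log", "prod01 dr01", "2"],
    ["2", "/data/b.log", "prod01", "1"],
    ["3", "/data/c.log", "prod01 dr01 dr02", "3"],
    ["4", "/data/d.log", "prod01 dr01", ""]
];
var decisions = classifyRows(sampleHeaders, sampleRows, "count", 2);
decisions.forEach(function (d) {
    console.log("row " + d.row + " cell " + d.cell + " -> " + d.cssClass);
});

// In application.js the same decisions would be applied to the cell itself,
// e.g. tr.find("td").eq(d.cell).addClass(d.cssClass), with matching
// td.reconOk / td.reconBad rules in application.css.
```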

Lowell
Super Champion

This is not an exact answer to your question. I would like an answer to it as well. I can share a workaround I've used before that may be helpful for you. This will not give you nice colors, but you can quickly add a field that has an "ok" or "FAILED" message, which can still be eye-catching.

It sounds like you are trying to line up events based on a common field. In which case you probably want to use transactions. Here are some ideas:

  1. Simply find only the events where there aren't two matching files:

    | transaction fields=file_name | where eventcount!=2

  2. Another slightly more creative approach I've used when I want to see both "good" and "bad" events at the same time is to create an additional search-populated message field. With this approach you could look for multiple issues at once. Say beyond your must-have-2-files requirement, you also wanted to check for the existence of the term "VeryBadError=True" (which could show up even if you have your 2 files). So we could do that with something like this:

    | transaction fields=file_name | eval msg=if(eventcount>2,"TOO MANY", if(eventcount<2, "TOO FEW","ok")) | eval msg=if(searchmatch("VeryBadError=True"), "BAD ERROR " . msg, msg)

Just a thought...

Lowell
Super Champion

Yeah, "" only shows one value.

0 Karma

Hazel
Communicator

Thanks, I found it, but didn't realise that with the 'Simple' module, it only takes the first row of the results, so not all that helpful for me.

0 Karma

Lowell
Super Champion

I think the docs have examples. Look in the developer guide for setting up simple XML dashboards.

0 Karma

Hazel
Communicator

Ok, thanks. The case you mention to do with the rangemap & SingleValue module... do you have any examples of how to use that? Perhaps I could use that if I am just using a number range to define OK/NOT OK anyway?

0 Karma

Lowell
Super Champion

I have not. I talked with Emma a while back on a number of different UI topics in Splunk 4.0. This topic may have come up, but I don't recall for sure. So I would definitely suggest that you submit your own ER to Splunk on this topic. (I don't think duplicate ERs hurt either, if nothing else to simply see that multiple people are asking for it.)

0 Karma

Hazel
Communicator

Yes, I agree. Have you raised this as an enhancement request to Splunk yet?

0 Karma

Lowell
Super Champion

Yes, more color would be nice. What I would like to see is a feature where you can use a field in your output to indicate a CSS class assigned to a table row, similar to how you can use the rangemap command to create a range field that gets used to specify a class (and therefore a color) with the SingleValue module (or <single>, in the simple XML). I think that would be a nice feature. You could probably implement something like this yourself with some extra JavaScript and CSS work, but I'm not very good with that stuff, and would rather wait to add a native feature anyways.

0 Karma

Hazel
Communicator

Hi, thank you for the comments. I didn't mention above, but this is the workaround I am using. I search for a sourcetype, and for each source/file name it should come up from two hosts, as each file should be configured on two servers, so the report is to check this. I use multi-valued fields to combine them, so you get a table with the file name, then a list of the hosts it found it on. I check how many host values there are, and if it is two, I put a field with text OK, and if not, I put the text NOT OK. I was just hoping to advance my report and make it more colourful, so they stand out more.

0 Karma

Yancy
Path Finder

This should be possible by creating some Eventtypes and then calling some custom CSS or JavaScript that is tied to those Eventtypes.

See: http://www.splunk.com/base/Documentation/latest/Developer/EventRendering

0 Karma

Lowell
Super Champion

No. That's different. The high-low and heatmap overlays work on tables. The custom event renderers work for event displaying (like using <event> in Simple XML, or the EventsViewer module in the advanced XML). Also, I'm not 100% sure what is meant by "each file should come up 2 times", but it sounds like there's an expectation of matching 2 different events. In which case, you can't make an eventtype for that anyways.

0 Karma