Splunk comes with lots of built-in visualizations that you can use to present your data, and even makes it easy to customise these visualizations so that you can make them even more meaningful. However, sometimes you need something a little bit extra.

Splunkbase is the app store for Splunk, where members of the Splunk community can submit apps and add-ons to provide additional functionality to Splunk. You can then install these into your own Splunk environment and make use of these new features. A quick search on Splunkbase for visualizations brings up over 100 visualization apps, each of which can provide a different way for you to present your data.

For the purposes of this demonstration, I’m going to install Network Diagram Viz, an app which promises to allow one to create colourful visualizations of a network hierarchy. There are two ways to install apps in Splunk.

Installing apps in Splunk

Method one: Download and install

  1. On the app page, you will see an option to log in and download, or just to download, the app. If you need to log in, remember that this is the login that you use to access Splunk services online, not the username and password for your own Splunk environment. Accept the conditions, and download the file as usual.
  2. In your Splunk environment, click on the Apps dropdown next to the Splunk icon in the top left corner of the screen, and select ‘Manage Apps’ at the bottom of the list.
  3. Select ‘Install app from file’, and browse to the file you just downloaded. Click on upload. The app will now be available in the list of apps.
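
An added check for the ‘Install app from file’ route, not part of the original post or of Splunk’s own tooling: Splunk app packages are gzip-compressed tar archives, so the downloaded file can be reviewed before it is uploaded. The Python below flags entries that would extract outside the app folder, link entries, scripts under bin/ and conf files that can run code, none of which a visualization-only app normally needs; the conf list is a heuristic assumed for this example, and `example_viz` with its contents is constructed sample data.

```python
import io
import tarfile

# Conf files that can make Splunk run code (heuristic list assumed for this example).
CODE_CONFS = {"inputs.conf", "commands.conf", "restmap.conf", "alert_actions.conf"}


def review_app_package(fileobj):
    """Return review findings for a Splunk app archive (.tgz/.tar.gz/.spl)."""
    findings, top_dirs = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = [p for p in m.name.split("/") if p not in ("", ".")]
            # Entries that would land outside the app folder when extracted
            if m.name.startswith("/") or ".." in parts:
                findings.append(f"path escapes app directory: {m.name}")
                continue
            top_dirs.update(parts[:1])
            if m.issym() or m.islnk():
                findings.append(f"link entry: {m.name} -> {m.linkname}")
            if m.isfile() and len(parts) > 2 and parts[1] == "bin":
                findings.append(f"server-side script: {m.name}")
            if m.isfile() and parts[-1] in CODE_CONFS:
                findings.append(f"conf file that can run code: {m.name}")
    if len(top_dirs) != 1:
        findings.append(f"expected one top-level folder, found {sorted(top_dirs)}")
    return findings


def build_sample(files):
    """Build a constructed .tgz in memory so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed package; "example_viz" is a hypothetical app name.
    sample = build_sample({
        "example_viz/default/app.conf": b"[launcher]\n",
        "example_viz/bin/helper.py": b"print('hi')\n",
        "example_viz/default/inputs.conf": b"[script://./bin/helper.py]\n",
    })
    print("\n".join(review_app_package(sample)))
```

Call `review_app_package(open(path, "rb"))` on the downloaded file; an empty list means none of these checks fired, not that the app has been vetted.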

Method two: Install within Splunk

  1. In your Splunk environment, click on the Apps dropdown next to the Splunk icon in the top left corner of the screen, and select ‘Find More Apps’ at the bottom of the list. This will bring up a Splunkbase browser inside Splunk.
  2. Type in the name of the app you are looking for. It should appear in the main panel, with a green ‘Install’ button. Click on install, and log in to your Splunk account. This is the login that you use to access Splunk services online, not the username and password for your own Splunk environment. Accept the terms and conditions, and the app will be downloaded.

Using the new app

Now that my app is installed, I can see it in the list of apps available when I click on the apps dropdown. Navigating to a new app will usually reveal some instructions or documentation for how to use it. In the case of this Network Diagram Viz app, there’s plenty of information explaining how this app works, and tabs providing examples to play around with and modify.

To add one of these visualizations into your own dashboards, follow any instructions given in the app. For this Network Diagram app, we can add a diagram into a dashboard by going into edit mode on the dashboard, selecting ‘Add Panel’, and choosing the Network Diagram Viz from the dropdown list on the right-hand side. Insert the search you want this visualization to be based on, and select ‘Add to Dashboard’.

From looking at the app itself, we learn that the search should result in a table with a ‘from’ field containing the name of the source entity, and many other optional fields. My search looks like this:

index="ta_v12_dev" source="mulesoft:discovery" 
| eval from=orgID 
| eval to=parentOrgID 
| eval nodeText=orgName 
| eval level=case(isnull(parentOrgID),"org",true(),"sub-org") 
| eval type=case(level="org","globe",level="sub-org","sitemap") 
| eval color=case(level="org","red",level="sub-org","blue") 
| fields from, to, nodeText, type, color
| search to=* OR from=* 
| table from, to, nodeText, type, color

This search looks over some data which contains orgIDs and parentOrgIDs. My goal is to create a diagram which shows the relationships between the organisations in my data. The ‘from’ and ‘to’ fields specify this relationship. The nodeText is an optional field, which will display the organisation’s name in my diagram. The ‘type’ and ‘color’ fields are for display purposes, meaning that I can specify the icons and colours used in my diagram. The search results in this table:

A table containing the fields ‘from’, ‘to’, ‘nodeText’, ‘type’, and ‘color’.

Once the panel has been added to your dashboard, you may wish to refine some settings. The usual ‘format visualization’ option will be visible, but the options will be different. In my case, I wanted to disable the Physics, Draggable nodes and Zoom options, as my visualisation is quite small and simple. The main change I wanted to make here was to enable a Hierarchal view, and to change the display direction. The end result is a neat little tree diagram, like so:

A tree diagram, showing a parent organisation and two layers of children

For 2021 we’ve committed to posting a new Splunk tip every week!

Posted by: Becky Nielsen

Becky is a certified Splunk Admin, who has been working for iDelta since graduating from CodeClan's Professional Software Development course in 2019. Previously an archivist at several institutions around the UK, she holds an MSc in Information Management and Preservation from the University of Glasgow.