An Introduction to Splunk Dashboard Tokens

Captions
Ready. Set. Secure.

Hello and welcome to An Introduction to Splunk Dashboard Tokens. I'm Chuck Brown, service delivery manager for our data analytics group here at Set Solutions. If you'd like to learn more about Set Solutions and how we build long-term partnerships based on successful outcomes, please visit us at setsolutions.com. And with that, let's jump right in.

If you're not familiar with Splunk dashboard tokens, you can think of them as programming variables. Some token values are predefined, but you can create custom tokens that are defined by dashboard form inputs. You can also set values for custom tokens within the Simple XML code of your Splunk dashboards. In this video I'll demonstrate how to create a troubleshooting debug panel in your dashboard to view the values of your tokens, and then we'll use our tokens to build an interactive dashboard that will update a Splunk search to change a chart, update a panel title, change a chart visualization, and even change the visibility of a panel. You don't have to worry about copying down any of the links used in the video; we will make sure they are posted in the notes section.

For this walkthrough I'll use a free standalone Splunk installation, version 8.1.2, and a free Splunk Search Tutorial. Tip: if you'd like to follow along and build this dashboard on your own system, you can download both at no charge directly from Splunk using this URL. Here is the area where you can download the tutorial data files. The tutorialdata.zip is the only one we'll need, and if you don't already have a Splunk instance, you can follow these links for a free Splunk Cloud trial or download the installation files for your preferred operating system. Loading of the data set is described in part two, Uploading the Tutorial Data: upload the tutorial data.

Let's switch over and load it into our Splunk instance. We will select Add Data, Upload. I will drag the tutorialdata.zip file over to our system. Next. On the Input Settings page we will override the default values as
described in the link. We will select segment in path for host, and segment number one. Review our data, Submit, and Start Searching. See data in our system. Now we can begin building our dashboards.

Before we go any further, let's make a note of the start day and end day for our data set. In my case it is February 23rd for the start and March 3rd for the end. Let's go ahead and close our link to the Splunk tutorial data and go to the Search and Reporting app in our Splunk instance, and let's open one new duplicate tab of our Splunk instance. We'll use this to test some of our searches for our charts and inputs.

Now on to dashboarding and our token debug panel. Click Dashboards and create a new dashboard. We'll name our dashboard Token Examples. We'll add a chart to our dashboard: Add Panel, New, Column Chart. We'll call this chart Count of All HTTP Error Response Codes for Host www1. For the time range we'll use the time picker. In a typical use case you would probably want this to be a preset relative time range like last 24 hours or last 7 days. In this video I'll use the date range of my tutorial data, which is February 23rd to March 3rd. Apply. Our search string will be: index equals main, source type equals access combined w cookie, host equals www1, status greater than 399.
We will time chart this count of status codes by the host. Add this to our dashboard, close the Add Panel, and Save. We now have a chart that shows all HTTP error codes that occurred on host www1 within the specified time range.

That's a great start, but maybe we'd like to know individual error code counts instead of seeing the count of all. We could build a chart on our dashboard for each error code. Instead, let's use a token to make our existing dashboard dynamic, and we can pick which error code we want to display in our chart. Let's create a dashboard input that will automatically populate with the HTTP error codes, and we'll create a custom panel to view the tokens we generate from that input.

Edit, Add Input, and we'll select Dropdown for this input. We edit the input properties by clicking on the pencil icon for the input. The input label will be what we see in our dashboard; we'll call that HTTP Error Code. Let's have the chart automatically update when we select an error code, so check the Search on Change option. And then, for the sake of clarity in this example, we'll be very explicit in our naming of our tokens, so we'll name this token status token. We will select a default option; however, we can't pick one right now since we've not defined any yet. Here we define any prefix or suffix we want for our token. These will surround the option value as it's passed to our token. That probably doesn't make much sense right now, but I'll explain it further after we create our debug panel.

In this section of our input we can define static and dynamic options to appear in the dropdown. The option name is also known as the option label, and it's what your dashboard user will see when they select something from the input. The option value is typically passed to the input token, getting any defined prefixes or suffixes along the way. We'll create one static option of All, value of asterisk. Our dynamic input options will be pulled right from the data itself. We'll need a search query that
retrieves a list of all status codes greater than 399. Let's take a moment, jump over to our other tab, and test our search: index equals main, source type equals access combined w cookie, status greater than 399. We will deduplicate the status codes, we will then table the status codes, and for visibility and to make it look pretty we'll sort them. We'll run this over all time right now. Here's the list of our status codes.

So we'll take our search, go back to our dashboard, and paste it into the search string. In a typical use case you might run your dynamic option search over the same time period as your chart. Because this is just an example and we want to keep it simple, we'll go ahead and select All Time to ensure that we get the values we need out of our data set. The field that will be used for the label will be the status field, and in this case the field we'll use for the option values will also be the status field. Note that these can be different if your data contains some other field that you'd like to use for either the option label or the option value. Lastly, let's go back up to our token options and select the default to be All. Apply, save, refresh. It's a good idea to always refresh your dashboard after you've modified it. I've run into dashboard issues that would not make any sense at all and would just disappear after a page refresh.

We now have an input for our dashboard that dynamically populates with the HTTP status error codes found in our data set. Before we integrate this input into our chart, let's create a debug panel to see what the tokens contain. So we'll edit the XML source, and here are the two sections of our dashboard: our input, and here is the panel containing our chart. Looking at the input section, we see the token is status token. Between the input and the chart panel we'll create a new panel: row, panel, title Token Debug, html, h2, status token equals dollar sign status token dollar sign. When you want to retrieve the value of a token, you reference it with a dollar
character at the start and at the end of the token. Let's save, refresh, and look at our debug panel. Our status token value updates as we switch between our input options.

Now let's add some additional code to our dashboard so we can view our input option label and our input option value. Edit source again. Here is our current input. We'll add some code at the bottom of this input: change, set token equals dollar sign status option label token. We'll make that the value of the label, and we'll set another token, status option value token. We'll make that the value of the value. Now that we've set these new tokens, let's add them to our debug panel to view them. So we're going to show the value of the status option label token and the status option value token. Let's save, refresh, and take a closer look at our debug panel. Now we can see not only what the token contains, but we can see what the option label is and the option value that we're selecting. In this case the option value is an asterisk, but the label that the user sees is the word All. In other cases these values may be the same.

Let's integrate our status input into our chart. Again we'll go to edit source. The status token contains what we're wanting to search for in the status field. We'll update our search and replace status greater than 399 with status equals dollar sign status token dollar sign. Save and refresh. Our input is now updating our chart, but our chart title no longer accurately represents the content. Let's use our status option label token to fix that. Edit source, and in the title of our panel, Count of All HTTP Error Codes for Host www1, we'll change the word All to the token we defined of status option label token. Save and refresh. Now when we select an option from our dropdown, the chart and the panel title update automatically.

Maybe we want to compare the error code counts on different hosts. To do that, let's add an input allowing us to select multiple hosts for comparison. Edit, Add Input, and we'll use
a checkbox. Edit our new input. The label will be Hostname. We'll search on change, and again, to be explicit, we'll call this the host token. We'll come back to the default after we've defined some options. In a multi-select input the token options look a bit different than a dropdown. In addition to a token prefix and suffix, we have options to define a token value prefix, token value suffix, and a delimiter between the values. To help guide us through this complexity, Splunk has added a nifty preview feature. In this exercise our token prefix will be an open paren, the token suffix will be an end paren, the token value prefix will be host equals quote, the token value suffix will be a single quote, will be a quote, and our delimiter will be space, the word OR in caps, and another space. Let's build a preview of what our token will look like, and we'll use the token in our search string to modify the search to retrieve the host we want.

We will add a static option of All with an asterisk, and our search string for our dynamic options will be: index equals main, source type equals access combined w cookie, status greater than 399, dedup host value, table host value, and sort host value. We'll run our search over all time for this example. Our field for our label will be the host value, and the field for the value will also be host. Apply, save, refresh. We now have an input that dynamically populates with host names found in the data. I did forget to add a default value, so let's go back and modify that. Edit our input, and our initial value, our default value, will be All. Save, refresh. There we go.

Now let's add the code necessary to set the option label and option value, as well as these new tokens, to our debug panel. Edit the source. Here is our host token input. Right before the end of the input we will define our new tokens. So here we're setting our new tokens of host option label token and host option value token. Because it's a multi-select input, we need to specify a delimiter. We'll give the option label token the
value of the label, the option value token the value of the value. Moving down to our debug panel, we'll add the code necessary to view the values of these tokens: host token equals dollar sign host token dollar sign. So here we've defined the values of host option label and host option value. In our debug panel we will display the content of the host option label and the host option value tokens. Save and refresh.

In our token debug panel we can see the values for our host token, the host option label, and the host option value. All is currently selected. Host token is paren, host equals quote asterisk quote, end paren, while the option label is All and the option value is an asterisk. If we select other hosts, we can see how this changes. In our exercise we'll use the host token to modify the search that drives our panel, and we'll use the option label in the panel title. So let's update our panel chart and the title of our panel to use our new host name tokens. Edit source. The host option label token will be used in our title, so we'll do the Error Response Codes for Host, remove www1, and insert host option label token. And in the search driving the chart, we'll remove host equals www1 and replace that with host token. Save and refresh. Now our panel title updates automatically, as well as our chart, when we select different options for our dashboard.

Well, our dashboard is coming along quite nicely, but let's say some of our users prefer a line chart or an area chart instead of a column chart. Although you could create a separate panel for each, we'll add an input allowing users to change the chart type to the one they prefer. Edit, Add Input. This time we'll use a radio button. The label will be Chart Type. We will not select Search on Change for this input; the dashboard visualization can be modified without having to rerun our search. We'll name our token chart token. We'll come back to default in a moment. No prefix or suffix will be needed, and we'll define three static options. First will be
Area Chart, the value of area; Line Chart, the value of line; and Column Chart, the value of column. Apply our changes. Before we save our dashboard, let's add our token to our debug panel. Edit the source, down to our debug panel, create another horizontal row, the value of our token. Save and refresh. I have forgotten to set the default value; let's go do that now. Apply, save, refresh again. We can select the different chart types and see the token value change. Let's integrate it into our chart. Edit source, move down to our chart, and modify the charting dot chart value. Instead of the word column we will use our token, chart token. Save and refresh. Now our visualization changes when we select a different chart type.

Let's assume you're happy with how the dashboard is coming along and you really like your debug panel, but you're sure your users will not want to see it all the time. We can add an input that hides the debug panel by default and allows you to view the contents when you'd like. We'll Edit, Add an Input, and add a checkbox. Edit the checkbox. We will remove the field label. Do not search on change, as this input will only be used to update our dashboard visualization; no need to rerun the search. Our token will be debug token. We will leave the default purposefully blank on this input, and we'll add one static option of Show Debug Panel with a value of one. Apply this, and add the contents to our debug panel. Apply, edit source, save, and refresh. We did not select a default, so our token has no value. When we do select our option, the token value is one.

And finally, let's modify our dashboard and use this token to show our debug panel. Edit source. In the debug panel element we'll update it to include a depends attribute: depends equals quote dollar sign debug token dollar sign. So what we've done is configured the panel to only display when debug token has a value. By default debug token will not have a value and the debug panel will not display. Save and refresh. When our Show Debug Panel input
option is unchecked, our token debug panel will disappear. We can verify that the Show Debug Panel will not appear by default. We can go to Dashboards, select our Token Examples dashboard, and all values will be default: all HTTP error codes, all host names, column chart, with no debug panel shown.

I hope this introduction to Splunk dashboard tokens has been worthwhile and has given you a few ideas of how to use inputs and tokens in your own interactive Splunk dashboards. If you did find this to be useful, don't forget to click that like button. Feel free to leave a comment with your feedback or suggestions for future video content. And finally, please reach out to us if we can be of any help. Thank you.
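The Simple XML that the walkthrough arrives at, narrowed to the status dropdown and the hideable debug panel, as an added example that is not the presenter's own source. The underscore token spellings and the exact SPL are assumptions reconstructed from the spoken captions, and a fixed all-time range stands in for the time picker used in the video; `$label$` and `$value$` are the predefined tokens available inside an input's `<change>` handler.

```xml
<form>
  <label>Token Examples</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="status_token" searchWhenChanged="true">
      <label>HTTP Error Code</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>status</fieldForLabel>
      <fieldForValue>status</fieldForValue>
      <search>
        <query>index=main sourcetype=access_combined_wcookie status&gt;399 | dedup status | table status | sort status</query>
        <earliest>0</earliest>
      </search>
      <!-- Copy the selected option's label and value into their own tokens -->
      <change>
        <set token="status_option_label_token">$label$</set>
        <set token="status_option_value_token">$value$</set>
      </change>
    </input>
    <!-- No default: debug_token stays unset until the box is ticked -->
    <input type="checkbox" token="debug_token" searchWhenChanged="false">
      <choice value="1">Show Debug Panel</choice>
    </input>
  </fieldset>
  <row>
    <!-- Rendered only while debug_token has a value -->
    <panel depends="$debug_token$">
      <title>Token Debug</title>
      <html>
        <h2>status_token = $status_token$</h2>
        <h2>status_option_label_token = $status_option_label_token$</h2>
        <h2>status_option_value_token = $status_option_value_token$</h2>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Count of $status_option_label_token$ HTTP Error Response Codes for Host www1</title>
      <chart>
        <search>
          <query>index=main sourcetype=access_combined_wcookie host=www1 status=$status_token$ | timechart count(status) by host</query>
          <earliest>0</earliest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```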
Info
Channel: Set Solutions
Views: 1,501
Id: ROkcztsE2W8
Length: 33min 47sec (2027 seconds)
Published: Tue Apr 27 2021