Dashboarding wowzas with Tom West - Boston Splunk User Group

Captions
Uh, we have Tom West with us, back again for the third time since, uh, if talking to our user group. Uh, first time was the SPL Rehab dashboard, back when we're still meeting in person and Tom was remote, and that worked out rather well. And then more recently the virtualrace2.conf20, was part of that team, which was a great globally distributed team, so when somebody had an issue somebody else could jump in. I love that. Yeah, absolutely. And now we're going to learn about dashboard tricks, so take it away, Tom.

Hey everyone, thank you very much for giving up your lunch time to, er, to like attend my talk today. So, uh, and thank you very much again for having me. I, um, as Eugene went and said, this is the third time that I've been, been with you and I really enjoy it every single time. Now you may have, if you were part of the, uh, user group last time, uh, where I gave the talk for, for the virtualracer.com, you may have noticed some of the dashboards that we put together, and certainly that they didn't look anything like a normal dashboard, um, even though they were just Simple XML. So we've put this presentation together to kind of give you an idea of how we did some of those things and how you could do them too, and not, and not just, um, with the virtualracers.com from stuff that we did there, but also just general things that I've done along the way. So I've been involved in some massive projects to dashboard a lot of data, and aiming dashboards aimed at senior leaders for, for businesses, um, all the way through to publicly facing dashboards for the general public, uh, to my own weird and wacky dashboards that have, um, either some use or no use at all but they look fun. So, um, I thought I'd kind of take a lot of those techniques that I've kind of learned and put together and put them to, put them towards a, a presentation. Now, uh, you may or may not be pleased to know I am not gonna do any PowerPoint presentations whatsoever. Um, so just first of all check in that you can see my screen, and excellent. Right, okay, yeah.
So a little bit of background before we go, before we get started. A lot of the data I'm going to show today is through my smart home. Uh, I use, uh, and I've started recently to use something called Home Assistant, and it sends out a lot of data, which makes dashboarding, demonstrating tricks and things quite easy, and it also, but it helps to give you a bit of context of what I'm showing, because that will make it easy for you to understand some of the things that are going to be on screen as well. Rather than it just be some line on the chart, hopefully you'll get an idea as to exactly what we're trying to sell. And so if I open up the presentation, and we've got a few different topics that I want to go over. Some of these have got kind of more than one thing. If you do have any questions at any point, feel free to just kind of jump in and ask the question. I'm not someone that's going to want to just wait until the end and, and answer all the questions there, and feel free to, to ask away, and whenever you think of anything you do want to ask.

So we're going to start off pretty basic. If you are, if you haven't really done much dashboarding in the past, um, then we're going to cover tokens, what they are, why you want to use them, and just some examples, uh, some quite quick tips to, to make dashboards look a lot better just using them. Then we're going into something called hidden text inputs, moving over to a little bit of CSS and showing exactly why that's quite useful, um, segueing off track a little bit onto, uh, reports and embedded searches, um, and a neat trick with there, and usually that's tied with when someone comes up and says "can you make this dashboard publicly available?" The answer is no, but we can do this instead. And then, uh, wrapping this all up, um, is a little bit of version control and what you can do with you, within your own Splunk environment, implement some sort of version control, and this doesn't have to be for dashboards, this could be anything, which is quite cool. So if we start off
with tokens first. And a lot of you may be familiar with this kind of layout right here, where you have an input and then you've got the red exclamation mark and "searches awaiting input", which, um, can be, it's a very quick way to put a dashboard together with an input, but usually it's not the look that you would like anyone to see, certainly when they're using it. Um, but typically you will get this whenever you have a search which is referencing the value within your, within your input. So in this case we've got a drop down. It really doesn't matter whether I hit yes or no, select one of those values and it will go and change that. So, uh, runs a search and says "hi there". And a little bit of a better way to do this is to use a token, and have that token, uh, use something called the depend, uh, the depends flag within the XML, and you do have to dive into the XML for this, and you can hide the, the search. So this is exactly the same block as before, but this time we're not seeing that exclamation mark, that block's been hidden. Again, if we select yes or no it will run the search, get "hi there" again. And as you start to get more used to this, actually there's other things that you can do as well. So, um, as well as the depends flag that I just mentioned, there's also the rejects flag, so we can, um, have states visible based on whether or something exists or whether something doesn't exist. So again it's the same block as before, but this time we've got a reject block which is simply "select an option". I select yes or no, that vanishes, and it comes back again. And to show you just how easy, how simple this really is, we can, uh, show the XML for the dashboard. So, uh, right from the top we've got the first row, which is this one here, and we've got our input.

All right, can you zoom in just a little bit? I think this is going to be, especially on the recording.

Yeah, yeah, that's good. I always forget that bit, thank you. So yeah, so yeah, we've got our, um, we've got our first row here. Um, another neat thing as well, um, a lot of
people don't know is that you can actually put inputs into panels. So rather than the input being right at the top you can have it in the panel. Is, is kind of a good, a, it can easily be overused and can have issues with your layouts, because there's a background associated with that, which you can override with CSS, but that's not usually the easiest thing to do. But you can certainly add inputs into, into panels rather than it being at the top. If they're dependent, you want to show them some of the time, then it's kind of a good thing, because you're not left with a blank, um, gap at the top. But we've got our, our input, which is absolutely nothing fancy, just a drop down. The token is the, the, uh, is the value of the, of the input, a couple of choices, and that's it. And we've got our table, and you can see in our search we've got, we're referencing our input here, select view one, message of "hi there", and we're just removing the underscore time field from that, and that's it. When I select on it, with a bit of drill down, it then just sets the token of show row, show two row. I've done very well with naming conventions here, capital letters, underscores, and, um, but if we go to the next one that I showed, where we have that, um, where we had it hidden, it was mentioned about the depends flag, we've got that right here, where we can see, uh, depends equals and then the show two results. Um, so this is based on this search. So again it's the same search, the only difference is the token. We can see select view one here, select view two, and that is mapped to this input. Because we don't have a, we haven't selected anything, this token is not set, it is unset, it's, it doesn't exist as far as the search goes, so the search is sat at awaiting input. Because it's sat at awaiting input we don't have a state of done, therefore this token of show two results has not been set, and because of that we've got our depends flag, um, proving false because that token does not exist, which is why we just had that single row with just a
single input showing that. And then we can go even further, and we can see this time once we selected the, the row, so it's set this field, this token here of show three row, which is there, and everything else is exactly the same, except we've also now got this rejects flag underneath with a HTML block, and that is show three results. So exactly the same logic as before, except this time we change it, we're using show three results rather than show two, and we're using rejects to view some HT-, uh, to do some HTML. That is pretty much it as far as, um, kind of a useful way of using tokens, and, um, certainly view hiding and, and showing different panels based on token state, and as well how you can throttle searches based on whether tokens are set or not, uh, which is also quite handy to do. And if you ever, if you've ever had a look at my, uh, app that I've created called SPL Rehab, you will, uh, and had a look at how that works, you'll see that it does a lot of that, where we've got a lot of unset tokens in searches to kind of manage how that, how that runs. Are there any questions so far?

Uh, it's real good. I don't know about reject, so I'm not a question, but I wanted to share a use case. I've done that depends to, to show different columns in the table. So we've wanted to, and maybe there's a better way of doing it, but you know, different people want to see different columns, of just a radio button that saying which view they want, and then yeah, showing different panels based on that, which is basically just loading off the same base search and doing a list of fields.

Yeah, definitely. Um, another thing that's quite cool with, um, or a good workaround, is the depends, uh, you can only have one depends condition, you can't have multiple. So if you happen to want to set a, a, to display a view based on multiple tokens, um, then, um, you can't do that on a single depends. So I couldn't add, and I couldn't have this row as depend show color show three row and then another depends show three results. They have to be on separate
um, separate blocks. However, what you can do is you can have your row on a depends flag, if you don't want to, if you want to make sure that you don't show that row unless that token exists, and then you can have your panel set to another one, and if you've just got one panel in your row then that's a way of creating two depends conditions for a block and without it, without hitting that limitation. The other one is making use of rejects. You can have a depends and a rejects on the same block, so you, uh, so you can almost use negative, uh, ways of getting it by having a depends and a rejects on the same line. It gets quite complicated at that point, but it's certainly something you can do.

I think when, what we ended up doing is just, when they select an option, set it and set some tokens based on which they want to see. So I think we just had three different tokens, and yeah, it's nice.

So I think the next one might be quite useful, is hidden text inputs. Um, now this is where we start actually having a look at the data in my house. So, uh, our lovely screen here, we've got a category, and what we want to do, what we're going to do first is have a look at a few different elements. So I'll show you how this dashboard works and then I'll show you how it works under the hood. So first of all, if I go and I'm interested in some batteries within my house, and particularly my phone, because, um, I'm terrible at making sure it stays on charge, and we can see the battery for my, uh, for my phone over the last 24 hours. Um, the last time it was 100 seems as though it was around five o'clock yesterday evening, and, um, because I'm good, I did not charge it overnight. I am usually, I wake up in the morning and half full of, and I'm full of regret for not charging it, but because we work from home charger, but when you're commuting that's not good if you're like me and actually rely on your phone whilst on public transport. Anyway, but get down to 18, I charged it, and now it's around 91, which is good. If I have a look at one of
the motion sensors, so have a look in the hallway at the motion sensor battery level there, we can see that that's been pretty, pretty flat all the way through. And now if I want to have a look at some lights, so just change this value here, and we can see that this panel changed, but also the drop down has changed, but the, the chart has vanished, it's no longer there. And my four-year-old, I mentioned previously, I want to have a look at what his light was like at night. You know, is it, is it working as it should? It should be on all throughout the night and it should be at a fairly low level. We can have a look here and we can see that, yeah, it was, he went to bed around 6:30 and it stayed at a low level throughout the whole night until he woke up at around there, seven o'clock. So we can see, yeah, that, that worked exactly as it should. Um, but we're quite happy as far as that goes. If I go over to some motion sensors and just double check his room, uh, and I can see he's quite a restless sleeper, and apart from at 9:30 motion was detected throughout the, throughout the entirety of the night, which is what I would expect really. Uh, it's quite a sensitive sense, it, it's triggered quite easily, and so is detected motion throughout his room in the night, which is good. If I go to temperature, and you can see that this dashboard is basically resetting itself each time. Uh, I guess actually before I do that I can go back to motion sensors, we can see that that chart hasn't, it will not reload. Something that people tend to do, a different panel, you know, different flows as you go through, and, um, won't reset kind of like sub tokens. So as you go back to, say you've finally gone to motion sensors, temperature, and then back to motion sensors, um, some people would have a, um, that chart display again because it's not been reset, because usually it's a bit of a pain to have to deal with all that kind of logic, especially as you add more and more things into a dashboard as you go further on. If I just take some temperatures,
go into my study right now, I can see it's quite a comfortable 20 degrees Celsius. So I, I, I should know what that, I should have converted that to Fahrenheit for this, but, um, I didn't, but 20 degrees Celsius is quite nice, it's quite a comfortable, uh, temperature for, for me, so I'm happy with that and can see that's all good. Now behind the scenes, in order to, I, one, one thing I could do is whenever I change this I could set, load, set and unset a load of different values. That's one way of doing it. If I all of a sudden want to change that logic though, if I want to add a different element in entirely, I have to take all those set and unset, uh, tokens and, and, and replicate it, and as the dashboard gets bigger and bigger it becomes more difficult to go and do that. So a really fun workaround, and you can, there's, the possibilities are kind of endless with this, is to use, um, text inputs. So we can see actually what the dashboard looks like behind the scenes, and even though we have four different categories showing four different tables, we're using, we're showing the same table, however we've only got three different charts, so one of these, one of these drop downs is actually ultimately reusing this, this, uh, one of these charts again. And this is all kind of driven by two hidden inputs. So we've got a, an input that is responsible for hiding, basically unsetting everything, and we've got one that's got some conditional logic baked in that goes, okay, well if you selected this then this is what I want to do. And so if I go through the XML, this kind of helps a little bit more. We've got that, we've got our drop down at the top here, and we can see the battery, the lights, the motion, the temperature. The actual value for the, values for those is pretty much the whole search as it was, um, and we've got this change event, so whenever the value of this token changes then we want to do something. So if the value is that, then we know it's the battery that's been chosen. There's probably a better way to do this, um, but in
essence we're just identifying when we select the battery, lights, motion and temperature, and we're actually telling that hide view input, a text input, that that's the value that we want to set it to: batteries, lights, motion and temperature. So if I go all the way to the bottom, we've got this row here, and it's on a depends flag, but it's on a token called never show. You could give it whatever you want, but in essence I just kind of try and keep it something like never show, as a token that I would never ever create, and therefore it will never display or never show to, er, to the end user that this row exists. And in here we've got our panel and we've got two inputs. We've got our first, which is hide view, as a, the token is hide view and it's text, and the first thing to bear in mind when we're setting them is that we're actually setting form dot token, not just the token. This goes and changes the actual value of the, the input, not the token under the, under the hood, um, and that will then go and execute this change event. We have it set to default, just because it makes sure that it will always run, um, regardless of what happens, um, sometimes just kind of a good catch-all to be able to do that. And then we've got our, uh, our unsets, so we unset this time chart range, this token of time chart range, this one of time chart min, time chart light selected, and then we set as final our form dot show view token, which is the value of the second input token, and we're setting it to the value of this token, so dollar value dollar. This goes onto the next text input, and this has conditional logic. The reason you can't do both is you can't have a blanket set of unsets or sets and then have conditions within it. See, it's an either or kind of deal, you can either have conditions or you can have the, the set and unset, and it's kind of easier and a little bit tidier to do it this way as well. So we, um, the value of this has changed, and then based on the condition, so we've got battery, temperature, motion and lights, and
this will eventually, ultimately set the time chart min, time chart range, time chart range and time chart light. So it allows us to reuse the same chart for temperature and motion and keep separate ones for battery and lights, but if I want to add anything later on, I want to change something, I don't have to go and edit, I don't have to basically have a bunch of unsets, which is what you would typically see, and one set my macro, there you go, um, which is what you would tend to see not within a change event but usually within drill down or something like that. Having it this way means you can really use all that logic again. Now the other good thing, and we can see this in action actually, if I go to here, select battery, we can see the hash mark, the hashes around these charts, showing that they would actually be hidden. We can see the hashes around this box, this panel as well, showing it would be hidden. If I type in temp, that goes and changes this one straight away to temp, and because I haven't changed the drop down here this will stay as it is, because there's nothing that says this needs to set, so it won't rerun the query. However you could bolt it all together and go, whenever that changes, change the, you know, uh, change the value back to whatever it should be on here, just as a belt and braces thing, and that's, that can be quite useful. Certainly one UK use case where I've gone and done that is when I've been working with Splunk Cloud in quite a strict, a restricted environment, and I want to have a selectable button. You can kind of make use of hidden inputs doing that, by having a, by having this kind of logic here and having a linked list button with one option. When that's clicked, that will then go and run this set and unset these, these tokens, um, which basically act exactly the same as if you have, um, clicked on a button with a little bit of JS behind the scenes to set and unset some tokens. Kind of a fun little use case. It's a pain to set up, but once it's set up it's easy. Um, something I tend
not to try and do, um, but you could also make use of this functionality for, um, for adding radio buttons but in a landscape kind of setting, rather than, rather than vertical, which is what's there by default. Again, can be quite complex doing that, but it's something I've done in the past. Um, one of my other favorites though is just having a, a hidden text input to handle a token that's been set as you enter the dashboard. I think if we go in this one here, I edit it, we can see that I've actually got the same thing going on here, and that's how, that's how I tend to prefer to pass tokens from one dashboard to the next. Um, when I select this it goes and sets this form presentation name, which is the hidden text input that you don't see, to, to drive that. So, um, something that is, you know, universal really in its amount of, uh, applications. The only downside from my own experience is that you can see the actual value within the URL, so if you want to try and hide it or anything like that then you kind, you kind of can't use this, but if you aren't bothered about showing whatever the value is then you can do this. And it also makes it quite easy if someone tells you that their dashboard's not working for some re-, for some reason. If you're basically handling all your, your tokens in text inputs, and when they copy the URL and pass it over to you to have a look and see what's going on, then you've already got the values of their tokens. If it's a particularly complex dashboard you know exactly what's going on, because you've got all their tokens already set. Um, kind of a handy thing as well. Any questions there? So just to kind of, oh, was there another question?

Nothing, that was me saying nope. But you, it, so to summarize, basically instead of just setting your token, if you set form.token then it will trigger the change and let you do a lot of other stuff off of that?

Yes, yeah, because normally if you just, normally if you set a token, there's nothing within a token, there's no facility available within a token
to say, well, if it's been set to this then actually I want to do this as well, it's been set to this and I want to do this as well. Um, whereas if you have set an input then you have that change event that you can then go and do that kind of conditional logic. Um, so that's that one. We go over to some CSS now. Now I have, uh, like I mentioned, I've got some, I've got a Home Assistant, uh, installation. This also has Node-RED, and at the moment behind my computer screen I've got a smart light strip which is changing color every 10 seconds, and the reason I'm telling you this is because it helps, um, give you an idea of exactly what's happening here. So the background color is changing every 10 seconds based on what the background color of my light is transitioning to. So, and it's kind of just a bit of a fun way of just handling a bit of CSS, and gives you an idea as to, um, the fact that you don't need to reload a dashboard to, if there's, if there's something with CSS that you, that you need to change. Um, one use case certainly for this, uh, you, you will have seen it if you went onto the virtualracer.conf and saw the, the dashboards that we put together. Each race was customized based on the, um, the race sponsor, so the dashboard behind the scenes was exactly the same, but we were using CSS to, to handle all those colors to make them, make them, uh, fit the sponsors', uh, brand new, uh, and this is basically doing exactly the same thing. So we've got a few things happening, uh, that I can cover. One is CSS and how that's handling here and how that works. We've also got a base search running, and we've also got color, custom colors for the, uh, for the bar charts here as well. So if I show you the XML, and it also will then mean that you don't see the colors as much. Uh, so we've got a base search, um, which I'll come back to, but, um, in essence it's no different from any other search, this is just driving the, um, the bar chart. The one that we want to cover as far as CSS goes is this single panel, this one here. So this one has
got a refresh set, and you can set this in the UI, of every 10 seconds, we'll go and run, uh, the query to get the, the current color for the light behind my screen, and it's gonna go and set, where is it, oh, the RGB color right there. So it's gonna actually set the value of the RGB color field to rgb, open brackets, then the actual value of the RGB values is sent through from Home Assistant, and then close it, and that will then go and make sure that that's a valid CSS RGB, um, value. And then we're basically just setting our description, our color, which is, um, just this bit within here, so just the numbers, and the RGB color itself, and on the done state here we are setting result.rgb color to be just this token here of bg color. And if we go underneath we can see just a little bit of CSS. So we've got our row, also using depends of never show here, we've got a HTML with a style block, and we've got the dashboard body set to the background color of the bg color token, and because we're messing around with Splunk's layouts we have to put the flag of exclamation mark important, just to force it to make sure that it uses that value rather than anything else of precedence. And we're also, um, for no real reason, because it probably, it impedes the, uh, the readability, or can do, we're also doing exactly the same with the single value. So rather than color or background color or anything like that, when we're changing the color of a single value we need to use the fill object, and again we can use token, and I think we also need to use important here, and sometimes you do, sometimes you don't. Um, best practice is not to unless you really need to, but that is how that's working. Because the values are changing by the token, it's doing it without having to refresh anything on the dashboard, it's just whenever the search is executed. Now for those that haven't used base searches before, um, this is kind of a really useful way of being able to run one search to get your results for most of your dashboard and then just
display slightly different things based off that main search, uh, in many different panels, rather than every single panel being a separate, uh, full-blown Splunk search, which can be quite expensive. In essence it looks absolutely no different from a normal search. We can see in the single value we've got search, and we can ignore done, and it's really query, we've got our earliest and latest, we can have refresh and things like that if we want to, but in essence a base search needs to be nothing more than search block, a query block, earliest and latest, uh, the difference being that we have to have in our search an ID. So in this case, if we, uh, we're setting our ID to main base, this runs this search, we don't see it, um, but we can then reference it. So here we've got our search block, and here rather than id we have base equals and then main underscore base, and we've got our query here. And this, um, the UI sometimes has a bit of an issue with, because it goes, well, actually if you don't want to do anything with your basics, you just want your, you just want to display your base search, you in essence don't need a query, but the UI doesn't like the fact that you have a search with no query, and the UI, you're not able to, um, reference a base search, you have to go into the XML. But in essence it's just these two things here, um, on top of this search, which makes the full search that you see for this time chart down the bottom here. And if you have a base search that is referenced over multiple different, uh, panels, hitting the refresh button here will refresh all your panels, because all your panels are driven off the main panel. But once you get the hang of it it's quite a, a really useful way to put some dashboards together. There are a couple of caveats. Ideally you need a transforming search. By that I mean you need to be using something like timechart, stats, chart, one of those kind of commands that's gonna go and condense the, uh, your result count, reason being, I think you're limited to a thousand results
that come off your base search. Um, anything more than that, they'll drop off, but Splunk won't tell you. If you have a search that has a small amount of data that you don't run a transforming command on, you can absolutely do that, however in those instances you need to at least use the fields command, um, fields or table, right at the end to specify the fields you're interested in, otherwise a base search will send nothing through to your panel, your panel will not display anything, and then you'll spend ages wondering why on earth your data, your search isn't working, because it should be, and then when you hit your expand search to open it up in the search screen it does display results, which makes it even more confusing. And that's three, that's nine times out of ten the reason why. The other reason why you have a results discrepancy is because you've gone over that thousand result threshold, which is some, both things I've spent many times trying to work out why it's not working and have then regretted, uh, life's choices. So just be, uh, it's just been being mindful of that really.

Yeah, there's a whole article from Sideview from 2017 about the dangers of post-process searches, so I just dropped that into chat for anyone who wants to dig.

Awesome, thank you. And the last thing as well on this one is pretty simple. It's just on the chart, we can see we've got this charting dot series colors, and this allows us to customize each bar to a specific color. Um, problem here is it has to be a hex color. I'll try it, it could be RGB, but I can get RGB to work, um, so typically it's best if you use hex colors for this. Um, and it's just a, an array such as this, which will allow you to customize each individual element within the series. Quite useful, um, to be able to do that, and yeah, it's something I tend to prefer to do if I need, if I need to hold the color state in here. Because we're showing literally the value, the average values of red, green and blue for a particular time period, it makes sense to have the
columns as red, green and blue, um, but a little bit softer, because if you put, if you have the, the full red, green and blue with a dark theme then your eyes will hurt. Any other questions for now?

I had one, if anybody else has anything. Uh, my question was with, um, to which one did you do that with, with a single, where you set the, the style of the single. Can you use IDs to, if you have multiple of those? So if you specify an ID, it will carry through to CSS?

Yes, yeah, yeah, yeah. So if you, if you have single and then an ID on there, then yeah, you can absolutely just control the, uh, the ID. Okay. For that, uh, the only thing that's annoying with ID is that you cannot have multiple blocks with the same ID on a Splunk, unlike us, a Splunk component. So you would, if you have say like five or six separate single, um, single values that you want to share across it, share the same colors for and keep everything else different, then you have to have five or six separate C-, uh, IDs and then reference each of those individually within CSS, which quickly becomes quite a pain.

I haven't touched CSS in years, but I think you can do like wildcard selects, yeah, for cases like that. But okay, now it's good to know that it respects the, the IDs and gets them through.

Yeah, the only thing, the place where that doesn't apply is HTML blocks. If you're messing around within HTML blocks, so not the primary HTML block but ones underneath, so div, um, table, all those kind of ones, you can assign the same ID to those individual sub blocks, um, which again is quite handy if you're messing around with a lot of HTML, and then, then you can certainly go and do that. And quite useful to be able to, to change values within, use HTML to have different like header, panel titles and, and headers and that kind of thing, because with the Splunk you're, you, you're usually tied to the title block within a chart or the title block of a panel. Um, and I, um, I don't have much of an issue with the title block for, for a chart, but I really don't like that the title
block for a panel is is not bold and is just slightly larger text um i'm personally not a fan of it in those in those cases where i have to have a bit more description then i'll use a html block well ids theoretically are supposed to be unique but can you use class have you tried that you can't use so this is a while ago i tried using class and gave up because it wouldn't work you couldn't from memory you couldn't do it with the splunk objects so like like the row the panel the single but again because of how the html blocks worked i would have been i could have done it within html blocks okay cool cool so as we go from there onto embedding now something that a few people have asked in the past is when we've done a dashboard can we make it publicly available on a website um the answer to that is usually no um but there is one feature which um has some people that like it some people that don't and it's within a saved search you can have uh there's an option to embed so you can create a saved search and then um select an option there to embed the search that will um allow you to uh that will create an iframe that you can then reference within a website and and view your chart there so this here is a saved search um it's motion by each of the the sensors that we've got in the house so um you can just have a trellis view across all of that now this is a set this is a saved search that's embedded if i select on it it'll open up the saved search so you can just see that it looks exactly the same i hit edit and we can see the main problem that we have with embedding and it's the you need if you want to change the search you have to disable embedding in order to edit the report now in some ways having this locked is a good thing because it does mean that no one can make any changes unless uh unless they really mean to and certainly if you've got something that's publicly uh viewable you don't want to be making changes every five minutes however when you do disable uh the 
embedding and re-enable a different token's attached so then you've got to go back to the web team and you've got to get them to embed the new iframe because it's a different iframe than before and depending on the change process and exactly what it is that you want to change that can be a bit of a pain so for instance if i have a look here i can see that um i've got a sensor called upstair rather than upstairs as it should be and that's because my replace and rex wasn't particularly great for that but if i wanted to change that i would have to go and edit disable and and do that whole process that i just mentioned however there is a work there is a work around in order to be able to do some of that which is quite handy so we can see here exactly what the search is is doing it's running a macro and we've got our earliest and our latest so behind here it's going to be yeah there you go runs daily at midnight the range is the last 24 hours and these results were generated 18 hours ago we can see that that's true minus 24 hours and our latest is now schedule is midnight and the actual search that's being run is just this macro of motion by sensor and if i select this i'll see what the value of the macro is just in case anyone was wondering i'm using a few different rest commands to get all this information together again you could i really recommend if you want to have a look at the set you know your your config and settings um within you've got different use cases where you would think that it'd be useful to use them rest usually has your back with that and definitely recommend having a look that's a tangent so uh for the macro we can actually see it's the full search and the advantage of doing this is that it means that i can edit this macro i am not limited to having to disable my the embedding of my search to edit the search and then re-embed it again i can just edit the macro the macro is has no idea that it's been used in a saved search that's embedded so i could do 
that and do that change you can see here the regex that's actually removing um things like s's from the end um i think it's archies and bradleys and but it's also gonna affect things like upstairs and so i could remove that if i wanted to and then have the and just save them the macro at that point nothing changes the search is still going to be as it is until the next time it runs but the next time it runs it's going to run the new the updated macro it won't have any idea that the macro has changed it's just going to run the code within the macro and therefore you've updated your search without actually having to um do anything else it's quite useful um not many use cases i think for embedding but it's a it's a feature that's useful to know also useful to know the limitations and the work around if you need it within the macro as well because you can't edit the time range for this report but you can update the earliest and latest uh conditions within this particular macro so you could say earliest is i don't know minus 12 hours and latest is now um and then it will only run the last 12 hours because um as you may know earliest and latest in a search when specified takes precedence over um the time picker so again he's useful to me suspect that that will probably not be not be valid if you do that but i've not tested it i could be wrong any questions with that not a question but again a comment my guess was going to be that you're going to have another scheduled job and use loadjob but that i guess requires staggering them which which is a little more complicated but i like this this is nice oh so in what so if you have so if you schedule another job yeah all that this job embedded job says is just load the job then you can do whatever you want with it correct um however that is definitely one way of doing it and people that use search head clusters with uh objects that are not shared between the cluster and may have a difference of opinion on that though um to 
have it on all different outcomes yeah like loadjob um creates a search artifact and if the search artifacts aren't shared across the search head cluster then um you're not then you won't necessarily be able to call that loadjob to run the uh to run that saved search unless they were running off the same search head so it's just a limit it's a limitation with a loadjob and something to be aware of it's really something i should try and fix as well in spl rehab because that makes use of loadjob a lot and um i know it has various degrees of success within search head clusters and if only had a search head cluster to test it so onto the last one uh version control now this is almost a direct to result of the freedom that you get with being able to do this um now you can do this with any knowledge object not necessarily dashboards but i'll show you how how i use it for dashboards uh so if i so i basically have one saved search and i call it dashboard version control this runs rest and it will uh call this endpoint data ui views now this is if anyone's spotted the url at the top this is the splunk cloud instance for the splunk trust so i have my own app within here called westie's world um terrible name there we go and what i want to do is i just want to get the title the actual data and whether it was when it was last updated do a bit of modifications with that get the current date as now we're going to look up against the against a lookup i've got called sd dashboard version control and output the xml as stored xml and the reason i do this is that this actual rest api call is going to bring back a field of eai:data and that is the actual xml for a dashboard which is what you've seen me do in other dashboards i've shown how i've shown you that xml without going into edit is just by running that same thing but specifying the dashboard that i want so this is going to get me all the dashboard all the xml to all the dashboards that i have within my app um it's i'm going to 
compare the xm the value of the xml field from rest versus what i've already stored in xml and if it is if i haven't stored it before or if that value has changed then um i'm going to append that to my version control lookup now you could do that it'd be much safer to do this in a kv store for instance and make sure that it's you know backed up and for my own personal prep for my own personal environment it's not something i'm going to go like around the the houses doing so i'm quite happy to store it in a csv but in essence it means that i've just got a csv with all my xml dashboard xmls and whenever i've made a change i've got that updated version so if i make a change to something and it breaks then i've already i've already got the previous version if i select this search here it's going to show you just what values are within that csv at the moment so we've captured these particular dashboards that are in my um in my app we've only gone and updated each one once since this report was created and if i go to uh if we get to the tokens dashboard that we started this presentation on we can see the xml is exactly the same except this time we're using the xml as stored within the lookup rather than the xml that was generated from the from the rest call which is what we were doing when we were actually viewing the xml originally in that part of the presentation but you can do like i said there's a rest npr apis for there's one for your conf files and so in theory you could back up all your conf files just by having a saved search and pulling in the details of your conf files and then running um storing that detail out to look up the other thing as well as far as rest goes especially with that particular endpoint is if you combine that with a uh untable command then you could uh as long as you use it against your main identifying field which when you run untable you've got three fields the first field being the identifying field that things kind of get grouped by and then 
you've got two that you basically i will always call field and then value because your field name is the next column along and then your value is the value of that field but in essence you get a um an output that looks very very similar to btool so if anyone that's had a look at btool anyone that wants to see almost what your config files look like within a splunk search that's kind of a fun way of being able to do it and really useful especially if you're on splunk cloud because you don't have access to the back end system to see what values of your conf files are and so handy to be able to see that the only thing you won't get is the debug so which app that values is retrieved from but you do get um what what the actual power whatever that value is which is quite useful that is pretty much it is there any of the questions anybody else just fair warning my zoom is flaking out and keeps going to none not responding modes if i disappear well then i disappear in that case i'm going to take this opportunity right now to say thank you very much for giving up your lunchtime or spending your lunch time with me to come and for allowing me to show you these dashboarding tricks i am on the slack uh channels as uh westy so feel free to to get in touch if there's any questions you want to get uh that you want to ask afterwards um i'm usually i usually quite heavily monitor the dashboards channel within there as well so if there's any questions feel free to ask on there if i'm not on there answering it there's someone else that's equally helpful if not probably more so on there answering the question um as well really great place to find out any uh hints tips tricks and uh solutions to problems that you may or may not have with dashboards as well very cool third time around was uh did not disappoint this is excellent you might you might be coming back again you know i it's always been one of my uh favorite groups so thank you very much for having me and i'm always happy to 
attend any point if nothing else because you're actually having a fairly sociable time it's still daylight in the uk which is the fact that we have daylight at all is astounding but at the moment is especially amazing i think he zooms died so thank you very much everyone thank you thanks brandon uh okay maybe some of that gum come through uh my zoom froze completely yeah i kind of guess it was so i said thanks to everyone yeah all right you jump in on the boston slack channel if you're not in there already because that's where we talk about next topic bye everyone cheers thanks eugene thank you and i can't end the meeting because my zoom is frozen there we go no five second wait for each button click awesome i might have to leave this part in the recording i'm trapped in zoom forever please send help what are you doing oh oh wait can i wait no no come on ends meeting no oh sure
Info
Channel: Splunk User Community Experience
Views: 140
Id: B9PuOPfdxd0
Length: 54min 27sec (3267 seconds)
Published: Fri Mar 12 2021