Splunk tiles offer you an easy way to display data from your Splunk instance in a SquaredUp DS dashboard.
SquaredUp DS Standalone Enterprise edition (or above) is required for access to the Splunk tile, ServiceNow tile, Azure App Insights tiles, High Availability, and Team Folders. For more information about license pricing see pricing information. To upgrade please contact [email protected] To check the license edition you are using see How to check which license key is being used.
If you don't already have a Splunk provider, you need to create one before you can configure a Splunk tile (How to add a Splunk provider).
Add a new tile to a dashboard and click on Integrations > Splunk.
Select the visualization for your Splunk tile and click next.
A Scalar displays one value. A Scalar is useful to show a specific number like "total cost of my services" or "free disk space on this server". When a Data Stream returns multiple values (meaning a table with multiple rows), you will still be able to pick the Scalar visualization, but the Scalar will only show the value of the first row.
Example:
A table of data, for example incidents or tickets.
Tip: You can turn the individual rows into links in the settings. For example, if you're displaying tickets in your grid, you can link the rows to the ticket in your external ticket system.
Did you know? Since SquaredUp DS 5.4 users can search the grid, and temporarily change the column size and sorting of the grid (by clicking on the column headers) without having to access the settings. They can also expand a row by clicking on the three dots at the end of each row if cells are too small to show their entire content.
Shows time-series data over time, in a graph with an x-axis (time) and a y-axis. You can show several objects, such as servers, in one graph.
Example:
Visualizes time-series data as vertical columns.
Example:
Shows data over time (like line graphs), but each item gets its own graph instead of showing all lines in one graph.
Example:
Visualizes both a number and the resulting bar width based on the number value.
Example:
Shows the results in a donut shape.
Example:
Shows the state of items as icons with different colors. You can display just the icons or together with a description. You can also use a background image and drag the icons into position on the image.
Example:
Shows the state of items as blocks with different colors.
Example:
Provider: Select your Splunk provider from the select provider drop-down and click next.
You can only use providers of the same type as the tile. Providers of other types won't be shown in the select provider drop-down.
Search: Enter your Splunk search query using the Search Processing Language (SPL).
Since you want to display a single value, make sure that your search query returns a single row with a single value. If your query returns multiple columns, SquaredUp DS will pick one of them. If your query return multiple rows, SquaredUp DS counts the number of rows and displays the result as the value.
Tip for better performance: If you want to display the number of rows, use your Splunk search query to count the rows instead of letting SquaredUp DS count them.
There are no special requirements for Splunk search queries for grids.
Tip:
For some search queries, Splunk adds additional columns (system fields) to your search results, which you usually don't need. You can hide them by putting | fields - _* in your search query. This way, you don't have to hide them all manually in the grid column settings.
Example:
You need to replace my_index with the name of your index.
search index=my_index | fields - _*
The return data must include a column called _time. Most common Splunk commands for time series data (like bin, timechart, xyseries, etc.) produce a _time column.
Example:
You need to replace my_index with the name of your index.
search index=my_index | timechart span=1h count by host
There are no special requirements for Splunk search queries for Bar Graphs.
The return data must include a state column which must contain the following values:
healthy, critical, and/or warning (the values are not case-sensitive). Any other values will result in state unknown.
The state values define the color of the status icons or blocks:
Healthy
green
Warning
yellow
Critical
red
Unknown
gray
Filtering behavior of Splunk
Splunk will only return results that match your search query. If data doesn't fit your search, Splunk throws those results away. This means a search like eval state=case(count > 1000, "critical") will only return results with a case count bigger than 1000. Any results with less than 1000 cases will be discarded and you'll only see "critical" blocks or icons in the tile.
Example:
You need to replace my_index with the name of your index.
templates button: Allows you to import searches that are saved in your Splunk instance.
Which templates are available in a Splunk tile depends on the permissions of the Splunk user account that is used in the configuration of the Splunk provider. Any search queries that this user can access in Splunk (for example, queries in saved searches, Splunk reports, dashboards, etc.) are visible as templates in Splunk tiles. For example, if you used Splunk User A for the configuration of Splunk provider A, a Splunk tile that uses Splunk provider A will show all templates that are visible to Splunk User A in Splunk.
You can use the clock insert time value button to insert page timeframe and date variables in your query.
The insert time value button inserts time values into the query. Any settings selected from the timeframe section are also applied to further filter down the results of the query. So time settings from both the query and the timeframe affect the results shown, and should be used with care or you may not see all the data you were expecting.
The page timeframe is the timeframe setting a dashboard is currently using. These timeframes are all relative to the current time, for example 7 days ago until now. When a user changes the page timeframe, all tiles that have use page timeframe set will adapt to the new timeframe. (Tiles that do not have use page timeframe set (i.e. are set to specific timeframe or custom timeframe) are not affected and won't change.)
The custom option can be used to set timeframes using ISO 8601 format
SquaredUp DS does not support the week notation.
Possible scenario:
Avoid using a page timeframe shorter than the time span in the query, as this may not show any results.
Example: This search uses a fixed time span of 1 day:
search index=opp_events | timechart span=1d count by host
Timeframe setting: use page timeframe
When you set the page timeframe for the dashboard to "12 hours", the graph will be empty since there are no 24 hour results in the last 12 hours.
Solution: Instead of using a fixed time span, use the page timeframe in your search query. You can use the mustache picker to insert page timeframe values.
Example: This search uses a dynamic span with page timeframe:
The search now considers the currently set page timeframe. If the page timeframe is set to hours (like "last 12 hours"), it will search for results within a 1 hour span. If the page timeframe is set to anything else (like "last 6 months"), it will search for results within a 1 day span.
Timeframe:
The insert time value button inserts time values into the query. Any settings selected from the timeframe section are also applied to further filter down the results of the query. So time settings from both the query and the timeframe affect the results shown, and should be used with care or you may not see all the data you were expecting.
Optionally, you can set the timeframe outside of the search: Specific timeframe:
These timeframes allow you to set a fixed timeframe such as last 1 hour or last 7 days. You can use the sample relative timeframes button to get some examples for different timeframes. These timeframes are all relative to the current time, for example 7 days ago until now. Using this setting means that any change the user makes to the page timeframe is ignored.
The custom option can be used to set timeframes using ISO 8601 format
SquaredUp DS does not support the week notation.
If you used a template, SquaredUp DS inherits the timeframe you set for the search in Splunk and puts it in the timeframe field as a specific timeframe.
Possible scenario: You want to put a cap on the page timeframe that can be used, because if a search returns a lot of data, a long page timeframe like "last 6 months" would lead to long loading times.
Solution: Instead of setting the timeframe to use page timeframe, choose specific timeframe and create a limit for the page timeframe there. You can use the mustache picker to insert page timeframe values.
This specific timeframe limits the page timeframe to 7 days. If the current page timeframe is set to "last 7 days" or anything shorter than that, the search uses the page timeframe. If the current page timeframe is longer (like "last 6 months"), the search will disregard the page timeframe setting and use "last 7 days" instead.
use page timeframe: A dynamic timeframe that depends on the current page timeframe.
The page timeframe is the timeframe setting a dashboard is currently using. These timeframes are all relative to the current time, for example 7 days ago until now. When a user changes the page timeframe, all tiles that have use page timeframe set will adapt to the new timeframe. (Tiles that do not have use page timeframe set (i.e. are set to specific timeframe or custom timeframe) are not affected and won't change.)
The custom option can be used to set timeframes using ISO 8601 format
SquaredUp DS does not support the week notation.
Using page timeframe means your search query will adapt to the dynamic page timeframe.
While being able to change the timeframe dynamically brings a lot of flexibility for showing data over different timeframes in the same tile, it can also mean that some page timeframe settings are not ideal for your intended search:
The tile shows no data because the current page timeframe is too short for the fixed time span in your search query. In this case, you can use the page timeframe instead of fixed values in the search query
Possible scenario:
Avoid using a page timeframe shorter than the time span in the query, as this may not show any results.
Example: This search uses a fixed time span of 1 day:
search index=opp_events | timechart span=1d count by host
Timeframe setting: use page timeframe
When you set the page timeframe for the dashboard to "12 hours", the graph will be empty since there are no 24 hour results in the last 12 hours.
Solution: Instead of using a fixed time span, use the page timeframe in your search query. You can use the mustache picker to insert page timeframe values.
Example: This search uses a dynamic span with page timeframe:
The search now considers the currently set page timeframe. If the page timeframe is set to hours (like "last 12 hours"), it will search for results within a 1 hour span. If the page timeframe is set to anything else (like "last 6 months"), it will search for results within a 1 day span.
The loading time for the tile is very long because the current page timeframe is too long for the search query. In this case, you can use the page timeframe in the specific timeframe setting to put a cap on the page timeframe that can be used.
Possible scenario: You want to put a cap on the page timeframe that can be used, because if a search returns a lot of data, a long page timeframe like "last 6 months" would lead to long loading times.
Solution: Instead of setting the timeframe to use page timeframe, choose specific timeframe and create a limit for the page timeframe there. You can use the mustache picker to insert page timeframe values.
This specific timeframe limits the page timeframe to 7 days. If the current page timeframe is set to "last 7 days" or anything shorter than that, the search uses the page timeframe. If the current page timeframe is longer (like "last 6 months"), the search will disregard the page timeframe setting and use "last 7 days" instead.
Configure the settings for the visualization you chose:
Scalar
Font size
Allows you to set the font size of the value in the tile.
Alignment
Select the scalar text alignment. Choose from left, center or right.
Unit
Allows you to add a unit to the value displayed in the Scalar tile. For example, if your value shows a time in milliseconds, you can enter "ms" or if your value shows pageviews, you can enter "pageviews".
Value formatter
Allows you to format the value by using the mustache picker. For example, you can round the value up or down or convert it.
Color
Conditional formatting:
You can display the data in different colors based on values you define here. For example, you can display the data in green when the value is below 100 and in red when it is above 100.
Click on add to configure a condition.
Click on select color.... to open the color picker. Select the color for this condition.
Enter your condition in the field next to the color. You can use the value property and manipulate it with JavaScript String and Regex APIs. When you click on the mustache picker, you'll get some examples:
Value is greater than something, less than something, etc. For example: {{value < 10}} (The color you pick will be used if the value is less than 10)
Value is present in the result (scalar tiles only) For example: value.IndexOf('error') != -1 (The color you pick will be used if the string value "error" is present in the results)
Value matches one of the regular expressions you defined (scalar tiles only) For example: value.match(/healthy|good|up/) (The color you picked will be used if the string values are healthy, good, or up)
Display:
Here you decide how the color is used:
Tile background
Highlight the tile in the color you defined.
Text foreground
Display the text in the color you defined.
Link options
Allows you to turn the graph item(s) into links. You can either enter plain text to create a fixed link (URL always stays the same) or use dynamic properties to create a dynamic link.
Dynamic links make use of dynamic properties which are inserted as part of the URL. This creates a template URL that will be resolved to an actual URL based on the items properties.
For example, if you want to link to tickets in your ticket system and the format of the URL for tickets in your system is https://www.my-system/ticket-123, where 123 is the ticket ID, you can use the dynamic property that contains the ticket ID and enter the dynamic URL https://www.my-system/ticket-{{ticketID}}.
For scalars, you can only use the dynamic property value in dynamic links, which means the link changes when the value of the scalar changes. Since a scalar is just one item, it would also make sense to use a fixed link, for example the link to the website of which you are displaying the response time.
For status icon or bars and the rows of a grid, you usually want to use a dynamic link since you get multiple items or rows that represent different things. You can use any of the dynamic properties the mustache picker offers you.
Dynamic mustache properties and values you need to change according to your instance are highlighted in bold.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
Grid options
Row link
Allows you to turn the graph item(s) into links. You can either enter plain text to create a fixed link (URL always stays the same) or use dynamic properties to create a dynamic link.
Dynamic links make use of dynamic properties which are inserted as part of the URL. This creates a template URL that will be resolved to an actual URL based on the items properties.
For example, if you want to link to tickets in your ticket system and the format of the URL for tickets in your system is https://www.my-system/ticket-123, where 123 is the ticket ID, you can use the dynamic property that contains the ticket ID and enter the dynamic URL https://www.my-system/ticket-{{ticketID}}.
For scalars, you can only use the dynamic property value in dynamic links, which means the link changes when the value of the scalar changes. Since a scalar is just one item, it would also make sense to use a fixed link, for example the link to the website of which you are displaying the response time.
For status icon or bars and the rows of a grid, you usually want to use a dynamic link since you get multiple items or rows that represent different things. You can use any of the dynamic properties the mustache picker offers you.
Dynamic mustache properties and values you need to change according to your instance are highlighted in bold.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
Show column headers
You can choose between showing or hiding the header for all columns.
Expand rows automatically
Activate this checkbox if you want the row height to expand automatically based on the row content, for example if your grid uses increased text size, images, emojis etc.
Limit number of results displayed
You can set a limit of the initial number of results displayed in the grid. If you have set a limit and there are more results to display, users will see a "show all" button below the grid.
Font size
Use the slider to adjust the font size.
Tip for column sizing: You can change the column width directly in the grid by clicking on the divider lines between columns and dragging them to the width you want. You need to show column headers (by activating the show column headers check box) to be able to change the column width. Resizing columns while in edit mode affects how the grid looks by default when users open the dashboard. Users can temporarily change the column sizes by dragging them, but those changes only last until they leave the page.
Threshold
You can choose to apply a threshold line at a specified value, and whether you wish to fill above or below this value, or just show the line. For example, for free disk space you might want to fill below the line to highlight when space goes below a particular threshold. For processor information you might want to fill above the line to highlight when processor percentage goes above that threshold. The threshold is also shown on the drilldown view.
Max, min, avg
When drilled-down to view a graph, you can select the min, max and avgoptions for each object (displayed to the right of the graph), which displays a line cutting horizontally across the graph a each of the selected value points.
Data range
The Data Range option allows you to choose the range of data the graph will display. For line graphs, this means the data on the y-axis.
percentage
Shows 0 to 100
fit to data
Shows the data minimum to data maximum
fit to data (from zero)
Shows from 0 to the data maximum
custom
Allows you to specify the min and max
custom fit
Allows you to specify the min and max limits, so that data outside your settings will not be shown. If all the data falls within your specified ranges then the y-axis range will fit to the data rather than your caps.
Display
Height:
Allows you to set the height of the tile with a slider.
Show hover details:
Shows the value for all lines at any point you hover. There may not be a value exactly where you hover so the value is interpolated from the values either side.
Show points:
Shows where the data points are on the line. Useful to identify missing points, or detail for changing data.
Show trend
Enable the Show Trend Linestoggle to display a trend line for the line graph data. Disable the toggle to hide the trend line.
Custom colors:
You can display the data in different colors based on labels. For example, you can display data in green for a specific user.
Click on select color.... to open the color picker. Select the color for this condition.
Enter your condition in the field next to the color. You can use the label property and manipulate it with JavaScript String and Regex APIs. When you click on the mustache picker, you'll get some examples:
Condition is true if the label contains something For example: {{label.indexOf('SQL') != -1}} (The color you pick will be used if the label contains 'SQL')
Condition is true if the label contains multiple things For example: {{label.match(/C:|D:|E:/) != null}} (The color you pick will be used if the label contains 'C:', 'D:' or 'E:')
Condition is true if the label contains multiple things with multiple variations For example: {{label.match(/^[Ss]erver[0-9]+$/) != null}} (The color you pick will be used if the label is 'Server' or 'server' with a number after it)
Label
Allows you to change the label of the results.
Show legend:
Allows you to show or hide the legend of the graph.
Label:
auto
Choose this option if you want to use the default label that has been created automatically.
custom
Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
Threshold
You can choose to apply a threshold line at a specified value, and whether you wish to fill above or below this value, or just show the line. For example, for free disk space you might want to fill below the line to highlight when space goes below a particular threshold. For processor information you might want to fill above the line to highlight when processor percentage goes above that threshold. The threshold is also shown on the drilldown view.
Data range
The Data Range option allows you to choose the range of data the graph will display. For line graphs, this means the data on the y-axis.
percentage
Shows 0 to 100
fit to data
Shows the data minimum to data maximum
fit to data (from zero)
Shows from 0 to the data maximum
custom
Allows you to specify the min and max
custom fit
Allows you to specify the min and max limits, so that data outside your settings will not be shown. If all the data falls within your specified ranges then the y-axis range will fit to the data rather than your caps.
Display
Height:
Allows you to set the height of the tile with a slider.
Show hover details:
Shows the value for all lines at any point you hover. There may not be a value exactly where you hover so the value is interpolated from the values either side.
Solid bars:
Show the bars as solid color or translucent.
Custom colors:
You can display the data in different colors based on labels. For example, you can display data in green for a specific user.
Click on select color.... to open the color picker. Select the color for this condition.
Enter your condition in the field next to the color. You can use the label property and manipulate it with JavaScript String and Regex APIs. When you click on the mustache picker, you'll get some examples:
Condition is true if the label contains something For example: {{label.indexOf('SQL') != -1}} (The color you pick will be used if the label contains 'SQL')
Condition is true if the label contains multiple things For example: {{label.match(/C:|D:|E:/) != null}} (The color you pick will be used if the label contains 'C:', 'D:' or 'E:')
Condition is true if the label contains multiple things with multiple variations For example: {{label.match(/^[Ss]erver[0-9]+$/) != null}} (The color you pick will be used if the label is 'Server' or 'server' with a number after it)
Label
Allows you to change the label of the results.
Show legend:
Allows you to show or hide the legend of the graph.
Label:
auto
Choose this option if you want to use the default label that has been created automatically.
custom
Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
Data Range
The Data Range option allows you to choose the range of data the graph will display. For line graphs, this means the data on the y-axis.
percentage
Shows 0 to 100
fit to data
Shows the data minimum to data maximum
fit to data (from zero)
Shows from 0 to the data maximum
custom
Allows you to specify the min and max
custom fit
Allows you to specify the min and max limits, so that data outside your settings will not be shown. If all the data falls within your specified ranges then the y-axis range will fit to the data rather than your caps.
Sort
Sort allows you to change the order of the results displayed. You can sort by value (ascending or descending) or label (alphabetically ascending or descending).
Label
Allows you to change the label of the results.
auto
Choose this option if you want to use the default label that has been created automatically.
custom
Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
Color
multiple colors
Here you can enable or disable graph color matching.
If you turn color matching on, one item (a specific resource, object, site, anything you are displaying in your graphs) is shown in the same color in different graphs on one dashboard. You can use either color matching or custom colors (colors based on values), they cannot both be used at the same time.
custom colors
Setting colors based on values
You can display the data in different colors based on values you define here. For example, you can display the data in green when the value is below 100 and in red when it is above 100.
Click on add to configure a condition.
Click on select color.... to open the color picker. Select the color for this condition.
Enter your condition in the field next to the color. You can use the value property and manipulate it with JavaScript String and Regex APIs. When you click on the mustache picker, you'll get some examples:
Value is greater than something, less than something, etc. For example: {{value < 10}} (The color you pick will be used if the value is less than 10)
Value is present in the result (scalar tiles only) For example: value.IndexOf('error') != -1 (The color you pick will be used if the string value "error" is present in the results)
Value matches one of the regular expressions you defined (scalar tiles only) For example: value.match(/healthy|good|up/) (The color you picked will be used if the string values are healthy, good, or up)
You are able to combine value matching with label matching.
Setting colors based on labels
You can display the data in different colors based on labels. For example, you can display data in green for a specific user.
Click on select color.... to open the color picker. Select the color for this condition.
Enter your condition in the field next to the color. You can use the label property and manipulate it with JavaScript String and Regex APIs. When you click on the mustache picker, you'll get some examples:
Condition is true if the label contains something For example: {{label.indexOf('SQL') != -1}} (The color you pick will be used if the label contains 'SQL')
Condition is true if the label contains multiple things For example: {{label.match(/C:|D:|E:/) != null}} (The color you pick will be used if the label contains 'C:', 'D:' or 'E:')
Condition is true if the label contains multiple things with multiple variations For example: {{label.match(/^[Ss]erver[0-9]+$/) != null}} (The color you pick will be used if the label is 'Server' or 'server' with a number after it)
You are able to combine label matching with value matching.
Data Range
The Data Range option allows you to choose the range of data the graph will display. For line graphs, this means the data on the y-axis.
percentage
Shows 0 to 100
fit to data
Shows the data minimum to data maximum
fit to data (from zero)
Shows from 0 to the data maximum
custom
Allows you to specify the min and max
custom fit
Allows you to specify the min and max limits, so that data outside your settings will not be shown. If all the data falls within your specified ranges then the y-axis range will fit to the data rather than your caps.
Sort
Sort allows you to change the order of the results displayed. You can sort by value (ascending or descending) or label (alphabetically ascending or descending).
Value
Value formatter
Allows you to format the value by using the mustache picker. For example, you can round the value up or down or convert it.
Label
Allows you to change the label of the results.
auto
Choose this option if you want to use the default label that has been created automatically.
custom
Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
Display
Vertical:
Tick this option to show vertical bars, otherwise horizontal bars are shown.
Bar width:
Allows you to set the width of the bars with a slider.
Color
multiple colors
Here you can enable or disable graph color matching.
If you turn color matching on, one item (a specific resource, object, site, anything you are displaying in your graphs) is shown in the same color in different graphs on one dashboard. You can use either color matching or custom colors (colors based on values), they cannot both be used at the same time.
custom colors
Setting colors based on values
You can display the data in different colors based on values you define here. For example, you can display the data in green when the value is below 100 and in red when it is above 100.
Click on add to configure a condition.
Click on select color.... to open the color picker. Select the color for this condition.
Enter your condition in the field next to the color. You can use the value property and manipulate it with JavaScript String and Regex APIs. When you click on the mustache picker, you'll get some examples:
Value is greater than something, less than something, etc. For example: {{value < 10}} (The color you pick will be used if the value is less than 10)
Value is present in the result (scalar tiles only) For example: value.IndexOf('error') != -1 (The color you pick will be used if the string value "error" is present in the results)
Value matches one of the regular expressions you defined (scalar tiles only) For example: value.match(/healthy|good|up/) (The color you picked will be used if the string values are healthy, good, or up)
You are able to combine value matching with label matching.
Setting colors based on labels
You can display the data in different colors based on labels. For example, you can display data in green for a specific user.
Click on select color.... to open the color picker. Select the color for this condition.
Enter your condition in the field next to the color. You can use the label property and manipulate it with JavaScript String and Regex APIs. When you click on the mustache picker, you'll get some examples:
Condition is true if the label contains something For example: {{label.indexOf('SQL') != -1}} (The color you pick will be used if the label contains 'SQL')
Condition is true if the label contains multiple things For example: {{label.match(/C:|D:|E:/) != null}} (The color you pick will be used if the label contains 'C:', 'D:' or 'E:')
Condition is true if the label contains multiple things with multiple variations For example: {{label.match(/^[Ss]erver[0-9]+$/) != null}} (The color you pick will be used if the label is 'Server' or 'server' with a number after it)
You are able to combine label matching with value matching.
Sort
Sort allows you to change the order of the results displayed. You can sort by value (ascending or descending) or label (alphabetically ascending or descending).
Value formatter
Allows you to format the value by using the mustache picker. For example, you can round the value up or down or convert it.
Display
Size mode:
Default
Displays the donut scaled to the height of the tile.
Fill
Enlarges the donut to use the whole width of the tile. If you chose the fill option and show the legend, you can define the size of the legend with a slider.
Show legend:
Allows you to show or hide the legend of the graph.
Table or Inline:
Show the legend as a separate table or as labels pointing to the segments. When using Inline you can also hide the segment values, and use the slider to change the size of the labels.
Show zero values in legend:
Will show legend items for values of zero which are otherwise missing from the donut.
Fixed height scrollable legend:
Sets the legend to a fixed height where you can scroll through the items. This means that the tile doesn't become too large if there are many items.
Display mode:
Allows you to switch between displaying absolute values or percentages.
Color palette:
Here you can choose between different color palettes.
Note: If there are more items than colors, the colors repeat from the beginning.
Tip for displaying priorities or health states: If you want to display priorities or health states from a data source that doesn't enrich the data with information about priority or health (like the SQL tile or external APIs), use the custom color option and map the results to the correct color. This way, you can make sure that healthy or low priority results are displayed in green, unhealthy or high priority results are displayed in red, etc. If you use the color palettes Priorities, Health1, or Health2 the colors get assigned depending on how the results are sorted, which doesn't guarantee that the colors make sense for the priority or state they represent.
General
10 different colors without specific meaning
Priorities
5 different colors representing 5 different priority states
Health1
3 different colors representing 3 different health states (red=unhealthy, green=healthy, gray=unknown)
Health2
4 different colors representing 4 different health states (red=critical, orange=unhealthy, green=healthy, gray=unknown)
Pastel
10 different pastel colors without specific meaning
Blue
4 different shades of blue from dark to light
Orange
4 different shades of orange from dark to light
Green
4 different shades of green from dark to light
Pink
4 different shades of pink from dark to light
Custom
Setting colors based on values
You can display the data in different colors based on values you define here. For example, you can display the data in green when the value is below 100 and in red when it is above 100.
Click on add to configure a condition.
Click on select color.... to open the color picker. Select the color for this condition.
Enter your condition in the field next to the color. You can use the value property and manipulate it with JavaScript String and Regex APIs. When you click on the mustache picker, you'll get some examples:
Value is greater than something, less than something, etc. For example: {{value < 10}} (The color you pick will be used if the value is less than 10)
Value is present in the result (scalar tiles only) For example: value.IndexOf('error') != -1 (The color you pick will be used if the string value "error" is present in the results)
Value matches one of the regular expressions you defined (scalar tiles only) For example: value.match(/healthy|good|up/) (The color you picked will be used if the string values are healthy, good, or up)
You are able to combine value matching with label matching.
Setting colors based on labels
You can display the data in different colors based on labels. For example, you can display data in green for a specific user.
Click on select color.... to open the color picker. Select the color for this condition.
Enter your condition in the field next to the color. You can use the label property and manipulate it with JavaScript String and Regex APIs. When you click on the mustache picker, you'll get some examples:
Condition is true if the label contains something For example: {{label.indexOf('SQL') != -1}} (The color you pick will be used if the label contains 'SQL')
Condition is true if the label contains multiple things For example: {{label.match(/C:|D:|E:/) != null}} (The color you pick will be used if the label contains 'C:', 'D:' or 'E:')
Condition is true if the label contains multiple things with multiple variations For example: {{label.match(/^[Ss]erver[0-9]+$/) != null}} (The color you pick will be used if the label is 'Server' or 'server' with a number after it)
You are able to combine label matching with value matching.
Filtering behavior of Splunk
Splunk will only return results that match your search query. If data doesn't fit your search, Splunk throws those results away. This means a search like eval state=case(count > 1000, "critical") will only return results with a case count bigger than 1000. Any results with less than 1000 cases will be discarded and you'll only see "critical" blocks or icons in the tile.
Link options
item link:
Allows you to turn the graph item(s) into links. You can either enter plain text to create a fixed link (URL always stays the same) or use dynamic properties to create a dynamic link.
Dynamic links make use of dynamic properties which are inserted as part of the URL. This creates a template URL that will be resolved to an actual URL based on the items properties.
For example, if you want to link to tickets in your ticket system and the format of the URL for tickets in your system is https://www.my-system/ticket-123, where 123 is the ticket ID, you can use the dynamic property that contains the ticket ID and enter the dynamic URL https://www.my-system/ticket-{{ticketID}}.
For scalars, you can only use the dynamic property value in dynamic links, which means the link changes when the value of the scalar changes. Since a scalar is just one item, it would also make sense to use a fixed link, for example the link to the website of which you are displaying the response time.
For status icon or bars and the rows of a grid, you usually want to use a dynamic link since you get multiple items or rows that represent different things. You can use any of the dynamic properties the mustache picker offers you.
Dynamic mustache properties and values you need to change according to your instance are highlighted in bold.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
Label
Allows you to change the label of the results.
name
Choose this option if you want to use the default label that has been created automatically.
custom
Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
Sublabel
Allows you to add a sublabel of the results.
custom
Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
none
By default, no sublabels are shown.
Sort
Sort allows you to change the order of the results displayed. You can also group them by their characteristics.
default
By default, the sorting of depends on the data source. This can be alphabetical sorting or the order in which data comes back from an API request.
sort by
Sort by label, health state, or health state + availability where objects are sorted by availability (offline or maintenance mode) as well as health state. Ascending or descending
group by
Group by label, health state, or health state + availability where objects are Grouped by availability (offline or maintenance mode) as well as health state, for example Error (Available) and Error (Unavailable). Ascending or descending
Limit:
Allows you to define a maximum number of that will be shown. When 'group by' is used the limit applies to each group individually, for example to show 10 in each health state.
Image
Here you can choose one of the provided images or upload your own. Tip: If you want a different selection of maps, you can download more at https://freevectormaps.com/
Supported image formats: png, jpg, jpeg, gif, tif, tiff. svg, bmp Tip: SVG images resize best since they are vector images.
File size limit: 10MB
Image size: Images fill the size of the tile, which means you can resize the image by adjusting the tile's size. The size of the tile also depends on the screen the dashboard is being viewed on.
Icons
Here you can customize the icons on the image:
You can change the size of the icons with the slider
You can change the shape of the icons (square or circle)
You can drag the icons on the image into position
Display styles for Status icons
This setting is not done in a panel, you can change the display style even after you finished configuring the tile.
You can use toggle zoom button at the top right of the tile to change between the different ways Status icons can be displayed.
One long list
Column list
Icons only
Filtering behavior of Splunk
Splunk will only return results that match your search query. If data doesn't fit your search, Splunk throws those results away. This means a search like eval state=case(count > 1000, "critical") will only return results with a case count bigger than 1000. Any results with less than 1000 cases will be discarded and you'll only see "critical" blocks or icons in the tile.
Link options
item link:
Allows you to turn the graph item(s) into links. You can either enter plain text to create a fixed link (URL always stays the same) or use dynamic properties to create a dynamic link.
Dynamic links make use of dynamic properties which are inserted as part of the URL. This creates a template URL that will be resolved to an actual URL based on the items properties.
For example, if you want to link to tickets in your ticket system and the format of the URL for tickets in your system is https://www.my-system/ticket-123, where 123 is the ticket ID, you can use the dynamic property that contains the ticket ID and enter the dynamic URL https://www.my-system/ticket-{{ticketID}}.
For scalars, you can only use the dynamic property value in dynamic links, which means the link changes when the value of the scalar changes. Since a scalar is just one item, it would also make sense to use a fixed link, for example the link to the website of which you are displaying the response time.
For status icon or bars and the rows of a grid, you usually want to use a dynamic link since you get multiple items or rows that represent different things. You can use any of the dynamic properties the mustache picker offers you.
Dynamic mustache properties and values you need to change according to your instance are highlighted in bold.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
Label
Allows you to change the label of the results.
name
Choose this option if you want to use the default label that has been created automatically.
custom
Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
Sublabel
Allows you to add a sublabel of the results.
custom
Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens. For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format: Original property name: {{properties.name-with-hyphens.value}} New format: {{properties['name-with-hyphens'].value}}
none
By default, no sublabels are shown.
Sort
Sort allows you to change the order of the results displayed. You can also group them by their characteristics.
default
By default, the sorting of depends on the data source. This can be alphabetical sorting or the order in which data comes back from an API request.
sort by
Sort by label, health state, or health state + availability where objects are sorted by availability (offline or maintenance mode) as well as health state. Ascending or descending
group by
Group by label, health state, or health state + availability where objects are Grouped by availability (offline or maintenance mode) as well as health state, for example Error (Available) and Error (Unavailable). Ascending or descending
Limit:
Allows you to define a maximum number of that will be shown. When 'group by' is used the limit applies to each group individually, for example to show 10 in each health state.
Blocks
Here you can set the number of columns for the blocks, their height and the font size within the blocks.
Click done to save the tile. The tile now shows data according to your search.
Using page timeframe means your search query will adapt to the dynamic page timeframe.
While being able to change the timeframe dynamically brings a lot of flexibility for showing data over different timeframes in the same tile, it can also mean that some page timeframe settings are not ideal for your intended search:
The tile shows no data because the current page timeframe is too short for the fixed time span in your search query. In this case, you can use the page timeframe instead of fixed values in the search query
Possible scenario:
Avoid using a page timeframe shorter than the time span in the query, as this may not show any results.
Example: This search uses a fixed time span of 1 day:
search index=opp_events | timechart span=1d count by host
Timeframe setting: use page timeframe
When you set the page timeframe for the dashboard to "12 hours", the graph will be empty since there are no 24 hour results in the last 12 hours.
Solution: Instead of using a fixed time span, use the page timeframe in your search query. You can use the mustache picker to insert page timeframe values.
Example: This search uses a dynamic span with page timeframe:
The search now considers the currently set page timeframe. If the page timeframe is set to hours (like "last 12 hours"), it will search for results within a 1 hour span. If the page timeframe is set to anything else (like "last 6 months"), it will search for results within a 1 day span.
The loading time for the tile is very long because the current page timeframe is too long for the search query. In this case, you can use the page timeframe in the specific timeframe setting to put a cap on the page timeframe that can be used.
Possible scenario: You want to put a cap on the page timeframe that can be used, because if a search returns a lot of data, a long page timeframe like "last 6 months" would lead to long loading times.
Solution: Instead of setting the timeframe to use page timeframe, choose specific timeframe and create a limit for the page timeframe there. You can use the mustache picker to insert page timeframe values.
This specific timeframe limits the page timeframe to 7 days. If the current page timeframe is set to "last 7 days" or anything shorter than that, the search uses the page timeframe. If the current page timeframe is longer (like "last 6 months"), the search will disregard the page timeframe setting and use "last 7 days" instead.
One long list
Column list
Icons only
