Splunk ships with some really neat visualisation options. From bar charts to gauges. Though sometimes they just don’t fit your requirements.

Wether that be something as simple as an custom icon or a super-slick D3 visualisation, Splunk’s framework makes it really easy to display your data in many number of ways.

One of the things I get asked a lot is: “Can we have a traffic light?”. The answer – yes! Let me show you how to light Splunk up in this post.

The Basics

You might have used Splunk’s built in rangemap command. It’s pretty awesome. You can group results based on defined ranges within your search. For example:

... | rangemap field=count low=0-0 elevated=1-100 default=severe

This example sets the value of each event’s range field to “low” if its count field is 0 (zero); “elevated”, if between 1-100; “severe”, otherwise.

Using rangemap we now have a great foundation to start playing with how the search results are displayed.

For example, using a Single Value Panel in a dashboard you can add colour to the value depending on it’s severity. Red for bad, green for good. You get the idea.

Splunk will do this automatically when you use the default ranges (low, guarded, elevated, high and severe) because the default Splunk CSS has already mapped these categories to the colours: green, blue, yellow, orange and red, respectively.

You can make your own categories by editing the application.css for a particular app. For example this defines a colour for a Single Value Panel:

.SingleValue .purple { background-color: #660066; color: #ffffff; }

Here we have defined a CSS class that can be referred to by the range name purple (i.e purple=100-200).

Just remember that you will need to edit the dashboard Single Value Panel XML to make the colour show up. In simple XML:

<option name = "classField" > range </option>

You promised traffic lights!

The next step is to associate an image to a range. We can do this in CSS like this:

.single-value { background-repeat: no-repeat; padding-left: 60px; /* Push the text over so that it doesn't sit on top of the image. Change this according to the dimensions of your image. */ padding-top: 40px; height:100px; } .single-value.low{ background-image: url('green-light-39x100.png'); /* Replace with your image. See http://goo.gl/yxW7O */ }

Save the stylesheet and traffic light image in:

$APPHOME > appserver > static

Then all you need to do is reference the stylesheet in your dashboards XML:

<dashboard stylesheet="YOUR_STYLESHEET_NAME.css">

This code will show the image “green-light-39×100.png: in a single value panel when the result is within the specified low range.

To use more lights than just green we just need to add new images to the other range classes. This will switch the image displayed as the output value moves between ranges.

To make things easier for you: I’ve packaged all the setup instructions and example code into an app you can clone to build your own apps from. You can grab it here.

Once you’ve made it through the traffic

You should also download the Dashboard Examples app. This app contains guided instructions on how to build tons of new visualisations and views into your Splunk dashboards.

----------------------------------------------------

Thanks!

David Greenwood