Splunk Enterprise plugin
Visit our website to see the data that you can access if you use this plugin to add the data source to SquaredUp:
Monitor any events or metrics and retrieve reports from your Splunk Enterprise environment using custom SPL queries.
Note: This data source is an on-premises data source.
An on-premises data source connects a service running in your internal network to SquaredUp. It requires an agent installed on a machine that has access to your internal network.
Note: This data source is of great use in addition to other data sources. It enables you to get different kinds of data and insights about objects that have been indexed by other data sources.
How to add a Splunk Enterprise data source
Configure and deploy an agent
If you have already created an agent in SquaredUp that you can use for this data source, you can skip this step and choose the agent group you want to use while adding the data source.
Create a unique API key for your agent and add the agent to an agent group in SquaredUp.
You create an API key by creating an agent in SquaredUp:
Go to Settings > Relay and add an Agent.
Give the new agent a name and a description that helps you identify where the agent is installed. For example:
Name: server1.domain.local
Description: Test server in production domain
Choose the Agent Group for this agent:
If you already have agent groups, assign it to an existing group and click create.
If you don't have any agent groups yet or want to assign the new agent to a new group, leave the Agent Groups field empty and click create. Then create the agent group by clicking on Add Agent Group and select the new agent in the Agents field for the new group.
After you have created the agent, the API key for this agent is shown to you. Copy the key and store it until you have inserted it into the configuration of the agent you want to deploy on your machine.
The API key will only be displayed to you once. If you lose this API key, you need to generate a new one (by creating a new agent) and any references to the old API key in the configuration of the agent you deployed on your machine will need to be updated.
- The agent status will show as gray until the next stage of configuring the service is completed successfully.
Deploy the agent on a machine that has access to the service the data source connects to.
Download the latest release of the SquaredUp agent zip file, by clicking the download icon under Options next to the agent you have just added.
Prerequisites for agents
The agent needs to run on a Windows machine that has access to the entry point for the on-premises data source.
Make sure the agent is able to make outbound connections on port 443 (no inbound required) to SquaredUp, *.amazonaws.com and Microsoft APIs (Azure Relay).
Optional DNS-based restrictions: *.servicebus.windows.net
For information about Relay Agent versions see Release Notes - Relay Agent
On a Windows machine, with access to the entry point your data source needs to use, extract the downloaded zip file.
In the folder of the extracted zip file, open PowerShell as an administrator and run the following command:
./Install-SQUPAgent.ps1 -ApiKey "key" -AsService -ServiceSuffix "name" -ServiceAccount domain\username
Parameters to replace:
-ApiKey "key"
Mandatory. Replace key with the API key you created for the agent in SquaredUp.
-AsService
Recommended. Run the agent as a service on the machine.
-ServiceSuffix "name"
Optional. To change the default service name of squpagent, replace name with your new service name.
-ServiceAccount domain\username
Optional. To run the agent as a domain service account (for example, for the SCOM data source), provide the username as domain\username and it will prompt for the password when it sets up the service.
-InstallPath
Optional. Specify a folder location for where the agent will be installed. If this is not specified then the agent will be installed in the folder where the zip file is extracted. Consider restricting access to the folder where the agent is installed to prevent anyone from updating or viewing the configuration files.
Configure a domain service account using the installation script, for example:
./Install-SQUPAgent.ps1 -ApiKey "key" -AsService -ServiceAccount domain\username
where key is the API key, and domain\username is the domain service account.
Alternatively, in Services > SquaredUp Cloud Agent > Properties select the account on the Log On tab.
Use a dedicated user account for the agent's service identity. Create a special service account for this domain service account; do not use an existing user account.
The account (typically a service account) needs to have the log on as a service permission.
Adjust any permissions for the service and start the service.
How to start the agent service
You can start the agent service from Services > SquaredUp Cloud Agent, or using PowerShell using either:
Start-Service -Name <ServiceName>
where <ServiceName> should be replaced with the service name shown in brackets in the upgrade script output (or Properties of the service). For example:
Start-Service -Name squpagent
or
Start-Service -DisplayName <DisplayName>
where <DisplayName> should be replaced with the service name shown before the brackets in the upgrade script output (or Properties of the service).
How to find the agent folder location or Service name in Properties
Look at the Properties of the SquaredUp Cloud Agent service:
On the server running the agent, open Services
Scroll down to the SquaredUp Cloud Agent in the list
Right-click on the SquaredUp Cloud Agent service and then Properties
Here you can see the Service name, Display name and Path to the agent folder.
You can also start or stop the service from here.
- Check the agent status in SquaredUp Settings > Relay
Running the agent as a domain service account
By default, the SquaredUp agent service uses the local system identity, but this can be changed to a domain service account if required, for example for the SCOM data source.
Add a Splunk Enterprise data source in SquaredUp
To add a data source click on the + next to Data Sources on the left-hand menu in SquaredUp. Search for the data source and click on it to open the Configure data source page.
Display Name:
Enter a name for your data source. This helps you to identify this data source in the list of your data sources.
Agent Group:
Select the Agent Group that contains the agent(s) you want to use.
Splunk Enterprise URL:
Enter the URL for your Splunk Enterprise server.
For accessing your Splunk instance you need to enter either a token or your Splunk user name and password.
If you use a token:
Create a token in your Splunk instance and paste it in here.
If you use your Splunk user name and password:
Enter the user name and password you use to log in to your Splunk instance.
Ignore Certificate errors:
If you activate this checkbox the data source will ignore certificate errors when accessing the Splunk Enterprise server, which means the server's certificate is no longer validated.
Optionally, select whether you would like to restrict access to this data source instance. By default, restricted access is set to off.
Restrict access to this data source
The term data source here really means data source instance. For example, a user may configure two instances of the AWS data source, one for their development environment and one for production. In that case, each data source instance has its own access control settings.
By default, Restrict access to this data source is set to off. The data source can be viewed, edited and administered by anyone. If you would like to control who has access to this data source, switch Restrict access to this data source to on.
Use the Restrict access to this data source dropdown to control who has access to the workspace:
By default, the user setting the permissions for the data source will be given Full Control and the Everyone group will be given Link to workspace permissions.
Tailor access to the data source, as required, by selecting individual users or user groups from the dropdown and giving them Link to workspace or Full Control permissions.
If the user is not available from the dropdown, you are able to invite them to the data source by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp. Once the account has been created, they will gain access to the organization.
At least one user or group must be given Full Control.
Admin users can edit the configuration, modify the Access Control List (ACL) and delete the data source, regardless of the ACL chosen.
Data source access levels
Access Level: Link to workspace
- User can link the data source to any workspace they have at least Editor permissions for.
- Data from the data source can then be viewed by anyone with any access to the workspace.
- User can share the data source data with anyone they want.
- User cannot configure the data source in any way, or delete it.
Access Level: Full Control
- User can change the data source configuration, ACL, and delete the data source.
See Access control for more information.
Click Add.
You can also add a data source from Settings > Data Sources > Add data source, but sample dashboards are not added when using this method.
The data source is now added. To be able to use it, you need to create a custom Data Stream for this data source.
Using the Splunk data streams
Data streams standardize data from all the different shapes and formats your tools use into a straightforward tabular format. While creating a tile you can tweak data streams by grouping or aggregating specific columns. Depending on the kind of data, SquaredUp will automatically suggest how to visualize the result, for example as a table or line graph.
Data streams can be either global or scoped:
Global data streams are unscoped and return information of a general nature (e.g. "Get the current number of unused hosts").
A scoped data stream gets information relevant to the specific set of objects supplied in the tile scope (e.g. "Get the current session count for these hosts").
Data streams are installed with this data source.
How to create a data stream for this data source:
Create a data stream using the configurable data stream (simplest option): see Creating a data stream using a configurable data stream
Write a custom data stream (advanced use): see Writing a custom data stream (advanced users)
Creating a data stream using a configurable data stream
A configurable data stream allows you to easily create new data streams specific to your needs, by entering information into a form, such as metric names or queries. Configurable data streams have a cog icon next to their name in the tile editor.
Any data stream you create can be edited by clicking the edit button (pencil) next to it in the tile editor, and also from Settings > Advanced > Data Streams.
Reports
This data stream retrieves reports (recent single searches) from Splunk.
In the tile editor, filter by the Splunk Enterprise data source, select the Reports data stream and then click Next.
Select a report from the Report dropdown.
If the report involves a timeframe (for example, Errors in the Last 24 Hours), select the Use Timeframe checkbox.
For faster searches, we recommend leaving the Use Timeframe checkbox selected if your query doesn't specify a timeframe. Otherwise it will scan the entire dataset.
Click Save.
SPL Query
This data stream calls an API endpoint to query your Splunk instance, and allows you to enter a custom query.
In the tile editor, filter by the Splunk Enterprise data source, select the SPL Query data stream and then click Next.
You can either select the scoped SPL Query data stream or the global SPL Query data stream.
If you selected the scoped SPL Query data stream, select the objects you want to use and then click Next.
You do not need to do this if you have selected the global SPL Query data stream.
Enter a Query.
Click Save.
A mustache parameter is a dynamic value: the actual value will be inserted to replace the field in curly braces. For example, {{timeframe.start}} will insert the start time based on the timeframe configured within the tile, or {{name}} will insert the name of the object(s) in scope.
This data stream supplies scoped objects individually for mustache parameters. When there are multiple objects in scope this data source will send the query multiple times, once for each object. The results are then displayed together, for example in a single table.
You can use properties of objects and write them in between curly braces, e.g. {{name}}, to use them as mustache parameters. Whenever you use mustache parameters, you need to use a scope of objects that contain the property you're referencing.
For example, if objects of type "host" have a property called name, you can use {{name}}. This will resolve {{name}} to the value of the name property of the different "host" objects used in the scope.
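The per-object expansion described above, as an added example (not SquaredUp's own code). It assumes plain textual substitution of the fields in curly braces, and reports scoped objects that lack the referenced property or whose value contains a quote or backslash that would break the quoted SPL literal. The function names, the sample objects and the pre-flight check are assumptions made for illustration; the query is the one used in Example 1 on this page.

```python
import re

# Assumption: {{path}} fields are replaced textually, as the page describes.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")

# Characters that would end or alter a double-quoted SPL string literal.
UNSAFE_IN_QUOTED = ('"', "\\")

_MISSING = object()

# Query taken from Example 1 on this page.
PAGE_QUERY = ('search source="WinEventLog:Application" '
              '| where host = "{{name}}" | fields host,Message')

# Constructed sample scope: two usable hosts, one object without a name
# property, and one whose name contains a double quote.
SAMPLE_SCOPE = [
    {"id": "obj-1", "type": "host", "name": "web01"},
    {"id": "obj-2", "type": "host", "name": "db01"},
    {"id": "obj-3", "type": "host"},
    {"id": "obj-4", "type": "host", "name": 'rack "A" host'},
]

# Constructed timeframe value; the real format is not stated on the page.
SAMPLE_TIMEFRAME = {"start": "2024-01-01T00:00:00Z", "end": "2024-01-02T00:00:00Z"}


def lookup(context, dotted):
    """Resolve a dotted name such as 'timeframe.start' against nested dicts."""
    current = context
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return _MISSING
        current = current[part]
    return current


def render(template, context):
    """Return (query, problems) for one object's context."""
    problems = []

    def substitute(match):
        path = match.group(1)
        value = lookup(context, path)
        if value is _MISSING:
            problems.append(f"missing property: {path}")
            return match.group(0)  # leave the field visible in the output
        text = str(value)
        if any(ch in text for ch in UNSAFE_IN_QUOTED):
            problems.append(f"unsafe character in {path}: {text!r}")
        return text

    return PLACEHOLDER.sub(substitute, template), problems


def expand_for_scope(template, scope_objects, timeframe):
    """Build one query per scoped object; objects with problems are reported."""
    queries, rejected = [], []
    for obj in scope_objects:
        context = dict(obj, timeframe=timeframe)
        query, problems = render(template, context)
        if problems:
            rejected.append((obj.get("id"), problems))
        else:
            queries.append(query)
    return queries, rejected


if __name__ == "__main__":
    ok, bad = expand_for_scope(PAGE_QUERY, SAMPLE_SCOPE, SAMPLE_TIMEFRAME)
    for q in ok:
        print("send:", q)
    for obj_id, problems in bad:
        print("skip:", obj_id, problems)
```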
Writing a custom data stream (advanced users)
Go to Settings > Data Streams.
Click Add new Data Stream.
Enter a display name for your Data Stream.
Note: The display name is the name that you use to identify your Data Stream in SquaredUp. It has no technical impact and doesn't need to be referenced in the Data Stream's code.
Choose the Data Source this Data Stream is for.
After you've chosen the data source a new field Entry Point appears.
Entry point and code:
What is an entry point?
Each data stream uses an entry point, which can either be global (unscoped) or scoped, and this determines whether the data stream uses the tile scope.
To find out which entry point to select and get code examples for the Code field, see the help below.
Click Save to save your Data Stream.
Example 1: Get Windows Event Log Entries for Given Hosts
Note: This Data Stream uses Host objects which need to come from a different data source (for example, from the VMware vCenter data source), and performs a query to get Windows application log event messages.
Which entry point do I have to select from the dropdown?
Splunk Enterprise Query (Scoped)
Code example:
{
    "name": "SplunkAppEventsForHost",
    "dataSourceConfig": {
        "query": "search source=\"WinEventLog:Application\" | where host = \"{{name}}\" | fields host,Message"
    },
    "matches": {
        "type": {
            "type": "equals",
            "value": "host"
        }
    },
    "rowPath": [],
    "metadata": [
        { "name": "_indextime", "displayName": "Timestamp", "shape": "date", "role": "timestamp" },
        { "name": "host", "displayName": "Host", "shape": "string" },
        { "name": "Message", "displayName": "Message", "shape": "string", "role": "value" }
    ]
}
name
Mandatory
The internal name of the data stream. Can be used to refer to this data stream in a tile's JSON instead of using the data stream's internal ID.
dataSourceConfig
Parameters
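query | Mandatory | You can use mustache parameters in the query. What is a mustache parameter? A mustache parameter is a dynamic value: the actual value will be inserted to replace the field in curly braces. For example, {{timeframe.start}} will insert the start time based on the timeframe configured within the tile, or {{name}} will insert the name of the object(s) in scope. This data stream supplies scoped objects individually for mustache parameters. When there are multiple objects in scope this data source will send the query multiple times, once for each object. The results are then displayed together, for example in a single table. You can use properties of objects and write them in between curly braces, e.g. {{name}}, to use them as mustache parameters. Whenever you use mustache parameters, you need to use a scope of objects that contain the property you're referencing. For example, if objects of type "host" have a property called name, you can use {{name}}. This will resolve {{name}} to the value of the name property of the different "host" objects used in the scope. |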
ignoreTimeFrame | Optional You can add the What is the dashboard timeframe? The dashboard timeframe is the current timeframe setting for a dashboard. Users can change the dashboard timeframe to see data for a different time span, for example, instead of showing data from "the last 12 hours" it can be changed to show data from "the last 7 days". Tiles can be configured to:
Tip: Indicate with the name of a tile if the tile's timeframe can be changed. For example, naming a tile "Performance during the last week" tells users that this tile always shows data for the last week. Naming a tile just "Performance" indicates to users that changing the dashboard timeframe will change the data. |
matches
Parameters
Note: Defining the matches parameter is mandatory.
With the matches parameter you define for which objects the data stream will be shown in SquaredUp. It works like this:
When you configure a tile, you have to choose its scope. If this scope contains objects you specified here in the matches parameter, the data stream will be shown in SquaredUp under Data Streams. If the scope doesn't contain objects specified here, the data stream will be hidden.
This keeps things clean and simple since you'll only see the data stream when it's relevant for the scope you chose. As a best practice you should limit the data stream to objects that make sense for the specific use case of this data stream.
Format for matches:
// If you want to specify only one value of an object property
"matches": {
    "ObjectProperty": {
        "type": "equals",
        "value": "ValueOfTheObjectProperty"
    }
},
// If you want to specify multiple values for an object property
"matches": {
    "ObjectProperty": {
        "type": "oneOf",
        "values": ["ValueOfTheObjectProperty1", "ValueOfTheObjectProperty2", "ValueOfTheObjectProperty3"]
    }
},
Example for limiting a data stream to objects:
If you are using multiple values for the object property, you can decide if you want the data stream to be visible for objects that match all of the criteria or at least one of the criteria.
Let's say you have two values you want objects to have in order for the data stream to be visible for them:
- a SourceName property with the value AppDynamics (meaning objects that come from the AppDynamics data source)
- a type property with the value app (meaning application objects)
If you want the data stream to be visible only for objects that match both of the criteria, your code would look like this:
"matches": {
    "sourceName": {
        "type": "equals",
        "value": "AppDynamics"
    },
    "type": {
        "type": "equals",
        "value": "app"
    }
},
If you want the data stream to be visible for objects that match at least one of the criteria, your code would look like this:
"matches": [
    {
        "sourceName": {
            "type": "equals",
            "value": "AppDynamics"
        }
    },
    {
        "type": {
            "type": "equals",
            "value": "app"
        }
    }
]
Note: If you run into errors when configuring the matches parameter, check if you're dealing with a global entry point.
Global entry points can't use specific objects in the matches parameter. You can identify global entry points by their name: they have "Global", "No Scope" or "Unscoped" added to their name.
There are two possible options for the matches parameter for global entry points:
"matches": "none", | When creating a tile, the Data Stream will be shown as long as no scope is selected. As soon as a scope is selected, the Data Stream will be hidden. |
"matches": "all", | When creating a tile, the Data Stream will be shown as soon as any scope is selected. |
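The visibility rules for matches described above, as an added example (not SquaredUp's own code): the object form requires every listed property to match, the list form requires at least one entry to match, and the strings "none" and "all" follow the two global options. The function names and the sample scope objects are assumptions made for illustration; the two matches values are the ones shown on this page.

```python
# The "match both criteria" form from this page.
MATCH_BOTH = {
    "sourceName": {"type": "equals", "value": "AppDynamics"},
    "type": {"type": "equals", "value": "app"},
}

# The "match at least one of the criteria" form from this page.
MATCH_EITHER = [
    {"sourceName": {"type": "equals", "value": "AppDynamics"}},
    {"type": {"type": "equals", "value": "app"}},
]

# Constructed sample objects standing in for a tile scope.
SAMPLE_SCOPE = [
    {"name": "checkout", "sourceName": "AppDynamics", "type": "app"},
    {"name": "tier-1", "sourceName": "AppDynamics", "type": "tier"},
    {"name": "billing", "sourceName": "OtherSource", "type": "app"},
    {"name": "web01", "sourceName": "OtherSource", "type": "host"},
]


def condition_holds(condition, value):
    """Evaluate one property condition ("equals" or "oneOf")."""
    kind = condition.get("type")
    if kind == "equals":
        return value == condition.get("value")
    if kind == "oneOf":
        return value in condition.get("values", [])
    raise ValueError(f"unsupported condition type: {kind!r}")


def object_matches(criteria, obj):
    """Object form: every listed property must satisfy its condition."""
    return all(
        prop in obj and condition_holds(cond, obj[prop])
        for prop, cond in criteria.items()
    )


def matching_objects(matches, scope):
    """Return the scoped objects selected by an object-form or list-form matches."""
    # List form: an object is selected if any one entry matches it.
    alternatives = matches if isinstance(matches, list) else [matches]
    return [
        obj for obj in scope
        if any(object_matches(alt, obj) for alt in alternatives)
    ]


def stream_visible(matches, scope):
    """Decide whether the data stream is offered for the chosen tile scope."""
    if matches == "none":   # global: shown only while no scope is selected
        return len(scope) == 0
    if matches == "all":    # global: shown as soon as any scope is selected
        return len(scope) > 0
    return len(matching_objects(matches, scope)) > 0


if __name__ == "__main__":
    for label, rule in (("both", MATCH_BOTH), ("either", MATCH_EITHER)):
        names = [o["name"] for o in matching_objects(rule, SAMPLE_SCOPE)]
        print(label, "->", names)
```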
metadata
Parameter
Optional, but recommended
The metadata parameters are used to describe columns in order to tell SquaredUp what to do with them. You can do multiple things with the metadata parameters:
- Specify how SquaredUp should interpret the columns you return and, to an extent, how their content is displayed. You do this by giving each column a shape.
  The shape you assign to a column tells SquaredUp what the column contains (for example, a number, a date, a currency, a URL, etc.). Based on the shape SquaredUp decides how to display this column, for example to display a URL as a clickable link.
- Filter out or just hide columns.
  Only the columns you define in metadata will be returned in the results. This helps you to filter out columns you don't need. If you need the content of a column but don't want to display it, you can use the visible parameter.
- Give columns a nicely readable display name.
- Assign a specific role to columns.
  The role you assign to a column tells SquaredUp the purpose of the column. For example, if you have two different columns that contain numbers, you need to assign the role value to the column that contains the actual value you want to use in your visualization.
Note: If you don't specify any metadata, all columns will be returned and SquaredUp will do its best to determine which columns should be used for which purpose. If you're returning pretty simple data, for example just a string and a number, this can work fine. But if you're returning two columns with numbers it gets trickier for SquaredUp to figure out which one is the value and which one is just an ID or some other number.
Parameters:
Tip: Before you start specifying metadata, leave them empty at first and get all the raw data with your new data stream once. In order to do this, finish creating your custom data stream without metadata and create a tile with this data stream. The Table visualization will show you all raw data.
This will give you an overview of all columns and their content and help you decide which columns you need and what their shapes and roles should be. It's also essential for getting the correct column name to reference in the name parameter.
Use this information to go back to the data stream configuration and specify the metadata.
name | Mandatory | Enter the name of the column you are referencing here. To find the name of a column, get the data from this data stream once without any metadata. See the tip above for how to do that. You'll see the column name when you hover over the column in the Table. |
displayName | Optional | Here you can give the column a user-friendly name |
shape | Recommended | The shape you assign to a column tells SquaredUp what the column contains (for example, a number, a date, a currency, a URL, etc.). Based on the shape SquaredUp decides how to display this column, for example to display a URL as a clickable link. Note: Please refer to the list of shapes below this table to see available shapes. |
role | Recommended | The role you assign to a column tells SquaredUp the purpose of the column. For example, if you have two different columns that contain numbers, you need to assign the role value to the column that contains the actual value you want to use in your visualization. Note: Please refer to the list of roles below this table to see available roles. |
visible | Optional | Use this if you need a column's content but don't need to display the column itself. Example: Column A contains the full link to a ticket in your ticket system. Column B contains the ticket ID. You want to use the ticket ID as a label for the link, turning the long URL into a much nicer to read "Ticket 123". This is why you need the content of column B, to assign it as a label for column A. But since the URL is now displayed as the ticket ID, it would be redundant to still display column B. This is why you hide column B with |
There are many different shapes you can use for your columns and the list of possible shapes gets expanded constantly:
- Basic types, like: boolean, date, number, string
- Currency types that get displayed with two decimal values and their currency symbol (for example $23,45), like: currency (generic currency), eur, gbp, usd
- Data types, like: bytes, kilobytes, megabytes
- Time types, like: seconds, milliseconds, timespan
- The status type: state
- Utility types, like: customUnit, url (will be displayed as a link)
Tip: Some shapes can be configured. If a shape is configurable, you can edit how the shape displays data in SquaredUp.
label | A column containing user-friendly names. Line Graphs use this role to group data into series, so each label will get its own line in the Line Graph. |
link | A column containing a link that can be used as a drilldown in Status Blocks. |
timestamp | A column containing a date to use on the X-axis of a Line Graph. |
unitLabel | A column containing user-friendly labels for data series, e.g. 'Duration'. Line Graphs can use this role to label the Y-axis. |
value | A column containing the numeric value you want to use in your visualization. |
Example 2: Get Results for Saved Report
Note: This Data Stream uses the Splunk Enterprise organization object and doesn't rely on objects coming from other data sources.
Which entry point do I have to select from the dropdown?
Splunk Enterprise Query (Scoped)
Code example:
{
    "name": "SplunkRunMySavedReport",
    "dataSourceConfig": {
        "query": "| savedsearch mySavedReport | fields host,Message"
    },
    "matches": {
        "sourceType": { "type": "equals", "value": "Splunk Enterprise Organization" }
    },
    "rowPath": [],
    "metadata": [
        { "name": "_indextime", "displayName": "Timestamp", "shape": "date", "role": "timestamp" },
        { "name": "host", "displayName": "Host", "shape": "string" },
        { "name": "Message", "displayName": "Message", "shape": "string", "role": "value" }
    ]
}
name
Mandatory
The internal name of the data stream. Can be used the refer to this data stream in a tile's JSON instead of using the data stream's internal ID.
dataSourceConfig
Parameters
query | Mandatory You can use mustache parameters in the query. What is a mustache parameter? A mustache parameter is a dynamic value, the actual value will be inserted to replace the field in curly braces. For example, This data stream supplies scoped objects individually for mustache parameters. When there are multiple objects in scope this data source will send the query multiple times, once for each object. The results are then displayed together, for example in a single table. You can use properties of objects and write them in between curly braces e.g For example, if objects of type "host" have a property called |
ignoreTimeFrame | Optional You can add the What is the dashboard timeframe? The dashboard timeframe is the current timeframe setting for a dashboard. Users can change the dashboard timeframe to see data for a different time span, for example, instead of showing data from "the last 12 hours" it can be changed to show data from "the last 7 days". Tiles can be configured to:
Tip: Indicate with the name of a tile if the tile's timeframe can be changed. For example, naming a tile "Performance during the last week" tells users that this tile always shows data for the last week. Naming a tile just "Performance" indicates to users that changing the dashboard timeframe will change the data. |
matches
Parameters
Note: Defining the matches
parameter is mandatory.
With the matches
parameter you define for which objects the data stream will be shown in SquaredUp. It works like this:
When you configure a tile, you have to choose its scope. If this scope contains objects you specified here in the matches
parameter, the data stream will be shown in SquaredUp under Data Streams. If the scope doesn't contain objects specified here, the data stream will be hidden.
This keeps things clean and simple since you'll only see the data stream when it's relevant for the scope you chose. As a best practice you should limit the data stream to objects that make sense for the specific use case of this data stream.
Format for matches
:
//If you want to specify only one value of an object property//
"matches": {
"ObjectProperty": {
"type": "equals",
"value": "ValueOfTheObjectProperty"
}
},
//If you want to specify multiple values for an object property//
"matches": {
"ObjectProperty": {
"type": "oneOf",
"values": ["ValueOfTheObjectProperty1", "ValueOfTheObjectProperty2", "ValueOfTheObjectProperty3"]
}
},
Example for limiting a data stream to objects:
If you are using multiple values for the object property, you can decide if you want the data stream to be visible for objects that match all of the criteria or at least one of the criteria.
Lets say you have two values you want objects to have in order for the data stream to be visible for them:
a
SourceName
property with the valueAppDynamics
(meaning objects that come from the AppDynamics data source)a
type
property with the valueapp
(meaning application objects)
If you want the data stream to be visible only for objects that match both of the criteria, your code would look like this:
"matches": {
"sourceName": {
"type": "equals",
"value": "AppDynamics"
},
"type": {
"type": "equals",
"value": "app"
}
},
If you want the data stream to be visible for objects that match at least one of the criteria, your code would look like this:
"matches": [
{
"sourceName": {
"type": "equals",
"value": "AppDynamics"
}
},
{
"type": {
"type": "equals",
"value": "app"
}
}
]
Note: If you run into errors when configuring the matches
parameter, check if you're dealing with a global entry point.
Data streams can be either global or scoped:
Global data streams are unscoped and return information of a general nature (e.g. "Get the current number of unused hosts").
A scoped data stream gets information relevant to the specific set objects supplied in the tile scope (e.g. "Get the current session count for these hosts").
Global entry points can't use specific objects in the matches
parameter. You can identify global entry points by their name, they have "Global", "No Scope" or "Unscoped" added to their name.
There are two possible options for the matches parameter for global entry points:
"matches": "none", | When creating a tile, the Data Stream will be shown as long as no scope is selected. As soon as a scope is selected, the Data Stream will be hidden. |
"matches": "all", | When creating a tile, the Data Stream will be shown as soon as any scope is selected. |
metadata
Parameter
Optional, but recommended
The metadata
parameters are used to describe columns in order to tell SquaredUp what to do with them. You can do multiple things with the metadata
parameters:
Specify how SquaredUp should interpret the columns you return and - to an extent - how their content displayed. You do this by giving each column a shape.
The shape you assign to a column tells SquaredUp what the column contains (for example, a number, a date, a currency, a URL, etc.). Based on the shape SquaredUp decides how to display this column, for example to display a URL as a clickable link.
Filter out or just hide columns.
Only the columns you define in
metadata
will be returned in the results. This helps you to filter out columns you don't need. If you need the content of a column but don't want to display it, you can use thevisible
parameter.Give columns a nicely readable display name.
Assign a specific role to columns
The role you assign to a column tells SquaredUp the purpose of the column. For example, if you have two different columns that contain numbers, you need to assign the role
value
to the column that contains the actual value you want to use in your visualization.
Note: If you don't specify any metadata, all columns will be returned and SquaredUp will do its best to determine which columns should be used for which purpose. If you're returning pretty simple data, for example just a string and a number, this can work fine. But if you're returning two columns with numbers it gets trickier for SquaredUp to figure out which one is the value and which one is just an ID or some other number.
Parameters:
Tip: Before you start specifying metadata, leave them empty at first and get all the raw data with your new data stream once. In order to do this, finish creating your custom data stream without metadata and create a tile with this data stream. The Table visualization will show you all raw data.
This will give you an overview of all columns and their content and help you decide which columns you need and what their shapes and roles should be. It's also essential for getting the correct column name to reference in the name parameter.
Use this information to go back to the data stream configuration and specify the metadata.
name | Mandatory | Enter the name of the column you are referencing here. To find the name of a column, get the data from this data stream once without any metadata. See the tip above for how to do that. You'll see the column name when you hover over the column in the Table. |
displayName | Optional | Here you can give the column a user-friendly name |
shape | Recommended | The shape you assign to a column tells SquaredUp what the column contains (for example, a number, a date, a currency, a URL, etc.). Based on the shape SquaredUp decides how to display this column, for example to display a URL as a clickable link. Note: Please refer to the list of shapes below this table to see available shapes. |
role | Recommended | The role you assign to a column tells SquaredUp the purpose of the column. For example, if you have two different columns that contain numbers, you need to assign the role value to the column that contains the actual value you want to use in your visualization. Note: Please refer to the list of roles below this table to see available roles. |
visible | Optional | Use this if you need a column's content but don't need to display the column itself. Example: Column A contains the full link to a ticket in your ticket system. Column B contains the ticket ID. You want to use the ticket ID as a label for the link, turning the long URL into a much nicer to read "Ticket 123". This is why you need the content of column B, to assign it as a label for column A. But since the URL is now displayed as the ticket ID, it would be redundant to still display column B. This is why you hide column B with |
There are many different shapes you can use for your columns and the list of possible shapes gets expanded constantly:
Basic types, like: boolean, date, number, string
Currency types that get displayed with two decimal values and their currency symbol (for example $23,45), like: currency (generic currency), eur, gbp, usd
Data types, like: bytes, kilobytes, megabytes
Time types, like: seconds, milliseconds, timespan
The status type: state
Utility types, like: customUnit, url (will be displayed as a link)
Tip: Some shapes can be configured. If a shape is configurable, you can edit how the shape displays data in SquaredUp.
label | A column containing user-friendly names. Line Graphs use this role to group data into series, so each label will get its own line in the Line Graph. |
link | A column containing a link that can be used as a drilldown in Status Blocks. |
timestamp | A column containing a date to use on the X-axis of a Line Graph. |
unitLabel | A column containing user-friendly labels for data series, e.g. ‘Duration’. Line Graphs can use this role to label the Y-axis. |
value | A column containing the numeric value you want to use in your visualization. |
Example 3: Get Time-Series Data for Metric
Note: This Data Stream uses the Splunk Enterprise organization object and doesn't rely on objects coming from other data sources.
Which entry point do I have to select from the dropdown?
Splunk Enterprise Query (Scoped)
Code example:
{
  "name": "SplunkMpoolUsedMetric",
  "dataSourceConfig": {
    "query": "| mstats avg(\"spl.mlog.mpool.used\") WHERE \"index\"=\"_metrics\" span=60s chart=true"
  },
  "matches": {
    "sourceType": { "type": "equals", "value": "Splunk Enterprise Organization" }
  },
  "rowPath": [],
  "metadata": [
    { "name": "_time", "displayName": "Timestamp", "shape": "date", "role": "timestamp" },
    { "name": "avg(spl.mlog.mpool.used)", "displayName": "Value", "shape": "number", "role": "value" }
  ]
}
name
Mandatory
The internal name of the data stream. Can be used to refer to this data stream in a tile's JSON instead of using the data stream's internal ID.
dataSourceConfig
Parameters
query | Mandatory | You can use mustache parameters in the query. What is a mustache parameter? A mustache parameter is a dynamic value, the actual value will be inserted to replace the field in curly braces. For example, This data stream supplies scoped objects individually for mustache parameters. When there are multiple objects in scope this data source will send the query multiple times, once for each object. The results are then displayed together, for example in a single table. You can use properties of objects and write them in between curly braces e.g For example, if objects of type "host" have a property called |
ignoreTimeFrame | Optional | You can add the What is the dashboard timeframe? The dashboard timeframe is the current timeframe setting for a dashboard. Users can change the dashboard timeframe to see data for a different time span, for example, instead of showing data from "the last 12 hours" it can be changed to show data from "the last 7 days". Tiles can be configured to:
Tip: Indicate with the name of a tile if the tile's timeframe can be changed. For example, naming a tile "Performance during the last week" tells users that this tile always shows data for the last week. Naming a tile just "Performance" indicates to users that changing the dashboard timeframe will change the data. |
matches
Parameters
Note: Defining the matches parameter is mandatory.
With the matches parameter you define for which objects the data stream will be shown in SquaredUp. It works like this:
When you configure a tile, you have to choose its scope. If this scope contains objects you specified here in the matches parameter, the data stream will be shown in SquaredUp under Data Streams. If the scope doesn't contain objects specified here, the data stream will be hidden.
This keeps things clean and simple since you'll only see the data stream when it's relevant for the scope you chose. As a best practice you should limit the data stream to objects that make sense for the specific use case of this data stream.
Format for matches:
// If you want to specify only one value of an object property
"matches": {
  "ObjectProperty": {
    "type": "equals",
    "value": "ValueOfTheObjectProperty"
  }
},
// If you want to specify multiple values for an object property
"matches": {
  "ObjectProperty": {
    "type": "oneOf",
    "values": ["ValueOfTheObjectProperty1", "ValueOfTheObjectProperty2", "ValueOfTheObjectProperty3"]
  }
},
Example for limiting a data stream to objects:
If you are using multiple values for the object property, you can decide if you want the data stream to be visible for objects that match all of the criteria or at least one of the criteria.
Let's say you have two values you want objects to have in order for the data stream to be visible for them:
a SourceName property with the value AppDynamics (meaning objects that come from the AppDynamics data source)
a type property with the value app (meaning application objects)
If you want the data stream to be visible only for objects that match both of the criteria, your code would look like this:
"matches": {
  "sourceName": {
    "type": "equals",
    "value": "AppDynamics"
  },
  "type": {
    "type": "equals",
    "value": "app"
  }
},
If you want the data stream to be visible for objects that match at least one of the criteria, your code would look like this:
"matches": [
  {
    "sourceName": {
      "type": "equals",
      "value": "AppDynamics"
    }
  },
  {
    "type": {
      "type": "equals",
      "value": "app"
    }
  }
]
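The matching rules described above, modelled as an added example (not SquaredUp's own code): the object form requires every listed property to match, the array form requires one matching entry, and the stream is visible when the tile scope contains a matching object. The function names, the scope objects and the OtherSource value are assumptions of this example; the string forms used for global entry points are not handled here.

```python
def criterion_holds(criterion, value):
    """Test one object property against an 'equals' or 'oneOf' criterion."""
    kind = criterion.get("type")
    if kind == "equals":
        return value == criterion["value"]
    if kind == "oneOf":
        return value in criterion["values"]
    raise ValueError(f"unsupported match type: {kind!r}")


def object_matches(matches, obj):
    """Object form: every listed property must match (all criteria).
    Array form: one matching entry is enough (at least one criterion)."""
    if isinstance(matches, list):
        return any(object_matches(entry, obj) for entry in matches)
    if not isinstance(matches, dict) or not matches:
        # Assumption: an empty or non-object entry is a configuration error.
        raise ValueError("matches needs at least one object property")
    return all(criterion_holds(c, obj.get(prop)) for prop, c in matches.items())


def stream_visible(matches, scope):
    """The stream is shown when the tile scope contains a matching object."""
    return any(object_matches(matches, obj) for obj in scope)


# Constructed scope objects; property names follow the page's examples.
APPD_APP = {"sourceName": "AppDynamics", "type": "app"}
APPD_HOST = {"sourceName": "AppDynamics", "type": "host"}
OTHER_HOST = {"sourceName": "OtherSource", "type": "host"}

BOTH = {"sourceName": {"type": "equals", "value": "AppDynamics"},
        "type": {"type": "equals", "value": "app"}}
EITHER = [{"sourceName": {"type": "equals", "value": "AppDynamics"}},
          {"type": {"type": "equals", "value": "app"}}]
ONE_OF = {"type": {"type": "oneOf", "values": ["app", "host"]}}

if __name__ == "__main__":
    for label, rule in (("both", BOTH), ("either", EITHER), ("oneOf", ONE_OF)):
        print(label, [stream_visible(rule, [o]) for o in (APPD_APP, APPD_HOST, OTHER_HOST)])
```

An object that lacks a property named in matches simply fails that criterion, so a scope of unrelated objects hides the stream rather than raising an error.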
Note: If you run into errors when configuring the matches parameter, check if you're dealing with a global entry point.
Data streams can be either global or scoped:
Global data streams are unscoped and return information of a general nature (e.g. "Get the current number of unused hosts").
A scoped data stream gets information relevant to the specific set of objects supplied in the tile scope (e.g. "Get the current session count for these hosts").
Global entry points can't use specific objects in the matches parameter. You can identify global entry points by their name: they have "Global", "No Scope" or "Unscoped" added to their name.
There are two possible options for the matches parameter for global entry points:
"matches": "none", | When creating a tile, the Data Stream will be shown as long as no scope is selected. As soon as a scope is selected, the Data Stream will be hidden. |
"matches": "all", | When creating a tile, the Data Stream will be shown as soon as any scope is selected. |
metadata
Parameter
Optional, but recommended
The metadata parameters are used to describe columns in order to tell SquaredUp what to do with them. You can do multiple things with the metadata parameters:
Specify how SquaredUp should interpret the columns you return and - to an extent - how their content is displayed. You do this by giving each column a shape.
The shape you assign to a column tells SquaredUp what the column contains (for example, a number, a date, a currency, a URL, etc.). Based on the shape SquaredUp decides how to display this column, for example to display a URL as a clickable link.
Filter out or just hide columns.
Only the columns you define in metadata will be returned in the results. This helps you to filter out columns you don't need. If you need the content of a column but don't want to display it, you can use the visible parameter.
Give columns a nicely readable display name.
Assign a specific role to columns.
The role you assign to a column tells SquaredUp the purpose of the column. For example, if you have two different columns that contain numbers, you need to assign the role value to the column that contains the actual value you want to use in your visualization.
Note: If you don't specify any metadata, all columns will be returned and SquaredUp will do its best to determine which columns should be used for which purpose. If you're returning pretty simple data, for example just a string and a number, this can work fine. But if you're returning two columns with numbers it gets trickier for SquaredUp to figure out which one is the value and which one is just an ID or some other number.
Parameters:
Tip: Before you start specifying metadata, leave them empty at first and get all the raw data with your new data stream once. In order to do this, finish creating your custom data stream without metadata and create a tile with this data stream. The Table visualization will show you all raw data.
This will give you an overview of all columns and their content and help you decide which columns you need and what their shapes and roles should be. It's also essential for getting the correct column name to reference in the name parameter.
Use this information to go back to the data stream configuration and specify the metadata.
name | Mandatory | Enter the name of the column you are referencing here. To find the name of a column, get the data from this data stream once without any metadata. See the tip above for how to do that. You'll see the column name when you hover over the column in the Table. |
displayName | Optional | Here you can give the column a user-friendly name |
shape | Recommended | The shape you assign to a column tells SquaredUp what the column contains (for example, a number, a date, a currency, a URL, etc.). Based on the shape SquaredUp decides how to display this column, for example to display a URL as a clickable link. Note: Please refer to the list of shapes below this table to see available shapes. |
role | Recommended | The role you assign to a column tells SquaredUp the purpose of the column. For example, if you have two different columns that contain numbers, you need to assign the role value to the column that contains the actual value you want to use in your visualization. Note: Please refer to the list of roles below this table to see available roles. |
visible | Optional | Use this if you need a column's content but don't need to display the column itself. Example: Column A contains the full link to a ticket in your ticket system. Column B contains the ticket ID. You want to use the ticket ID as a label for the link, turning the long URL into a much nicer to read "Ticket 123". This is why you need the content of column B, to assign it as a label for column A. But since the URL is now displayed as the ticket ID, it would be redundant to still display column B. This is why you hide column B with |
There are many different shapes you can use for your columns and the list of possible shapes gets expanded constantly:
Basic types, like: boolean, date, number, string
Currency types that get displayed with two decimal values and their currency symbol (for example $23,45), like: currency (generic currency), eur, gbp, usd
Data types, like: bytes, kilobytes, megabytes
Time types, like: seconds, milliseconds, timespan
The status type: state
Utility types, like: customUnit, url (will be displayed as a link)
Tip: Some shapes can be configured. If a shape is configurable, you can edit how the shape displays data in SquaredUp.
label | A column containing user-friendly names. Line Graphs use this role to group data into series, so each label will get its own line in the Line Graph. |
link | A column containing a link that can be used as a drilldown in Status Blocks. |
timestamp | A column containing a date to use on the X-axis of a Line Graph. |
unitLabel | A column containing user-friendly labels for data series, e.g. ‘Duration’. Line Graphs can use this role to label the Y-axis. |
value | A column containing the numeric value you want to use in your visualization. |
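A check to run on a data stream definition before saving it, as an added example (not SquaredUp's own code): it applies the mandatory-parameter rules and the role list from this page, and compares each metadata name with the column names seen in a run without metadata. The name lint_stream, the _span column and the NUMERIC_SHAPES grouping are assumptions of this example.

```python
# Roles listed on this page; shapes are not checked because that list keeps growing.
PAGE_ROLES = {"label", "link", "timestamp", "unitLabel", "value"}
# Assumption of this example: the page's shapes that hold plain numbers.
NUMERIC_SHAPES = {"number", "bytes", "kilobytes", "megabytes", "seconds", "milliseconds"}

def lint_stream(definition, raw_columns):
    """Return findings; raw_columns are the names seen in a run without metadata."""
    findings = []
    if not definition.get("name"):
        findings.append("name is mandatory")
    if not definition.get("dataSourceConfig", {}).get("query"):
        findings.append("dataSourceConfig.query is mandatory")
    if "matches" not in definition:
        findings.append("matches is mandatory")
    metadata = definition.get("metadata", [])
    for i, col in enumerate(metadata):
        name, role = col.get("name"), col.get("role")
        if not name:
            findings.append(f"metadata[{i}]: name is mandatory")
        elif name not in raw_columns:
            findings.append(f"metadata[{i}]: no raw column named {name!r}")
        if role is not None and role not in PAGE_ROLES:
            findings.append(f"metadata[{i}]: role {role!r} is not listed on this page")
    numeric = [c for c in metadata if c.get("shape") in NUMERIC_SHAPES]
    if len(numeric) > 1 and not any(c.get("role") == "value" for c in numeric):
        findings.append("several numeric columns, none has the role 'value'")
    return findings

# Constructed sample: column names as the Table might show them for Example 3.
RAW_COLUMNS = ["_time", "_span", "avg(spl.mlog.mpool.used)"]
EXAMPLE_3 = {
    "name": "SplunkMpoolUsedMetric",
    "dataSourceConfig": {"query": '| mstats avg("spl.mlog.mpool.used") WHERE "index"="_metrics" span=60s chart=true'},
    "matches": {"sourceType": {"type": "equals", "value": "Splunk Enterprise Organization"}},
    "metadata": [
        {"name": "_time", "displayName": "Timestamp", "shape": "date", "role": "timestamp"},
        {"name": "avg(spl.mlog.mpool.used)", "displayName": "Value", "shape": "number", "role": "value"},
    ],
}
# Constructed mistakes: name copied from the query text (quotes included), misspelt role.
BROKEN = dict(EXAMPLE_3, metadata=[
    {"name": 'avg("spl.mlog.mpool.used")', "shape": "number", "role": "value"},
    {"name": "_span", "shape": "seconds", "role": "values"},
])

if __name__ == "__main__":
    print(lint_stream(EXAMPLE_3, RAW_COLUMNS))
    print(*lint_stream(BROKEN, RAW_COLUMNS), sep="\n")
```

Because only the columns named in metadata are returned, a name that does not match a raw column exactly is the mistake most worth catching before the stream is used in a tile.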