How to use the Splunk tile
About Splunk tiles
Splunk tiles offer you an easy way to display data from your Splunk instance in a Dashboard Server dashboard.
A Connect edition license (or above) is required for this feature. To upgrade please contact sales@squaredup.com.
How to configure a Splunk tile
If you don't already have a Splunk provider, you need to create one before you can configure a Splunk tile (How to add a Splunk provider).
Add a new tile to a dashboard and choose the Splunk tile.
Select the visualization for your Splunk tile and click next.
Scalar: A single value such as a number of customers or incidents.
Grid: A table of data, for example incidents or tickets.
Tip: You can turn the individual rows into links in the settings. For example, if you're displaying tickets in your grid, you can link the rows to the ticket in your external ticket system.
Did you know? Since Dashboard Server 5.4 users can search the grid, and temporarily change the column size and sorting of the grid (by clicking on the column headers) without having to access the settings. They can also expand a row by clicking on the three dots at the end of each row if cells are too small to show their entire content.
Line Graph: Shows data over time, in a graph with an x-axis (time) and a y-axis. You can show several objects, such as servers, in one graph.
Sparklines: Shows data over time (like line graphs), but each item gets its own graph instead of showing all lines in one graph.
Bar Graph: Visualizes both a number and the resulting bar width based on the number value.
Donut: Shows the results in a donut shape.
Status Icons: Shows the state of items as icons with different colors. You can display just the icons or together with a description. You can also use a background image and drag the icons into position on the image.
Status Blocks: Shows the state of items as blocks with different colors.
Scope:
Select the scope for your tile (optional).
Scope options on dashboards
Tip: If you experience any problems with scoping tiles, you'll find FAQs and help in the article How to scope tiles.
Note: By default, results are shown across all subscriptions (unless the subscription option is chosen to specify only one or more subscriptions).
Filter by tenant: By default, results are shown across all tenants. In Dashboard Server 4.7 and above, a user who has access to multiple tenants will see a filter by tenant option.
If you see the message "You do not have access to all of the tenants currently selected" or "Tenant ID could not be resolved"
In a multi-tenant environment, a user who does not have access to all tenants will see this message if they attempt to edit a scope containing tenants that they do not have access to. This may be because:
- One Dashboard Server admin has added a tile scoped to tenants that other Dashboard Server admins do not have permissions to.
- The customer/tenant is no longer serviced by this Customer Service Provider (CSP), so the tenant has been permanently removed for all Dashboard Server admins.
Symptoms
A tile scope shows:
"You do not have access to all of the tenants currently selected. Click here to reset which will remove those tenants from the scope."
Tenants the user does not have access to show as:
"Tenant ID could not be resolved"
Procedure
The message warns users that they do not have permissions to all the tenants in the scope.
If the user chooses to reset, and therefore edit the scope, the tenants that they do not have access to will be removed. If saved, this scope will also have those tenants removed for users who do have access to them.
It is not possible for the user to edit the scope without those tenants being removed from the scope.
Where a tenant has been removed permanently you may wish to reset the scope to remove the unresolvable tenants.
List: List allows you to select several individual items to show.
You can add multiple items. To remove an item, click the x to the right of its name.
Tip: Start typing and after two characters you'll see suggestions that match the name appear.
Note: It depends on the tile what happens when you select more than one item. For example, when you select two virtual machines for a Status tile, you'll see the status of those VMs individually. When you select two virtual machines for a Cost Management tile, you'll see the cost for the two VMs added together.
Resource group: Select one or more resource groups.
Filter by type:
Tick filter by type to only show resources of a particular type within the chosen resource group.
Subscription: Select one or more subscriptions from the dropdown box if you wish to restrict results to only one or more subscriptions. When this is not used, results are shown across all subscriptions.
Filter by type:
Tick filter by type to only show resources of a particular type within the chosen subscription.
Tags: Select items with a particular tag. Add the tag name and the tag value you want to use to search for. If you select multiple tags, the search automatically 'ANDs' the tags, which means the scope only contains items which are tagged with all the tags listed.
Filter by type:
Tick filter by type to only show resources of a particular type within the chosen tag(s).
Type: Scope type can be used to show all resources of a particular type, for example all databases across all subscriptions, by typing databases and selecting SQL databases.
Show hidden types: This works in the same way as the Show hidden types option in the Azure portal.
Hidden types include some ancillary resources which are created/managed by Azure infrastructure. It might be useful to display these resources when cleaning up your resource groups or subscriptions.
Scope options on perspectives
Note: If you have never used a perspective, you should read Working with perspectives before scoping tiles on perspectives.
The power of perspectives is that tiles on a perspective can use a dynamic scope. A dynamic scope considers the currently viewed resource. A dynamic scope consists of two different states:
- the configuration of the scope in the tile (for example, "consider child objects of type logical disk for the currently viewed object")
- the actual resolved scope that depends on which resource you are currently viewing ("this object has 5 child objects of type logical disk")
After configuring the dynamic scope once in the tile, you'll get different results depending on how the scope is resolved on the different resources you are viewing.
On perspectives, you can scope tiles to:
this resource (only on perspectives for resources): The tile's scope will be resolved to the resource that is currently viewed.
child resources (only on perspectives for resource groups and subscriptions): When you select this option, the scope of the tile will be resolved to all resources that are in the group or subscription that is currently viewed.
If you want to narrow the scope down to a specific type of resource in the group or subscription, you can filter for one specific type of resource.
other resources: Gives you the normal, non-dynamic scope options you are used to when scoping tiles on dashboards. This means the tile will not dynamically adapt its content to the currently viewed resource; it will always show data for the static resource picked here.
Since the power of perspectives is that their tiles can show data for different resources depending on what resource is currently being viewed, you should only select this option when you are sure that there is no relationship between the desired scope and the currently viewed resource.
Note for selecting the scope for Status Icons or Blocks: When you select a resource group in the resource group section, the status for resources within that resource group will be shown.
Provider:
Select your Splunk provider from the select provider drop-down and click next.
You can only use providers of the same type as the tile. Providers of other types won't be shown in the select provider drop-down.
Search:
Enter your Splunk search query using the Search Processing Language (SPL).
Queries for Scalars
Since you want to display a single value, make sure that your search query returns a single row with a single value. If your query returns multiple columns, Dashboard Server will pick one of them. If your query returns multiple rows, Dashboard Server counts the number of rows and displays the result as the value.
Tip for better performance: If you want to display the number of rows, use your Splunk search query to count the rows instead of letting Dashboard Server count them.
Queries for Grids
There are no special requirements for Splunk search queries for grids.
Tip:
For some search queries, Splunk adds additional columns (system fields) to your search results, which you usually don't need. You can hide them by putting | fields - _* in your search query. This way, you don't have to hide them all manually in the grid column settings.
Example:
You need to replace my_index with the name of your index.
search index=my_index | fields - _*
Queries for Line Graphs
The return data must include a column called _time. Most common Splunk commands for time series data (like bin, timechart, xyseries, etc.) produce a _time column.
Example:
You need to replace my_index with the name of your index.
search index=my_index | timechart span=1h count by host
Queries for Sparklines
The return data must include a column called _time. Most common Splunk commands for time series data (like bin, timechart, xyseries, etc.) produce a _time column.
Example:
You need to replace my_index with the name of your index.
search index=my_index | timechart span=1h count by host
Queries for Bar Graphs
There are no special requirements for Splunk search queries for Bar Graphs.
Queries for Donuts
There are no special requirements for Splunk search queries for Donuts.
Queries for Status Icons and Blocks
The return data must include a state column which must contain the following values: healthy, critical, and/or warning (the values are not case-sensitive). Any other values will result in state unknown.
The state values define the color of the status icons or blocks:
Healthy: green
Warning: yellow
Critical: red
Unknown: gray
Filtering behavior of Splunk
Splunk will only return results that match your search query. If data doesn't fit your search, Splunk throws those results away. This means a search like eval state=case(count > 1000, "critical") will only return results with a case count bigger than 1000. Any results with less than 1000 cases will be discarded and you'll only see "critical" blocks or icons in the tile.
Example:
You need to replace my_index with the name of your index.
search index=my_index | stats count by host | eval state=if(count > 1000,"critical","healthy")
templates button:
Allows you to import searches that are saved in your Splunk instance.
Which templates are available in a Splunk tile depends on the permissions of the Splunk user account that is used in the configuration of the Splunk provider. Any search queries that this user can access in Splunk (for example, queries in saved searches, Splunk reports, dashboards, etc.) are visible as templates in Splunk tiles. For example, if you used Splunk User A for the configuration of Splunk provider A, a Splunk tile that uses Splunk provider A will show all templates that are visible to Splunk User A in Splunk.
mustache picker:
You can use the mustache picker to use the page timeframe in your search queries.
If you defined a scope, you can use the mustache picker to insert values that refer only to the defined scope.
What is the page timeframe?
The page timeframe is the timeframe setting a dashboard or perspective is currently using. When a user changes the page timeframe, all tiles that use the page timeframe will adapt to the new timeframe. Tiles that don't use the dynamic page timeframe aren't affected and won't change.
Using the page timeframe in the search query
Possible scenario:
You want to prevent a page timeframe shorter than the time span in the search query from being used, because in that case the graph would show no results.
Example:
This search uses a fixed time span of 1 day:
search index=opp_events | timechart span=1d count by host
Timeframe setting: use page timeframe
When you set the page timeframe for the dashboard to "12 hours", the graph will be empty since there are no 24 hour results in the last 12 hours.
Solution:
Instead of using a fixed time span, use the page timeframe in your search query. You can use the mustache picker to insert page timeframe values.
Example:
This search uses a dynamic span with page timeframe:
Search query: search index=opp_events | timechart span={{timeframe.isoDuration.startsWith("PT") ? '1h' : '1d'}} count by host
Timeframe setting: use page timeframe
The search now considers the currently set page timeframe. If the page timeframe is set to hours (like "last 12 hours"), it will search for results within a 1 hour span. If the page timeframe is set to anything else (like "last 6 months"), it will search for results within a 1 day span.
Using the scope in the search query
Values that refer to the defined scope carry the prefix scope. before the value. For example, you can use the value {{scope[0].displayName}} for the name of the first item in your scope. You can manipulate the values with JavaScript syntax. For example, if you want to insert a quoted, comma-separated list of displayNames from every item in the scope, you can use {{scope.map(item => '"'+item.displayName+'"').join(',')}}
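The quoted list that the scope expression produces, and what happens to it when a display name itself contains a double quote or a backslash, as an added example (not code from Dashboard Server). The scope items are constructed, the names pageList, splQuote, escapedList, parseQuotedList and buildSearch are hypothetical, and the example assumes that a backslash escapes a character inside a double-quoted SPL string and that the mustache field accepts String.replace.

```javascript
// Page expression, unchanged: scope.map(item => '"'+item.displayName+'"').join(',')
const pageList = (scope) => scope.map(item => '"' + item.displayName + '"').join(',');

// Variant that escapes backslashes first, then double quotes, before quoting.
// Assumption: SPL treats \" and \\ inside a quoted string as literal characters.
const splQuote = (value) =>
  '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
const escapedList = (scope) => scope.map(item => splQuote(item.displayName)).join(',');

// Read a comma-separated list of double-quoted terms back into its terms.
// Returns null when the text is not a well-formed list.
function parseQuotedList(list) {
  const terms = [];
  let i = 0;
  while (i < list.length) {
    if (list[i] !== '"') return null;          // every term must open with a quote
    i++;
    let term = "";
    while (i < list.length && list[i] !== '"') {
      if (list[i] === "\\" && i + 1 < list.length) i++; // keep the escaped character
      term += list[i++];
    }
    if (i >= list.length) return null;          // unterminated term
    i++;                                        // closing quote
    terms.push(term);
    if (i < list.length) {
      if (list[i] !== ",") return null;         // text after a closing quote
      i++;
      if (i >= list.length) return null;        // trailing comma
    }
  }
  return terms;
}

// Hypothetical search using the page's my_index placeholder and the host field.
const buildSearch = (scope) => `search index=my_index host IN (${escapedList(scope)})`;

// Constructed scope items; only displayName is used.
const sampleScope = [
  { displayName: "web-01" },
  { displayName: 'SQL "prod" cluster' },
  { displayName: "C:\\share" },
];

console.log(pageList(sampleScope));                   // second term is cut at the inner quote
console.log(parseQuotedList(pageList(sampleScope)));  // not a well-formed list
console.log(escapedList(sampleScope));
console.log(parseQuotedList(escapedList(sampleScope)));
console.log(buildSearch(sampleScope));

// The same escaping written as a mustache expression (assumption, see lead-in):
// {{scope.map(item => '"'+item.displayName.replace(/\\/g,'\\\\').replace(/"/g,'\\"')+'"').join(',')}}
```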
Timeframe:
Here you set the timeframe for your search:
specific timeframe:
A fixed timeframe for the search. You can use the timeframe button to get some examples for different timeframes. If you want to create your own timeframe, use the Splunk syntax for timeframes.
If you used a template, Dashboard Server inherits the timeframe you set for the search in Splunk and puts it in the timeframe field as a specific timeframe.
You can use the mustache picker to use page timeframe values in the specific timeframe field.
What is the page timeframe?
The page timeframe is the timeframe setting a dashboard or perspective is currently using. When a user changes the page timeframe, all tiles that use the page timeframe will adapt to the new timeframe. Tiles that don't use the dynamic page timeframe aren't affected and won't change.
Using the page timeframe in the specific timeframe field
Possible scenario:
You want to put a cap on the page timeframe that can be used, because if a search returns a lot of data, a long page timeframe like "last 6 months" would lead to long loading times.
Solution:
Instead of setting the timeframe to use page timeframe, choose specific timeframe and create a limit for the page timeframe there. You can use the mustache picker to insert page timeframe values.
Example:
timeframe setting: specific timeframe
{{timeframe.unixStart < Date.now()-(86400*7*1000) ? '-7d' : timeframe.isoStart}}
This specific timeframe limits the page timeframe to 7 days. If the current page timeframe is set to "last 7 days" or anything shorter than that, the search uses the page timeframe. If the current page timeframe is longer (like "last 6 months"), the search will disregard the page timeframe setting and use "last 7 days" instead.
If you defined a scope, you can use the mustache picker to create a specific timeframe that considers the scope.
Using the scope in the specific timeframe field
If you defined a scope, you can use the mustache picker to insert values that refer only to the defined scope.
Using the scope with fixed values
You can use fixed values for creating a specific timeframe that considers the scope.
Example:
You want to create a timeframe that considers how many items are in the scope. If there are less than 100 items, you want the timeframe to be 12 hours, if there are more than 100 items, you want the timeframe to be 1 day.
timeframe setting: specific timeframe
{{scope.length > 100 ? '-12h' : '-1d'}}
Using the scope with the page timeframe
You can use the dynamic page timeframe for creating a specific timeframe that considers the scope.
Example:
You want to create a timeframe that puts a cap on the page timeframe that can be used depending on the size of the scope. If the scope has more than 100 items in it, you want the longest possible page timeframe setting to be 1 day (this means if the page timeframe is set to "last 12 hours", the page timeframe will be used, but if it is set to "last 6 months", this will be ignored and 1 day will be used). If the scope has less than 100 items in it, you want the timeframe to adjust to any page timeframe.
timeframe setting: specific timeframe
{{ timeframe.unixStart < Date.now()-(86400*1000) && scope.length > 100 ? '-1d' : timeframe.isoStart }}
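How the dynamic span expression, the 7-day cap and the scope-dependent 1-day cap resolve for different page timeframes, as an added example that is not part of the original page or of Dashboard Server. The timeframe objects are constructed: the field names isoDuration, unixStart and isoStart come from the expressions above, while their formats (ISO 8601 duration, epoch milliseconds, ISO timestamp), the 30-day month and the function names are assumptions.

```javascript
const DAY_MS = 86400 * 1000;

// Build a constructed page-timeframe object with the three fields the
// expressions read. Supports months, days and hours only (assumption).
function makeTimeframe(isoDuration, now) {
  const m = /^P(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?)?$/.exec(isoDuration);
  if (!m) throw new Error(`unsupported duration: ${isoDuration}`);
  const [months, days, hours] = m.slice(1).map((v) => Number(v || 0));
  const lengthMs = (months * 30 + days) * DAY_MS + hours * 3600 * 1000; // month = 30 days
  if (lengthMs <= 0) throw new Error(`empty duration: ${isoDuration}`);
  const unixStart = now - lengthMs;
  return { isoDuration, unixStart, isoStart: new Date(unixStart).toISOString() };
}

// {{timeframe.isoDuration.startsWith("PT") ? '1h' : '1d'}}
function timechartSpan(timeframe) {
  return timeframe.isoDuration.startsWith("PT") ? '1h' : '1d';
}

// {{timeframe.unixStart < Date.now()-(86400*7*1000) ? '-7d' : timeframe.isoStart}}
// `now` stands in for Date.now() so the result is reproducible.
function cappedEarliest(timeframe, now) {
  return timeframe.unixStart < now - (86400 * 7 * 1000) ? '-7d' : timeframe.isoStart;
}

// {{ timeframe.unixStart < Date.now()-(86400*1000) && scope.length > 100 ? '-1d' : timeframe.isoStart }}
function scopeAwareEarliest(timeframe, scope, now) {
  return timeframe.unixStart < now - (86400 * 1000) && scope.length > 100
    ? '-1d'
    : timeframe.isoStart;
}

// Resolve all three expressions for one page timeframe and scope size.
function resolveAll(isoDuration, scopeSize, now) {
  const timeframe = makeTimeframe(isoDuration, now);
  const scope = Array.from({ length: scopeSize }, (_, i) => ({ displayName: `host-${i}` }));
  return {
    span: timechartSpan(timeframe),
    earliest7d: cappedEarliest(timeframe, now),
    earliestScoped: scopeAwareEarliest(timeframe, scope, now),
  };
}

// Constructed "current time" and sample page timeframes.
const NOW = Date.UTC(2024, 0, 31, 12, 0, 0);
const samples = [
  ["PT12H", 5],    // last 12 hours, small scope
  ["P7D", 5],      // exactly at the 7-day cap
  ["P6M", 150],    // long timeframe, large scope: both caps apply
  ["PT168H", 150], // 7 days written in hours: span is 1h because of the "PT" prefix
];
for (const [duration, size] of samples) {
  console.log(duration, size, resolveAll(duration, size, NOW));
}
```

The PT168H row shows that the span choice depends on how the duration is written, not on its length: any duration string that starts with "PT" gets a 1 hour span.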
use page timeframe:
A dynamic timeframe that depends on the current page timeframe.
Tips for using the page timeframe
The page timeframe is the timeframe setting a dashboard or perspective is currently using. When a user changes the page timeframe, all tiles that use the page timeframe will adapt to the new timeframe. Tiles that don't use the dynamic page timeframe aren't affected and won't change.
Using page timeframe means your search query will adapt to the dynamic page timeframe.
While being able to change the timeframe dynamically brings a lot of flexibility for showing data over different timeframes in the same tile, it can also mean that some page timeframe settings are not ideal for your intended search:
The tile shows no data because the current page timeframe is too short for the fixed time span in your search query. In this case, you can use the page timeframe instead of fixed values in the search query.
The loading time for the tile is very long because the current page timeframe is too long for the search query. In this case, you can use the page timeframe in the specific timeframe setting to put a cap on the page timeframe that can be used.
Configure the settings for the visualization you chose:
Settings for Scalars
Scalar
Font size: Allows you to set the font size of the value in the tile.
Unit: Allows you to add a unit to the value displayed in the Scalar tile. For example, if your value shows a time in milliseconds, you can enter "ms" or if your value shows pageviews, you can enter "pageviews".
Value formatter: Allows you to format the value by using the mustache picker. For example, you can round the value up or down or convert it.
Conditional formatting:
You can display the scalar in different colors based on conditions you defined here. For example, you can display the scalar in green when the value is below 100 and in red when it is above 100.
Click on add to configure a condition.
Click on select color.... to open the color picker. Select the color for this condition.
Enter your condition in the field next to the color. You can use the value property and manipulate it with JavaScript String and Regex APIs. When you click on the mustache picker, you'll get some examples:
Value is greater than something, less than something, etc.
For example: {{value < 10}} (The color you picked will be used if the value is less than 10)
Value is present in the result
For example: value.indexOf('error') != -1 (The color you picked will be used if the string value "error" is present in the results)
Value matches one of the regular expressions you defined
For example: value.match(/healthy|good|up/) (The color you picked will be used if the string values are healthy, good, or up)
Display:
Here you decide how the color is used:
Tile background: Highlight the tile in the color you defined.
Text foreground: Display the text in the color you defined.
Link options
Allows you to turn the graph item(s) into links. You can either enter plain text to create a fixed link (URL always stays the same) or use dynamic properties to create a dynamic link.
Dynamic links make use of dynamic properties which are inserted as part of the URL. This creates a template URL that will be resolved to an actual URL based on the item's properties.
For example, if you want to link to tickets in your ticket system and the format of the URL for tickets in your system is https://www.my-system/ticket-123, where 123 is the ticket ID, you can use the dynamic property that contains the ticket ID and enter the dynamic URL https://www.my-system/ticket-{{ticketID}}.
For scalars, you can only use the dynamic property value in dynamic links, which means the link changes when the value of the scalar changes. Since a scalar is just one item, it would also make sense to use a fixed link, for example the link to the website of which you are displaying the response time.
For status icon or bars and the rows of a grid, you usually want to use a dynamic link since you get multiple items or rows that represent different things. You can use any of the dynamic properties the mustache picker offers you.
Examples for URLs with dynamic properties for popular APIs
Dynamic mustache properties and values you need to change according to your instance are highlighted in bold.
ServiceNow incidents:
https://<your-instance>.service-now.com/nav_to.do?uri=%2Fincident.do%3Fsys_id%3D{{sys_id}}
PagerDuty incidents:
{{incident.html_url}}
Azure DevOps projects:
https://dev.azure.com/<your-instance>/{{name}}
Azure DevOps builds:
https://dev.azure.com/<your-instance>/_build/results?buildId={{id}}
Zendesk tickets:
https://<your-instance>.zendesk.com/agent/tickets/{{id}}
Azure Application Insights:
https://portal.azure.com/#@squaredup.net/resource/{{ResourceId}}
Settings for Grids
Grid columns
Grid columns opens the grid designer, where you can show or hide columns, change the order of columns, edit column names or add custom columns.
Important note if you are using properties with hyphens for grid columns
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens.
For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format:
Original property name:
{{properties.name-with-hyphens.value}}
New format:
{{properties['name-with-hyphens'].value}}
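Why the dot form of a hyphenated property fails while the bracket form works, and how a dynamic link template from the link options above resolves against a result row, as an added example. It is a stand-in evaluator, not Dashboard Server's implementation: evalExpression, safeAbsoluteUrl, resolveLink and describeLink are hypothetical names, the rows are constructed, and the percent-encoding of inserted values and the http(s) check on a whole-URL property are additions made here because the values come from query results.

```javascript
// Evaluate one {{expression}} with the row's top-level keys as variables.
// Assumption: top-level keys are valid JavaScript identifiers.
function evalExpression(expr, row) {
  const names = Object.keys(row);
  // The expression is parsed as JavaScript, so a hyphen is read as a minus sign.
  const fn = new Function(...names, `return (${expr});`);
  return fn(...names.map((name) => row[name]));
}

// Accept a complete URL taken from the data only when it is plain http(s).
function safeAbsoluteUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return null; // not an absolute URL
  }
  return url.protocol === "https:" || url.protocol === "http:" ? url.href : null;
}

// Resolve a link template against one result row.
function resolveLink(template, row) {
  const whole = /^\{\{(.+)\}\}$/.exec(template.trim());
  if (whole && !whole[1].includes("{{")) {
    // Template is a single property holding the full URL, like {{incident.html_url}}.
    return safeAbsoluteUrl(evalExpression(whole[1], row));
  }
  // Otherwise each inserted value becomes one encoded URL component.
  return template.replace(/\{\{(.+?)\}\}/g, (_, expr) =>
    encodeURIComponent(String(evalExpression(expr, row))));
}

// Resolve, or report the error name when the expression cannot be parsed or evaluated.
function describeLink(template, row) {
  try {
    return resolveLink(template, row);
  } catch (err) {
    return err.name;
  }
}

// Constructed rows.
const ticketRow = { ticketID: 123 };
const hyphenRow = { properties: { "name-with-hyphens": { value: "db 01/a" } } };
const urlRow = { incident: { html_url: "https://pagerduty.example/incidents/P123" } };
const oddRow = { incident: { html_url: "javascript:void(0)" } };

console.log(describeLink("https://www.my-system/ticket-{{ticketID}}", ticketRow));
console.log(describeLink("https://www.my-system/ticket-{{properties.name-with-hyphens.value}}", hyphenRow));
console.log(describeLink("https://www.my-system/ticket-{{properties['name-with-hyphens'].value}}", hyphenRow));
console.log(describeLink("{{incident.html_url}}", urlRow));
console.log(describeLink("{{incident.html_url}}", oddRow)); // null: not an http(s) URL
```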
Grid options
Row link: Allows you to turn the graph item(s) into links. You can either enter plain text to create a fixed link (URL always stays the same) or use dynamic properties to create a dynamic link.
Dynamic links make use of dynamic properties which are inserted as part of the URL. This creates a template URL that will be resolved to an actual URL based on the item's properties.
For example, if you want to link to tickets in your ticket system and the format of the URL for tickets in your system is https://www.my-system/ticket-123, where 123 is the ticket ID, you can use the dynamic property that contains the ticket ID and enter the dynamic URL https://www.my-system/ticket-{{ticketID}}.
For scalars, you can only use the dynamic property value in dynamic links, which means the link changes when the value of the scalar changes. Since a scalar is just one item, it would also make sense to use a fixed link, for example the link to the website of which you are displaying the response time.
For status icon or bars and the rows of a grid, you usually want to use a dynamic link since you get multiple items or rows that represent different things. You can use any of the dynamic properties the mustache picker offers you.
Important note if you are using properties with hyphens for row links
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens.
For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format:
Original property name:
{{properties.name-with-hyphens.value}}
New format:
{{properties['name-with-hyphens'].value}}
Show column headers: You can choose between showing or hiding the header for all columns.
Expand rows automatically: Activate this checkbox if you want the row height to expand automatically based on the row content, for example if your grid uses increased text size, images, emojis etc.
Limit number of results displayed: You can set a limit of the initial number of results displayed in the grid. If you have set a limit and there are more results to display, users will see a "show all" button below the grid.
Font size: Use the slider to adjust the font size.
Tip for column sizing: You can change the column width directly in the grid by clicking on the divider lines between columns and dragging them to the width you want. You need to show column headers (by activating the show column headers check box) to be able to change the column width.
Resizing columns while in edit mode affects how the grid looks by default when users open the dashboard. Users can temporarily change the column sizes by dragging them, but those changes only last until they leave the page.
Settings for Line Graphs
Data range
The Data Range option allows you to choose the range of data the graph will display. For line graphs, this means the data on the y-axis.
percentage: Shows 0 to 100
fit to data: Shows the data minimum to data maximum
fit to data (from zero): Shows from 0 to the data maximum
custom: Allows you to specify the min and max
custom fit: Allows you to specify the min and max limits, so that data outside your settings will not be shown. If all the data falls within your specified ranges then the y-axis range will fit to the data rather than your caps.
Display
Height: Allows you to set the height of the tile with a slider.
Label
Allows you to change the label of the results.
Show legend:
Allows you to show or hide the legend of the graph.
Label:
auto: Choose this option if you want to use the default label that has been created automatically.
custom: Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
For more information see How to use Custom Labels
Important note if you are using external API properties with hyphens for custom labels (Web API tile, Elasticsearch tile, Splunk tile)
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens.
For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format:
Original property name:
{{properties.name-with-hyphens.value}}
New format:
{{properties['name-with-hyphens'].value}}
Settings for Sparklines
Data Range
The Data Range option allows you to choose the range of data the graph will display. For line graphs, this means the data on the y-axis.
percentage: Shows 0 to 100
fit to data: Shows the data minimum to data maximum
fit to data (from zero): Shows from 0 to the data maximum
custom: Allows you to specify the min and max
custom fit: Allows you to specify the min and max limits, so that data outside your settings will not be shown. If all the data falls within your specified ranges then the y-axis range will fit to the data rather than your caps.
Sort
Sort allows you to change the order of the results displayed. You can sort by value (ascending or descending) or label (alphabetically ascending or descending).
Label
Allows you to change the label of the results.
auto: Choose this option if you want to use the default label that has been created automatically.
custom: Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
For more information see How to use Custom Labels
Settings for Bar Graphs
Data Range
The Data Range option allows you to choose the range of data the graph will display. For line graphs, this means the data on the y-axis.
percentage: Shows 0 to 100
fit to data: Shows the data minimum to data maximum
fit to data (from zero): Shows from 0 to the data maximum
custom: Allows you to specify the min and max
custom fit: Allows you to specify the min and max limits, so that data outside your settings will not be shown. If all the data falls within your specified ranges then the y-axis range will fit to the data rather than your caps.
Sort
Sort allows you to change the order of the results displayed. You can sort by value (ascending or descending) or label (alphabetically ascending or descending).
Label
Allows you to change the label of the results.
auto Choose this option if you want to use the default label that has been created automatically.
custom
Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
For more information see How to use Custom Labels
Important note if you are using external API properties with hyphens for custom labels (Web API tile, Elasticsearch tile, Splunk tile)
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens.
For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format:
Original property name:
{{properties.name-with-hyphens.value}}
New format:
{{properties['name-with-hyphens'].value}}
Color
Here you can enable or disable graph color matching.
Settings for Donuts
Sort
Sort allows you to change the order of the results displayed. You can sort by value (ascending or descending) or label (alphabetically ascending or descending).
Display
Size mode:
Default: Displays the donut scaled to the height of the tile.
Fill: Enlarges the donut to use the whole width of the tile. If you chose the fill option and show the legend, you can define the size of the legend with a slider.
Show legend:
Allows you to show or hide the legend of the graph.
Display mode:
Allows you to switch between displaying absolute values or percentages.
Color palette:
Here you can choose between different color palettes.
Note: If there are more items than colors, the colors repeat from the beginning.
Tip for displaying priorities or health states: If you want to display priorities or health states from a data source that doesn't enrich the data with information about priority or health (like the SQL tile or external APIs), use the custom color option and map the results to the correct color. This way, you can make sure that healthy or low priority results are displayed in green, unhealthy or high priority results are displayed in red, etc. If you use the color palettes Priorities, Health1, or Health2 the colors get assigned depending on how the results are sorted, which doesn't guarantee that the colors make sense for the priority or state they represent.
General: 10 different colors without specific meaning
Priorities: 5 different colors representing 5 different priority states
Health1: 3 different colors representing 3 different health states (red=unhealthy, green=healthy, gray=unknown)
Health2: 4 different colors representing 4 different health states (red=critical, orange=unhealthy, green=healthy, gray=unknown)
Pastel: 10 different pastel colors without specific meaning
Blue: 4 different shades of blue from dark to light
Orange: 4 different shades of orange from dark to light
Green: 4 different shades of green from dark to light
Pink: 4 different shades of pink from dark to light
Custom: Here you can choose colors and map them to a value.
Click on Select color... to select a color and enter the name of the value that you want to display in that color. Make sure you spell the value's name correctly (case-sensitive), otherwise the color won't be assigned to it.
Note if your color mapping doesn't work (color stays gray)
If you entered the value's name correctly (case-sensitive) and your mapping still doesn't work, check if the mapping value contains leading or trailing spaces. Try to enter the value with and without those spaces. Alternatively, you can remove spaces from the mustache expression and enter the values without spaces.
Example:
Mustache expression with leading and trailing spaces in the values:
{{#if Status == "1" }} Healthy {{elseif Status == "2" }} Down {{elseif Status == "3" }} Warning {{/if}}
Mustache expression without spaces in the values:
{{#if Status == "1" }}Healthy{{elseif Status == "2" }}Down{{elseif Status == "3" }}Warning{{/if}}
Settings for Status Icons
Filtering behavior of Splunk
Splunk will only return results that match your search query. If data doesn't fit your search, Splunk throws those results away. This means a search like
eval state=case(count > 1000, "critical")
will only return results with a case count bigger than 1000. Any results with less than 1000 cases will be discarded and you'll only see "critical" blocks or icons in the tile.
Link options
item link:
Allows you to turn the graph item(s) into links. You can either enter plain text to create a fixed link (URL always stays the same) or use dynamic properties to create a dynamic link.
Dynamic links make use of dynamic properties which are inserted as part of the URL. This creates a template URL that will be resolved to an actual URL based on the item's properties.
For example, if you want to link to tickets in your ticket system and the format of the URL for tickets in your system is https://www.my-system/ticket-123, where 123 is the ticket ID, you can use the dynamic property that contains the ticket ID and enter the dynamic URL https://www.my-system/ticket-{{ticketID}}.
For scalars, you can only use the dynamic property value in dynamic links, which means the link changes when the value of the scalar changes. Since a scalar is just one item, it would also make sense to use a fixed link, for example the link to the website of which you are displaying the response time.
For status icons or bars and the rows of a grid, you usually want to use a dynamic link since you get multiple items or rows that represent different things. You can use any of the dynamic properties the mustache picker offers you.
Examples for URLs with dynamic properties for popular APIs
Dynamic mustache properties and values you need to change according to your instance are highlighted in bold.
ServiceNow incidents:
https://<your-instance>.service-now.com/nav_to.do?uri=%2Fincident.do%3Fsys_id%3D{{sys_id}}
PagerDuty incidents:
{{incident.html_url}}
Azure DevOps projects:
https://dev.azure.com/<your-instance>/{{name}}
Azure DevOps builds:
https://dev.azure.com/<your-instance>/_build/results?buildId={{id}}
Zendesk tickets:
https://<your-instance>.zendesk.com/agent/tickets/{{id}}
Azure Application Insights
https://portal.azure.com/#@squaredup.net/resource/{{ResourceId}}
Important note if you are using properties with hyphens in the link options
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens.
For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format:
Original property name:
{{properties.name-with-hyphens.value}}
New format:
{{properties['name-with-hyphens'].value}}
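How a dynamic link template like the ones above resolves, including the bracket format for hyphenated names, as an added example that is not SquaredUp's implementation. The helper names (parsePath, lookup, resolveLink), the sample item and the "example" instance names are constructed for illustration; the scheme check is one way to vet links whose whole URL comes from API data, as with {{incident.html_url}}.

```javascript
// Added illustration, not SquaredUp's code. All helper names are hypothetical.

// Constructed sample item, shaped like a row returned by an external API.
const SAMPLE_ITEM = {
  ticketID: "123",
  sys_id: "a b&c",
  incident: { html_url: "https://example.pagerduty.com/incidents/P1" },
  properties: { "ticket-id": { value: "456" } },
};

// Split "a.b['c-d'].e" into keys. A hyphen is only accepted inside brackets:
// in dot notation JavaScript reads a.c-d as "a.c minus d".
function parsePath(expr) {
  const s = expr.trim();
  const token = /(?:^|\.)([A-Za-z_$][\w$]*)|\[(['"])(.+?)\2\]/y;
  const keys = [];
  let pos = 0;
  while (pos < s.length) {
    token.lastIndex = pos;
    const m = token.exec(s);
    if (!m) throw new SyntaxError(`unsupported property path at "${s.slice(pos)}"`);
    keys.push(m[1] !== undefined ? m[1] : m[3]);
    pos = token.lastIndex;
  }
  if (keys.length === 0) throw new SyntaxError("empty property path");
  return keys;
}

// Walk the item using own properties only, so inherited keys never resolve.
function lookup(item, expr) {
  let cur = item;
  for (const key of parsePath(expr)) {
    const isObject = cur !== null && typeof cur === "object";
    if (!isObject || !Object.prototype.hasOwnProperty.call(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

// Resolve every {{property}} in the template and validate the final URL.
function resolveLink(template, item) {
  // A template that is a single property carries a complete URL and is used
  // as-is; a property inside a longer URL is a fragment and is percent-encoded.
  const wholeValue = /^\{\{[^{}]+\}\}$/.test(template.trim());
  const resolved = template.trim().replace(/\{\{([^{}]+)\}\}/g, (_, expr) => {
    const value = lookup(item, expr);
    if (value === undefined || value === null) {
      throw new Error(`no value for {{${expr}}}`);
    }
    return wholeValue ? String(value) : encodeURIComponent(String(value));
  });
  const url = new URL(resolved); // throws TypeError on a malformed URL
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`refusing link with scheme ${url.protocol}`);
  }
  return url.href;
}
```
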
Label
Allows you to change the label of the results.
name Choose this option if you want to use the default label that has been created automatically.
custom Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
For more information see How to use Custom Labels
Important note if you are using external API properties with hyphens for custom labels (Web API tile, Elasticsearch tile, Splunk tile)
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens.
For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format:
Original property name:
{{properties.name-with-hyphens.value}}
New format:
{{properties['name-with-hyphens'].value}}
Sublabel
Allows you to add a sublabel of the results.
custom Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
For more information see How to use Custom Labels
Important note if you are using external API properties with hyphens for custom labels (Web API tile, Elasticsearch tile, Splunk tile)
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens.
For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format:
Original property name:
{{properties.name-with-hyphens.value}}
New format:
{{properties['name-with-hyphens'].value}}
none By default, no sublabels are shown.
Sort
Sort allows you to change the order of the results displayed. You can also group them by their characteristics.
default By default, the sorting of the blocks or icons depends on the data source. This can be alphabetical sorting or the order in which data comes back from an API request.
sort by
Sort by label or tenant, ascending or descending
group by Group by label or tenant, ascending or descending
Image
Here you can choose one of the provided images or upload your own.
Tip: If you want a different selection of maps, you can download more at https://freevectormaps.com/
Supported image formats: png, jpg, jpeg, gif, tif, tiff, svg, bmp
Tip: SVG images resize best since they are vector images.
File size limit: 10MB
Image size: Images fill the size of the tile, which means you can resize the image by adjusting the tile's size. The size of the tile also depends on the screen the dashboard is being viewed on.
Icons
Here you can customize the icons on the image:
You can change the size of the icons with the slider
You can change the shape of the icons (square or circle)
You can drag the icons on the image into position
Display styles for Status icons
This setting is not made in a panel. You can change the display style even after you have finished configuring the tile.
You can use the toggle zoom button at the top right of the tile to change between the different ways Status icons can be displayed.
One long list
Column list
Icons only
Settings for Status Blocks
Filtering behavior of Splunk
Splunk will only return results that match your search query. If data doesn't fit your search, Splunk throws those results away. This means a search like
eval state=case(count > 1000, "critical")
will only return results with a case count bigger than 1000. Any results with less than 1000 cases will be discarded and you'll only see "critical" blocks or icons in the tile.
Link options
item link:
Allows you to turn the graph item(s) into links. You can either enter plain text to create a fixed link (URL always stays the same) or use dynamic properties to create a dynamic link.
Dynamic links make use of dynamic properties which are inserted as part of the URL. This creates a template URL that will be resolved to an actual URL based on the item's properties.
For example, if you want to link to tickets in your ticket system and the format of the URL for tickets in your system is https://www.my-system/ticket-123, where 123 is the ticket ID, you can use the dynamic property that contains the ticket ID and enter the dynamic URL https://www.my-system/ticket-{{ticketID}}.
For scalars, you can only use the dynamic property value in dynamic links, which means the link changes when the value of the scalar changes. Since a scalar is just one item, it would also make sense to use a fixed link, for example the link to the website of which you are displaying the response time.
For status icons or bars and the rows of a grid, you usually want to use a dynamic link since you get multiple items or rows that represent different things. You can use any of the dynamic properties the mustache picker offers you.
Examples for URLs with dynamic properties for popular APIs
Dynamic mustache properties and values you need to change according to your instance are highlighted in bold.
ServiceNow incidents:
https://<your-instance>.service-now.com/nav_to.do?uri=%2Fincident.do%3Fsys_id%3D{{sys_id}}
PagerDuty incidents:
{{incident.html_url}}
Azure DevOps projects:
https://dev.azure.com/<your-instance>/{{name}}
Azure DevOps builds:
https://dev.azure.com/<your-instance>/_build/results?buildId={{id}}
Zendesk tickets:
https://<your-instance>.zendesk.com/agent/tickets/{{id}}
Azure Application Insights
https://portal.azure.com/#@squaredup.net/resource/{{ResourceId}}
Important note if you are using properties with hyphens in the link options
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens.
For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format:
Original property name:
{{properties.name-with-hyphens.value}}
New format:
{{properties['name-with-hyphens'].value}}
Label
Allows you to change the label of the results.
name Choose this option if you want to use the default label that has been created automatically.
custom Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
For more information see How to use Custom Labels
Important note if you are using external API properties with hyphens for custom labels (Web API tile, Elasticsearch tile, Splunk tile)
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens.
For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format:
Original property name:
{{properties.name-with-hyphens.value}}
New format:
{{properties['name-with-hyphens'].value}}
Sublabel
Allows you to add a sublabel of the results.
custom Here you can change the label to a custom label. You can use static text and dynamic properties. Use the mustache picker to select dynamic properties from the response data to use them as labels.
For more information see How to use Custom Labels
Important note if you are using external API properties with hyphens for custom labels (Web API tile, Elasticsearch tile, Splunk tile)
Property names that contain hyphens (for example properties.name-with-hyphens) can't be processed due to a JavaScript limitation. If you want to use a property that contains a hyphen, you have two options:
If you have access to the data source and can change the name of the property, change the name of the property to a name without hyphens.
For example, if your Elasticsearch query uses a property (an aggregation, a grouping or any other property you want to use) with a name that contains a hyphen, you can either access your Elasticsearch instance and change the name there or you can overwrite the name in the query dsl field.
If you can't change the name of the property, you need to enter the property name in the following format:
Original property name:
{{properties.name-with-hyphens.value}}
New format:
{{properties['name-with-hyphens'].value}}
none By default, no sublabels are shown.
Sort
Sort allows you to change the order of the results displayed. You can also group them by their characteristics.
default By default, the sorting of the blocks or icons depends on the data source. This can be alphabetical sorting or the order in which data comes back from an API request.
sort by
Sort by label or tenant, ascending or descending
group by Group by label or tenant, ascending or descending
Blocks
Here you can set the number of columns for the blocks, their height and the font size within the blocks.
Click done to save the tile.
The tile now shows data according to your search.
Tips for using the page timeframe in Splunk tiles
The page timeframe is the timeframe setting a dashboard
Using page timeframe means your search query will adapt to the dynamic page timeframe.
While being able to change the timeframe dynamically brings a lot of flexibility for showing data over different timeframes in the same tile, it can also mean that some page timeframe settings are not ideal for your intended search:
The tile shows no data because the current page timeframe is too short for the fixed time span in your search query. In this case, you can use the page timeframe instead of fixed values in the search query
Using the page timeframe in the search query
Possible scenario:
You want to prevent a page timeframe shorter than the time span in the search query from being used, because in that case the graph would show no results.
Example:
This search uses a fixed time span of 1 day:
search index=opp_events | timechart span=1d count by host
Timeframe setting: use page timeframe
When you set the page timeframe for the dashboard to "12 hours", the graph will be empty since there are no 24 hour results in the last 12 hours.
Solution:
Instead of using a fixed time span, use the page timeframe in your search query. You can use the mustache picker to insert page timeframe values.
Example:
This search uses a dynamic span with page timeframe:
Search query: search index=opp_events | timechart span={{timeframe.isoDuration.startsWith("PT") ? '1h' : '1d'}} count by host
Timeframe setting: use page timeframe
The search now considers the currently set page timeframe. If the page timeframe is set to hours (like "last 12 hours"), it will search for results within a 1 hour span. If the page timeframe is set to anything else (like "last 6 months"), it will search for results within a 1 day span.
The loading time for the tile is very long because the current page timeframe is too long for the search query. In this case, you can use the page timeframe in the specific timeframe setting to put a cap on the page timeframe that can be used.
Using the page timeframe in the specific timeframe field
Possible scenario:
You want to put a cap on the page timeframe that can be used, because if a search returns a lot of data, a long page timeframe like "last 6 months" would lead to long loading times.
Solution:
Instead of setting the timeframe to use page timeframe, choose specific timeframe and create a limit for the page timeframe there. You can use the mustache picker to insert page timeframe values.
Example:
timeframe setting: specific timeframe
{{timeframe.unixStart < Date.now()-(86400*7*1000) ? '-7d' : timeframe.isoStart}}
This specific timeframe limits the page timeframe to 7 days. If the current page timeframe is set to "last 7 days" or anything shorter than that, the search uses the page timeframe. If the current page timeframe is longer (like "last 6 months"), the search will disregard the page timeframe setting and use "last 7 days" instead.
Using the scope in the timeframe setting
If you defined a scope, you can use the mustache picker to insert values that refer only to the defined scope.
Using the scope with fixed values
You can use fixed values for creating a specific timeframe that considers the scope.
Example:
You want to create a timeframe that considers how many items are in the scope. If there are less than 100 items, you want the timeframe to be 12 hours, if there are more than 100 items, you want the timeframe to be 1 day.
timeframe setting: specific timeframe
{{scope.length > 100 ? '-12h' : '-1d'}}
Using the scope with the page timeframe
You can use the dynamic page timeframe for creating a specific timeframe that considers the scope.
Example:
You want to create a timeframe that puts a cap on the page timeframe that can be used depending on the size of the scope. If the scope has more than 100 items in it, you want the longest possible page timeframe setting to be 1 day (this means if the page timeframe is set to "last 12 hours", the page timeframe will be used, but if it is set to "last 6 months", this will be ignored and 1 day will be used). If the scope has less than 100 items in it, you want the timeframe to adjust to any page timeframe.
timeframe setting: specific timeframe
{{ timeframe.unixStart < Date.now()-(86400*1000) && scope.length > 100 ? '-1d' : timeframe.isoStart }}
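The dynamic span, the 7-day cap and the scope-dependent cap from the sections above, evaluated as plain JavaScript against constructed page timeframes (an added example, not SquaredUp code). The shape of the timeframe and scope objects is assumed from the property names used on this page, unixStart is assumed to be in milliseconds because the expressions compare it with Date.now(), and the current time is passed in as a parameter so the results are reproducible.

```javascript
// Added illustration: the page's timeframe expressions as testable functions.
// Object shapes and helper names are assumptions, not product internals.
const HOUR_MS = 3600 * 1000;
const DAY_MS = 86400 * 1000;

// Build a constructed page timeframe that ends at `now`.
function makeTimeframe(isoDuration, lengthMs, now) {
  const unixStart = now - lengthMs;
  return { isoDuration, unixStart, isoStart: new Date(unixStart).toISOString() };
}

// span={{timeframe.isoDuration.startsWith("PT") ? '1h' : '1d'}}
// ISO 8601 durations made only of hours/minutes/seconds begin with "PT".
function timechartSpan(timeframe) {
  return timeframe.isoDuration.startsWith("PT") ? "1h" : "1d";
}

// {{timeframe.unixStart < Date.now()-(86400*7*1000) ? '-7d' : timeframe.isoStart}}
// Generalized to any cap in days; the page uses 7.
function cappedStart(timeframe, capDays, now) {
  return timeframe.unixStart < now - capDays * DAY_MS
    ? `-${capDays}d`
    : timeframe.isoStart;
}

// {{ timeframe.unixStart < Date.now()-(86400*1000) && scope.length > 100 ? '-1d' : timeframe.isoStart }}
// The 1-day cap only applies when the scope holds more than 100 items.
function scopedStart(timeframe, scope, now) {
  return timeframe.unixStart < now - DAY_MS && scope.length > 100
    ? "-1d"
    : timeframe.isoStart;
}

// Resolve span and start values for a list of page timeframe settings.
function planSearches(settings, scope, now) {
  return settings.map(({ label, isoDuration, lengthMs }) => {
    const tf = makeTimeframe(isoDuration, lengthMs, now);
    return {
      label,
      span: timechartSpan(tf),
      sevenDayCap: cappedStart(tf, 7, now),
      scopeCap: scopedStart(tf, scope, now),
    };
  });
}

// Constructed inputs: a fixed "now" and three page timeframe settings.
const SAMPLE_NOW = Date.UTC(2024, 0, 15, 12, 0, 0);
const SAMPLE_SETTINGS = [
  { label: "last 12 hours", isoDuration: "PT12H", lengthMs: 12 * HOUR_MS },
  { label: "last 7 days", isoDuration: "P7D", lengthMs: 7 * DAY_MS },
  { label: "last 6 months", isoDuration: "P6M", lengthMs: 182 * DAY_MS },
];
```

A page timeframe that starts exactly at the cap keeps its own start value, because the comparison is a strict less-than; both values describe the same window at that point.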