O'Reilly logo
live online training icon Live Online training

Advanced Visualizations in Splunk

Create and customize impactful visualizations & dashboards in Splunk

Karun Subramanian

Splunk is the most popular operational data intelligence platform. Organizations use Splunk to collect, parse and index peta byte scale machine data. Splunk is used in IT operations, business analytics and SIEM (security information and events management). It provides a versatile query language (Search Processing Language or SPL) and rich set of visualizations that help users make sense of their machine data in numerous ways.

While Splunk provides numerous pre-built visualizations, customizing them to suit your needs can be challenging. Further, in order to add interactivity and dynamic drill down features in Splunk dashboards, one must understand Splunk’s simple xml code. In this course, I’ll walk you through the various customization options and explain how to write Splunk simple xml code. I’ll provide plenty of examples through demo to reinforce the concepts you will learn.

What you'll learn-and how you can apply it

By the end of this live, hands-on, online course, you’ll understand:

  • Splunk’s visualization customization options
  • Splunk’s simple xml syntax and use
  • Factors affecting dashboard’s performance
  • Splunk tokens and how to make use of them to add interactivity

And you’ll be able to:

  • Customize Splunk visualizations. For example, override default color schema of a chart.
  • Create Forms to get user input using drop down and check boxes.
  • Enable dynamic drill-down in your dashboards.
  • Use Event handlers in dashboards. For example, make a panel appear/disappear
  • Significantly reduce the dashboard load time

This training course is for you because...

  • You are a DevOps engineer trying to implement monitoring and automation
  • You are a Security professional trying to use Splunk for threat hunting and incident response
  • You are a business user trying to create reports and dashboards
  • You are a software developer/architect trying to make use of Splunk for log aggregation and reporting.

Prerequisites

  • Basic knowledge of Splunk and SPL
  • Basic understanding of the data you are trying to analyze

Course Set-up

  • You need to have at least user-level access to your organizations Splunk environment. (Power user access recommended)
  • If you do not have access to a Splunk environment, obtain a free Splunk Cloud trial (valid for 15 days from the date of registration): https://www.splunk.com/en_us/campaigns/splunk-cloud-trial.html, or install Splunk Enterprise trial in your PC/Mac

Recommended Preparation

  • Beginning Splunk (Live Online Training, search the O’Reilly Learning Platform for an upcoming date)
  • Creating Knowledge Objects in Splunk (Live Online Training, search the O’Reilly Learning Platform for an upcoming date)

About your instructor

  • Karun is an IT operations expert focusing on modernizing monitoring and observability. With over 20 years of experience, Karun has helped numerous companies transform their IT operations eco system. His area of expertise includes Log aggregation, Time series databases, Cloud Infrastructure and Machine data analytics. He is a Splunk Certified Architect.

Schedule

The timeframes are only estimates and may vary according to how the class is progressing

Segment 1: Splunk SPL primer (25 minutes)

  • Splunk platform basics
  • Anatomy of a search
  • Using fields
  • Transforming search commands
  • Q&A

Segment 2: Creating Dashboards (35 minutes)

  • Creating a basic dashboard
  • Adding Panels
  • Introduction to input controls
  • Editing simple XML
  • Q&A

Break – 10 minutes

Segment 3: Forms and Input Controls (50 minutes)

  • Introducing Drop down menu – 15 minutes
  • Using dynamic options in drop down menu – 15 minutes
  • Text boxes, Check boxes and multiselect – 15 minutes
  • Q&A

Break – 10 minutes

Segment 4: Advanced customization (55 minutes)

  • Customize chart colors
  • Configure drilldown
  • Configure event handlers
  • Hide or Display panels
  • Q&A

Break – 10 minutes

Segment 5: Improving Performance of Dashboards (30 minutes)

  • Using Base Searches
  • Using scheduled reports
  • Accelerate reports
  • Accelerate data models
  • Q&A

Course wrap-up and next steps