-
Hello, and welcome to the Advanced Bulk
-
Dashboard and Showcase with me, Dan Gray.
-
I'm a qualified Splunk architect
-
with Somerford Associates.
-
I've been working here for a year now, and prior to
-
that, I was in the role area for eight years,
-
where I worked as a computer network analyst.
-
So who are Somerford?
-
Specialists in everything Splunk, and
-
we are an elite partner for licensed and professional services.
-
We also offer workshops and
-
webinars such as this. And if you're a
-
customer of ours, you have access to the
-
dedicated technical support desk.
-
So what's the agenda of this webinar?
-
We're going to learn to make smart
-
and interactive dashboards of real data--
-
reporting that will help us
-
graphically illustrate our IT operations
-
data using complex graphs and charts. But
-
really, what we're going to do is we're
-
going to make simple, effective
-
dashboards that communicate
-
what you want to communicate across to the end user.
-
We're going to try and take
-
dashboards from this--which is an
-
example of a bad dashboard that I've made.
-
It's very cluttered, not very
-
colorful, and it's really unclear what's
-
going on at first look. There's some
-
information in there. We can see that
-
stuff's happening--actions, products are
-
being viewed and removed from carts--
-
and stuff's happening. Really ineffective graphs, no axes, no labels.
-
Tables are not formatted correctly--
-
really not a good example
-
of effective communication
-
of the data that sits behind this dashboard.
-
I'm going to try and take it from
-
that to something a little bit more like this.
-
This is using the same data;
-
however, hopefully it's a little bit more
-
illustrative of what's going on. We've
-
got revenue, we've got graphs, we've got
-
tables, single-value figures,
-
and a bit of color in there that
-
makes it a little bit more digestible.
-
But before we are able to
-
make a dashboard, we have to get started
-
with Splunk. If you've never used Splunk
-
before, it's really straightforward to
-
get going. Head to the website and make
-
an account, download the latest version
-
of Splunk Enterprise, install it, and then add
-
data--and away you go. When I say add
-
data, anything that's human-readable, Splunk
-
can ingest and make sense of--whether
-
that's the logs from your own PC that
-
you're logging in, or you can get datasets
-
online, such as the New York taxi
-
companies--they publish information
-
about taxi journeys. Even online, the
-
computer game--you can get data dumps
-
from activities that have happened in
-
the game to help you play around with
-
Splunk if you've not got access to a
-
large computer network or another
-
data source. There are resources out
-
there online where you can take data and
-
get it into Splunk, and then start
-
learning and playing around with it.
-
Once you've installed Splunk, this is
-
what you'll be faced with. This is the
-
homepage. Looks a little bit different in
-
version 9, but all the same features
-
are there. Product tours, really
-
straightforward navigation through the
-
queries of whichever product you've downloaded.
-
Adding data--the most
-
important button. This is where you really start
-
getting anything out of Splunk--by
-
adding different data sources. As I said,
-
it has to be human-readable, but you
-
can take network information, logs, events, and metrics.
-
Splunk apps--that will take
-
you to Splunkbase, the website, the
-
repository of apps. And in Splunk,
-
apps mean it's a bundle of configuration files.
-
There are apps for numerous different products.
-
If you want to ingest a data source,
-
the first place to look is on Splunkbase
-
and see if someone's done the hard work for you already.
-
And then finally, Splunk Docs
-
is the documentation for Splunk--
-
really well maintained,
-
organized, and makes sense.
-
If there's something that you'd like
-
to do in Splunk, it's very likely that
-
you'll be able to find out how to do it
-
by looking through this documentation.
-
This webinar's about
-
dashboards--so how do we make your
-
dashboards? Click on the Dashboard
-
button primarily, and then the next button
-
you will click is Create Dashboard.
-
You will be faced with this pop-up here.
-
This is where you set the
-
premises for the dashboard you're making.
-
Things that you need to
-
fill in are the dashboard title,
-
the permissions, whether you're using
-
Classic Dashboards or Dashboard Studio.
-
In this webinar, we'll be using Dashboard Studio.
-
Classic Dashboards and Dashboard
-
Studio have different functionalities.
-
Dashboard Studio is the
-
newer version--the newer offering by Splunk--
-
and they're working to catch up with
-
some of the functionality from Classic
-
Dashboards. Dashboard Studio also has
-
extra functionality that you can't get
-
in Classic Dashboards. As I said, this
-
webinar will be using Dashboard Studio,
-
so we'll see some of the functions and
-
settings and stuff that we can use
-
that are exclusive to Dashboard Studio.
-
And finally, absolute or grid layout mode.
-
What that means will
-
be really much more obvious once we get
-
into editing the dashboard. But as it
-
says there, if you choose absolute layout,
-
you get full control of where you want
-
to place your panels, whereas grid snaps to location.
-
But before you do that--start with a plan.
-
Before making any dashboard, you
-
want to go to your end user or your
-
customer--or if it's working on your own
-
behalf--have a good think about what you
-
want this dashboard to show. This is a
-
really quick one that I knocked up in
-
Microsoft Paint. However, this is the
-
sort of thing that I'd like to receive
-
from a customer. At this point, I'm not
-
particularly interested in what sort of
-
Splunk queries they want to run in the
-
background. What I want to know is what
-
they want their dashboard to show--and
-
leave it up to me to figure out how to make that work.
-
So on the left, we have a hospital dashboard--
-
high-level overview, info
-
about number of patients, records
-
prior, and detailed view--and a couple of
-
notes on the bottom: make it look sleek,
-
include color coding. On the right, a
-
car factory example. So if we keep
-
those two plans in our mind as we go
-
through, we're gonna see those
-
materialize to life. As I said, at this
-
point, I don't want to know about the
-
data that powers these dashboards, nor
-
the Splunk searches that we'll need to
-
run to get it working. I really want to
-
know what the customer wants out of their dashboard.
-
Once you've got that,
-
perhaps counterintuitively, the first thing that
-
I suggest you do when making a
-
dashboard is add a background.
-
The background can really
-
provide the skeleton of your dashboard,
-
and it can really add context to the data.
-
So here are a couple of
-
dashboards that we have--prepopulated,
-
perfectly fine dashboards--not too busy,
-
quite colorful, well-labeled, and make
-
sense. But they could be taken to the
-
next level by adding a background--and
-
we'll see how just now.
-
So here we have the left
-
dashboard without the background.
-
As we transition to the
-
background, as we had in our Planets
-
Hospital-themed dashboard, we can
-
see that these lines that are connected
-
up to the data--these are part of the
-
background. So the colored lines and the
-
boxes are all part of the background
-
image, and we can really see how that
-
adds context to the data that we're presenting.
-
Next, we have
-
a car factory. So instead of
-
the bare panels, we can arrange
-
those panels along the background
-
in a way that makes sense. And at a
-
glance, we can see that this is to do
-
with production lines and where
-
the data sits on that
-
production line--so where the problems may occur.
-
So, how do we add a background?
-
Here we have our view
-
after we've created a new dashboard.
-
We'll be looking over here--create a
-
background image. You can drag and
-
drop an image file, and it will load
-
and be populated into your
-
dashboard, or else you can add a URL.
-
Out of the box, there are a
-
number of configured whitelisted
-
URLs that Splunk will use to
-
populate backgrounds, and those are all Splunk-related.
-
If you have a website--as we do at
-
Somerford and Associates--you'll have to
-
whitelist that website to be able to get
-
your image populated in your dashboards.
-
So here I've used the URL of one of
-
the Splunk ones, and here's a good
-
point to bring in some context to
-
this webinar. We'll be using data that's
-
themed around a company called Buttercup
-
Games. This is the Buttercup Games
-
background. Buttercup Games sell all sorts
-
of different things--nerdy apparel,
-
games, and things associated with those.
-
And we'll see the theme of that as we
-
go through the dashboard.
-
So we've added the background, and we
-
can see now the skeleton of what we
-
want our dashboard to look like. It
-
will help when we're arranging our
-
panels--where we want to put them.
-
So how do we add our panels? Well,
-
the first thing to think about is the
-
best way to visualize the data that you
-
are trying to present--whether that's
-
going to be a pie chart, a table, or a
-
bar chart. The location of panels and the
-
orientation of panels--those go hand
-
in hand. You want to try and tell a
-
story--a logical story--in your
-
dashboard. Try to keep related things
-
nearby and make it simple for the user
-
to follow. Very importantly, don't overload with information.
-
So how do we add a panel?
-
There are a few different ways. You can do
-
it directly from the dashboard, but in
-
this case, we are doing it from a search
-
we've run. Search is not
-
the topic of this webinar, so we
-
won't dig too much into the search that
-
we have run. Suffice to say that I've run
-
a search here in Splunk
-
and ended up with a table. What you
-
need to do is click “Save As”
-
over here and save it to an existing dashboard.
-
Then it's as simple as finding your
-
dashboard, making sure it's
-
ticked, and giving it a panel title
-
(that's optional). It's definitely best
-
practice to give a panel title that
-
really explains what that panel is going to do.
-
Then press “Save to Dashboard”--and
-
there we are.
-
We've added our first panel to our dashboard.
-
It's fine. We can see that
-
we've got products, we've got purchases,
-
and the revenue that we're generating off those products.
-
But we might be able to
-
improve it by using a few formatting options.
-
There are
-
loads and loads of formatting options
-
when you come in to make a panel--and
-
dashboards themselves, for that matter.
-
Some of them are on the screen now. And
-
when we go to the live portion
-
of the webinar, where I go into some
-
different dashboards, we'll have a look
-
at some of the formatting options there.
-
But for this case,
-
here's the same table after using some formatting options.
-
I've used color for
-
the purchases to illustrate whether
-
those are good numbers or bad numbers,
-
and then added a couple of pound signs
-
there as well just to show that that's money.
-
Next: adding more panels. So the
-
different types of panels that you can
-
add--the different format options.
-
Choose your visualizations to
-
suit the data. Panel titles--don't forget
-
those. Chart type and the time range
-
picker--that will show you how far back
-
in time you want your dashboard to look.
-
And drilldowns is a more
-
advanced formatting option, where
-
you can set the behavior if you click on
-
each panel--what that behavior will do.
-
We'll talk about that more in a minute.
-
So I've just chucked in a new panel--
-
this time a pie chart--
-
continuing to add panels to our dashboard.
-
A few different visualization types
-
now: we've got tables, we've got pie
-
charts, and we've got a stacked pie chart.
-
And finally, down there on the bottom right, a single value.
-
Don't forget to save your dashboard
-
as you're going through. As we can see
-
there: "Success. Dashboard saved." Make
-
sure you save your dashboard as you go
-
along, because if you navigate away from
-
it, you might lose your progress.
-
Here, we've added an image of
-
the Somerford logo because I wanted to
-
illustrate the drilldown mechanic
-
that you can add to a dashboard.
-
So how do we do that?
-
Click on the image in this case--or
-
the panel or the object within the
-
dashboard. And on the right-hand side,
-
you'll get an options menu to
-
configure your object. In our case,
-
we're going to add a drilldown. So there
-
we go--drilldown. To add a drilldown,
-
you've got on-click options.
-
So there's stuff such as "link to
-
another
-
dashboard," "link to a search," and you
-
can decide whether you want that in a
-
new tab or the tab that you're already in.
-
In our case, we're going to link to
-
a custom URL. So I've linked it there to
-
the Somerford website. When the
-
end user is using this dashboard, if they
-
click that image, they will navigate to the
-
Somerford & Associates website.
-
I'll move on over now to the
-
live portion of the demo, in which we're
-
going to have a look at three different
-
demo environments that we've spun up in
-
Splunk that are populated with fake, fake data.
-
But there's a number of
-
dashboards that we could have a look at,
-
and we'll see some of the good and
-
bad points of those dashboards.
-
So the first one I've clicked into here--
-
Financial Crime--is the theme of this dashboard.
-
This is what I would say is the
-
executive summary page of this
-
environment--so the control room, as it's
-
called. Here we have a number of panels
-
that are well labeled, so we
-
can kind of tell what's going on at a
-
glance. We can see different accounts
-
there that are important and a number of different visualizations.
-
In these environments
-
that Splunk has spun up as demos, sometimes
-
they use a visualization that
-
might not be the most applicable to
-
the data--mainly because they want to
-
just show off some of the different visualizations that are possible.
-
But all in all, not a bad dashboard.
-
I'd say at the top here, we
-
could probably use a bit of color. "Number
-
of potential account takeovers: 21." Is
-
that good? Is that bad? Not too sure. And
-
again, they could have had trend lines.
-
Are we going in the right direction
-
or a bad direction? For this one, I
-
wanted to show--pretty sure they've added
-
So that's going to
-
open in a new tab. It'll bring us to the
-
account takeover dashboard,
-
enabling the analyst who will be
-
using this to dive deeper into the
-
account takeovers happening in this
-
environment. Again, lots of high-level
-
stats across the top. Are they good? Are
-
they bad? It's not clear whether
-
858 is a good number or a bad
-
number, so they could have a bit of color
-
there, and again, a trend line.
-
Here's one that we haven't
-
touched on yet: mapping. You can add
-
maps to Splunk--different types of maps.
-
Choropleth maps is this one, and you can see that
-
there it's connections from risky or
-
unusual countries. So in your business, if
-
you're expecting everyone to log in from
-
the UK or perhaps America, and you're
-
getting a bunch of login attempts
-
from China, that's probably suspicious--
-
maybe something to have a look at.
-
As we scroll down, it's quite a
-
large dashboard, but this, I would expect,
-
would be more for the analyst who's
-
actually working on it rather than
-
someone looking for a high-level overview.
-
We'll move on to
-
the transaction fraud page.
-
Here we are. Yeah. So similar
-
sort of thing: high-level stats at the
-
top, followed by a number of different visualizations.
-
Chart here with a trend line on--
-
good use of different colors, I suppose.
-
The one I really wanted to show
-
off on this one was the risk model clustering.
-
Takes a little while to load, and
-
we'll see why once it actually loads.
-
This, I think in my opinion, is trying to be too clever.
-
Looks really cool. We have a 3D model of a risk
-
model that's moving in 3D space.
-
So there's a third axis to this graph.
-
And as I said, it
-
looks super cool--it's different colors
-
and different things--but it's not clear
-
to me at all what this graph is trying to convey.
-
So I guess the point I'm
-
trying to make there is: make sure that
-
your end user understands. Don't go for
-
cool points. Make sure that the end user
-
understands what you're trying to get
-
across. So jumping out of the financial
-
part now into a separate environment--
-
back to Buttercup Games. This is a
-
really good example of a dashboard,
-
actually. I'm very impressed with this one.
-
The reason I set this environment
-
up is because it had a really good
-
dashboard and a really bad dashboard,
-
but they've removed the bad dashboard
-
and they've left the good dashboard. So
-
we'll give them some points and tips,
-
and we'll talk about it a little bit.
-
It's not too busy. This is the
-
entirety of the dashboard--really good. So
-
we can see customer locations. It's
-
really obvious from the panel title
-
and the map what's going
-
on here. And then again, really
-
straightforward use of
-
color--the top country--and as you
-
click through, it goes from yellow
-
through to red. And the best thing about
-
this dashboard here is this panel here.
-
So they've used this panel as
-
a way to pass a token through to the
-
graphs below. So it's not really obvious
-
because the numbers don't jump around
-
too much, but as you click on each of
-
these operating systems, the graphs below
-
change to reflect only that operating system.
-
So we can see here Windows customers have this level of
-
spending versus Linux customers
-
who have that level of spending. It's
-
a really cool advanced feature of the
-
dashboard--using the panel to pass a
-
token through, pass information down to
-
other panels in the dashboard, and act
-
as a very fancy filter. So resetting
-
there back to all.
-
The other dashboard in this
-
environment is the Site Status dashboard.
-
Again, really impressed with this one.
-
Green and red--
-
surely we know what those signify.
-
Green is good and red is bad.
-
Again, not too busy. This is the entirety
-
of the dashboard here. So we can see
-
the site status--well, we can see the
-
site status at a really quick glance.
-
Successful versus unsuccessful, and then
-
we can see the types of errors here that
-
are being reported. And we can see
-
again the use of color--the very
-
deep red indicates that it's more severe.
-
So again, very effective dashboard here.
-
Simple use of color, simple
-
number of panels. Even I, as a non-web
-
developer, can see what's going on
-
here and what's good and what's bad.
-
The final dashboard that we're
-
going to have a look at--or the final
-
environment that we're going to have a
-
look at--is the InfoSec application and
-
a series of dashboards that are built in
-
there. The InfoSec app is a free app that
-
you can download from Splunkbase. As
-
I said before, apps are a bundle of
-
configuration files that come
-
pre-packaged along with a bunch of
-
dashboards and searches that power
-
those dashboards. You can download
-
this from Splunkbase for free. All you
-
need to provide is the data to power
-
these dashboards, and it will work just as
-
we're going to have a look at.
-
The first one we're going to take a
-
look at is the Executive View. Here we
-
can see a very high-level view of
-
what's going on in this environment.
-
The story of this environment is that
-
this network has been attacked and has malware
-
on it. We can see here from across the
-
top--red and blue--attacks being
-
stopped, malware that has been
-
blocked in the last 24 hours, and the
-
number of devices protected on the right.
-
This dashboard is not very
-
interactive, and I think that's probably
-
a designer's deliberate choice
-
because it's designed for the Executive
-
View--exactly as it says.
-
And you don't want to overcomplicate that. You
-
want to keep it very high level, make it
-
very clear what's going on so that
-
the decision-maker can make the decision
-
they need to make.
-
Next, we'll take a look at Security Posture.
-
A little bit more detailed--
-
lots of different visualizations in this one.
-
Again, the use of color--they've used
-
red and blue here.
-
These are showing up as red because
-
it's considered bad. If the number
-
was different,
-
it wouldn't be red, and you can configure
-
those thresholds however you'd like.
-
Like I said, number of different
-
visualizations--bar charts and graphs.
-
We don't have so much information
-
in this because it's a demo environment--
-
it's just been spun up.
-
Going through to the Network
-
Traffic dashboard, this is a good one to
-
look at. This is the one that really
-
tells the story of this environment.
-
Number of different tables
-
and different visualizations with
-
effective color formatting.
-
This is the panel of interest I
-
wanted to show for this demo. Using these
-
boxes here, we can filter to different
-
things, and there are numerous
-
different ways to do that. We can type
-
in there. Currently, it's populated with
-
an asterisk, which is the wildcard
-
character for Splunk, which means everything.
-
Or we can click down in
-
this table here, click on BitTorrent, and
-
that will populate the filter up here at
-
the top. And then we'll see all of the
-
hosts and information specific to the BitTorrent app.
-
We can see here--not important for
-
this demo--but what we can see is that
-
there's a number of hosts that have been
-
using BitTorrent and accidentally
-
downloaded some malware.
-
But from the dashboarding
-
point of view, we can see the different
-
sorts of panels and formatting options
-
and the different ways to add different
-
filters, and how to populate those
-
filters by using the drilldown actions.
-
The next one I wanted to take a look
-
at is under the Advanced Threats tab
-
and Network Anomalies.
-
This panel down at the
-
bottom is one of my favorite panels that
-
I get to show off, because it
-
shows--as it loads…
-
Access Anomalies, rather--because it
-
shows one of the real powers of
-
Splunk: it's taking information from
-
disparate data sources and giving you
-
conclusions that you might not have been
-
able to find if you were operating in
-
data silos. So here we have
-
geographically improbable
-
access. We can see here that the user
-
eford was in the city of Giza in Egypt,
-
and then a very short time later he was
-
in Japan. Just for a bit of
-
information, a bit of fun, you can see
-
there the speed at which he may have had
-
to travel to make that condition true.
-
He'd have to have moved around the world
-
at 1,281 miles an hour, and
-
Splunk is flagging up that it's very
-
improbable that this one guy is in these
-
two places at such a close period of
-
time. And what I said about bringing data
-
together and not keeping it in silos: so
-
in one data repository you have the
-
fact that efield has logged in, and in
-
another data source you have geographic
-
information, and you stick those two
-
together, and you can see here that this
-
guy is probably not whizzing around the
-
world like Superman, and you may have
-
the indications of a compromise of this
-
account. That's all I wanted to show
-
in the InfoSec application, so we'll
-
go back to the PowerPoint.
-
So the last thing I wanted to speak about
-
is the upcoming events. Somerford are
-
always running workshops and events. If
-
you want to find out what's coming up,
-
navigate over to the website and have a
-
look: somerfordassociates.com/events.
-
And we can see here the specific Splunk
-
events, but we do do events in other
-
technologies too. Check out all the
-
upcoming webinars and workshops that
-
we're
-
hosting. And if you want to join, just
-
click on the Register button, and
-
sometimes you even get a few little
-
goodies if you
-
join. If you have any questions, please
-
feel free to email info@somerfordassociates.com.
-
That's questions about
-
Splunk or dashboarding specifically, but
-
also any wider questions about Somerford and
-
Splunk in
-
general. Thank you for attending this
-
webinar. It's been a pleasure to speak
-
to you about dashboarding. Hopefully you
-
learned something, and for now,
-
goodbye.