How to Create Advanced Splunk Dashboards, Panels and Reports — Creating Management-Ready Dashboards

Rollback to version 2

0:02 - 0:04

Hello, and welcome to the Advanced Bulk
0:04 - 0:07

Dashboard and Showcase with me, Dan Gray.
0:08 - 0:12

I'm a qualified Splunk architect
0:12 - 0:13

with some of the associates.
0:13 - 0:16

I've been working here for a year now, and prior to
0:16 - 0:17

that, I was in the role area for eight years,
0:17 - 0:21

where I worked as a computer network analyst.
0:21 - 0:24

So who are Somerford?
0:24 - 0:25

Specialists in everything Splunk, and
0:25 - 0:29

we are an elite partner for licensed and professional services.
0:29 - 0:31

We also offer workshops and
0:31 - 0:34

webinars such as this. And if you're a
0:34 - 0:36

customer of ours, you have access to the
0:36 - 0:39

dedicated technical support desk.
0:39 - 0:42

So what's the agenda of this webinar?
0:42 - 0:44

We're going to learn to make smart
0:44 - 0:46

and interactive dashboards of real data--
0:46 - 0:49

reporting that will help us
0:49 - 0:51

graphically illustrate our IT operations
0:51 - 0:55

data using complex graphs and charts. But
0:55 - 0:57

really, what we're going to do is we're
0:57 - 0:59

going to make simple, effective
0:59 - 1:01

dashboards that communicate
1:01 - 1:04

what you want to communicate across to the end user.
1:05 - 1:07

We're going to try and take
1:07 - 1:10

dashboards from this--which is an
1:10 - 1:12

example of a bad dashboard that I've made.
1:12 - 1:14

It's very cluttered, not very
1:14 - 1:16

colorful, and it's really unclear what's
1:16 - 1:20

going on at first look. There's some
1:20 - 1:21

information in there. We can see that
1:21 - 1:24

stuff's happening--actions, products are
1:24 - 1:27

being viewed and removed from carts--
1:27 - 1:33

and stuff's happening. Really ineffective graphs, no axes, no labels.
1:33 - 1:36

Tables are not formatted correctly--
1:36 - 1:39

really not a good example
1:39 - 1:41

of effective communication
1:41 - 1:44

of the data that sits behind this dashboard.
1:44 - 1:46

I'm going to try and take it from
1:46 - 1:48

that to something a little bit more like this.
1:48 - 1:51

This is using the same data;
1:51 - 1:53

however, hopefully it's a little bit more
1:53 - 1:56

illustrative of what's going on. We've
1:56 - 1:58

got revenue, we've got graphs, we've got
1:58 - 2:01

tables, single-value figures,
2:01 - 2:03

and a bit of color in there that
2:03 - 2:05

makes it a little bit more digestible.
2:07 - 2:09

But before we are able to
2:09 - 2:11

make a dashboard, we have to get started
2:11 - 2:12

with Splunk. If you've never used Splunk
2:12 - 2:14

before, it's really straightforward to
2:14 - 2:16

get going. Head to the website and make
2:16 - 2:18

an account, download the latest version
2:18 - 2:21

of Splunk Enterprise, install it, and then add
2:21 - 2:24

data--and away you go. When I say add
2:24 - 2:27

data, anything that's human-readable, Splunk
2:27 - 2:30

can ingest and make sense of--whether
2:30 - 2:32

that's the logs from your own PC that
2:32 - 2:35

you're logging in, or you can get datasets
2:35 - 2:38

online, such as the New York taxi
2:38 - 2:40

companies--they publish information
2:40 - 2:43

about taxi journeys. Even online, the
2:43 - 2:47

computer game--you can get data dumps
2:47 - 2:49

from activities that have happened in
2:49 - 2:52

the game to help you play around with
2:52 - 2:54

Splunk if you've not got access to a
2:54 - 2:57

large computer network or another
2:57 - 2:59

data source. There are resources out
2:59 - 3:02

there online where you can take data and
3:02 - 3:04

get it into Splunk, and then start
3:04 - 3:07

learning and playing around with it.
3:07 - 3:09

Once you've installed Splunk, this is
3:09 - 3:12

what you'll be faced with. This is the
3:12 - 3:15

homepage. Looks a little bit different in
3:15 - 3:18

version 9, but all the same features
3:18 - 3:20

are there. Product tours, really
3:20 - 3:22

straightforward navigation through the
3:22 - 3:25

queries of whichever product you've downloaded.
3:25 - 3:26

Adding data--the most
3:26 - 3:30

important button. This is where you really start
3:30 - 3:32

getting anything out of Splunk--by
3:32 - 3:35

adding different data sources. As I said,
3:35 - 3:37

it has to be human-readable, but you
3:37 - 3:41

can take network information, logs, events, and metrics.
3:41 - 3:45

Splunk apps--that will take
3:45 - 3:47

you to Splunkbase, the website, the
3:47 - 3:51

repository of apps. And in Splunk,
3:51 - 3:54

apps mean it's a bundle of configuration files.
3:56 - 3:59

There are apps for numerous different products.
4:01 - 4:03

If you want to ingest a data source,
4:03 - 4:05

the first place to look is on Splunkbase
4:05 - 4:07

and see if someone's done the hard work for you already.
4:07 - 4:10

And then finally, Splunk Docs
4:10 - 4:13

is the documentation for Splunk--
4:13 - 4:15

really well maintained,
4:15 - 4:18

organized, and makes sense.
4:18 - 4:20

If there's something that you'd like
4:20 - 4:22

to do in Splunk, it's very likely that
4:22 - 4:23

you'll be able to find out how to do it
4:23 - 4:26

by looking through this documentation.
4:27 - 4:29

This webinar's about
4:29 - 4:30

dashboards--so how do we make your
4:30 - 4:34

dashboards? Click on the Dashboard
4:34 - 4:37

button primarily, and then the next button
4:37 - 4:39

you will click is Create Dashboard.
4:39 - 4:41

You will be faced with this pop-up here.
4:41 - 4:44

This is where you set the
4:44 - 4:46

premises for the dashboard you're making.
4:46 - 4:48

Things that you need to
4:48 - 4:51

fill in are the dashboard title,
4:51 - 4:54

the permissions, whether you're using
4:54 - 4:56

Classic Dashboards or Dashboard Studio.
4:56 - 5:00

In this webinar, we'll be using Dashboard Studio.
5:01 - 5:03

Classic Dashboards and Dashboard
5:03 - 5:06

Studio have different functionalities.
5:06 - 5:08

Dashboard Studio is the
5:08 - 5:11

newer version--the newer offering by Splunk--
5:11 - 5:12

and they're working to catch up with
5:12 - 5:14

some of the functionality from Classic
5:14 - 5:17

Dashboards. Dashboard Studio also has
5:17 - 5:19

extra functionality that you can't get
5:19 - 5:22

in Classic Dashboards. As I said, this
5:22 - 5:25

webinar will be using Dashboard Studio,
5:25 - 5:27

so we'll see some of the functions and
5:27 - 5:28

settings and stuff that we can use
5:28 - 5:31

that are exclusive to Dashboard Studio.
5:31 - 5:36

And finally, absolute or grid layout mode.
5:36 - 5:37

What that means will
5:37 - 5:39

be really much more obvious once we get
5:39 - 5:42

into editing the dashboard. But as it
5:42 - 5:44

says there, if you choose absolute layout,
5:44 - 5:46

you get full control of where you want
5:46 - 5:50

to place your panels, whereas grid snaps to location.
5:52 - 5:55

But before you do that--start with a plan.
5:55 - 5:58

Before making any dashboard, you
5:58 - 6:00

want to go to your end user or your
6:00 - 6:02

customer--or if it's working on your own
6:02 - 6:03

behalf--have a good think about what you
6:03 - 6:06

want this dashboard to show. This is a
6:06 - 6:07

really quick one that I knocked up in
6:07 - 6:11

Microsoft Paint. However, this is the
6:11 - 6:13

sort of thing that I'd like to receive
6:13 - 6:15

from a customer. At this point, I'm not
6:15 - 6:17

particularly interested in what sort of
6:17 - 6:20

Splunk queries they want to run in the
6:20 - 6:22

background. What I want to know is what
6:22 - 6:24

they want their dashboard to show--and
6:24 - 6:28

leave it up to me to figure out how to make that work.
6:28 - 6:31

So on the left, we have a hospital dashboard--
6:31 - 6:34

high-level overview, info
6:34 - 6:37

about number of patients, records
6:37 - 6:39

prior, and detailed view--and a couple of
6:39 - 6:41

notes on the bottom: make it look sleek,
6:41 - 6:44

include color coding. On the right, a
6:44 - 6:46

car factory example. So if we keep
6:46 - 6:48

those two plans in our mind as we go
6:48 - 6:50

through, we're gonna see those
6:50 - 6:52

materialize to life. As I said, at this
6:52 - 6:54

point, I don't want to know about the
6:54 - 6:56

data that powers these dashboards, nor
6:56 - 6:58

the Splunk searches that we'll need to
6:58 - 7:00

run to get it working. I really want to
7:00 - 7:03

know what the customer wants out of their dashboard.
7:05 - 7:07

Once you've got that,
7:08 - 7:11

perhaps counterintuitively, the first thing that
7:11 - 7:13

I suggest you do when making a
7:13 - 7:14

dashboard is add a background.
7:14 - 7:17

The background can really
7:17 - 7:22

provide the skeleton of your dashboard,
7:22 - 7:24

and it can really add context to the data.
7:24 - 7:25

So here are a couple of
7:25 - 7:27

dashboards that we have--prepopulated,
7:27 - 7:30

perfectly fine dashboards--not too busy,
7:30 - 7:33

quite colorful, well-labeled, and make
7:33 - 7:35

sense. But they could be taken to the
7:35 - 7:37

next level by adding a background--and
7:37 - 7:40

we'll see how just now.
7:40 - 7:43

So here we have the left
7:43 - 7:46

dashboard without the background.
7:46 - 7:48

As we transition to the
7:48 - 7:50

background, as we had in our Planets
7:50 - 7:54

Hospital-themed dashboard, we can
7:54 - 7:56

see that these lines that are connected
7:56 - 7:57

up to the data--these are part of the
7:57 - 7:59

background. So the colored lines and the
7:59 - 8:01

boxes are all part of the background
8:01 - 8:04

image, and we can really see how that
8:04 - 8:07

adds context to the data that we're presenting.
8:07 - 8:10

Next, we have
8:10 - 8:15

a car factory. So instead of
8:15 - 8:18

the bare panels, we can arrange
8:18 - 8:22

those panels along the background
8:22 - 8:24

in a way that makes sense. And at a
8:24 - 8:27

glance, we can see that this is to do
8:27 - 8:30

with production lines and where
8:33 - 8:35

the data sits on that
8:35 - 8:39

production line--so where the problems may occur.
8:39 - 8:42

So, how do we add a background?
8:42 - 8:44

Here we have our view
8:44 - 8:45

after we've created a new dashboard.
8:45 - 8:47

We'll be looking over here--create a
8:47 - 8:49

background image. You can drag and
8:49 - 8:53

drop an image file, and it will load
8:53 - 8:56

and be populated into your
8:56 - 9:01

dashboard, or else you can add a URL.
9:01 - 9:04

Out of the box, there are a
9:04 - 9:07

number of configured whitelisted
9:07 - 9:09

URLs that Splunk will use to
9:09 - 9:13

populate backgrounds, and those are all Splunk-related.
9:13 - 9:16

If you have a website--as we do at
9:16 - 9:19

Somerford and Associates--you'll have to
9:19 - 9:22

whitelist that website to be able to get
9:22 - 9:26

your image populated in your dashboards.
9:30 - 9:32

So here I've used the URL of one of
9:32 - 9:34

the Splunk ones, and here's a good
9:34 - 9:37

point to bring in some context to
9:37 - 9:39

this webinar. We'll be using data that's
9:39 - 9:41

themed around a company called Buttercup
9:41 - 9:45

Games. This is the Buttercup Games
9:45 - 9:47

background. Buttercup Games sell all sorts
9:47 - 9:51

of different things--nerdy apparel,
9:51 - 9:55

games, and things associated with those.
9:55 - 9:58

And we'll see the theme of that as we
9:58 - 10:00

go through the dashboard.
10:00 - 10:02

So we've added the background, and we
10:02 - 10:04

can see now the skeleton of what we
10:04 - 10:07

want our dashboard to look like. It
10:07 - 10:09

will help when we're arranging our
10:09 - 10:12

panels--where we want to put them.
10:12 - 10:16

So how do we add our panels? Well,
10:16 - 10:17

the first thing to think about is the
10:17 - 10:20

best way to visualize the data that you
10:20 - 10:22

are trying to present--whether that's
10:22 - 10:26

going to be a pie chart, a table, or a
10:26 - 10:28

bar chart. The location of panels and the
10:28 - 10:29

orientation of panels--those go hand
10:29 - 10:32

in hand. You want to try and tell a
10:32 - 10:35

story--a logical story--in your
10:35 - 10:37

dashboard. Try to keep related things
10:37 - 10:39

nearby and make it simple for the user
10:39 - 10:44

to follow. Very importantly, don't overload with information.
10:47 - 10:49

So how do we add a panel?
10:49 - 10:50

There are a few different ways. You can do
10:50 - 10:52

it directly from the dashboard, but in
10:52 - 10:54

this case, we are doing it from a search
10:54 - 10:58

we've run. Search is not
10:58 - 11:01

the topic of this webinar, so we
11:01 - 11:02

won't dig too much into the search that
11:02 - 11:05

we have run. Suffice to say that I've run
11:05 - 11:09

a search here in Splunk
11:09 - 11:11

and ended up with a table. What you
11:11 - 11:13

need to do is click “Save As”
11:13 - 11:18

over here and save it to an existing dashboard.
11:18 - 11:21

Then it's as simple as finding your
11:21 - 11:23

dashboard, making sure it's
11:23 - 11:25

ticked, and giving it a panel title
11:25 - 11:27

(that's optional). It's definitely best
11:27 - 11:30

practice to give a panel title that
11:30 - 11:32

really explains what that panel is going to do.
11:32 - 11:35

Then press “Save to Dashboard”--and
11:35 - 11:36

there we are.
11:36 - 11:40

We've added our first panel to our dashboard.
11:40 - 11:42

It's fine. We can see that
11:42 - 11:43

we've got products, we've got purchases,
11:43 - 11:46

and the revenue that we're generating off those products.
11:46 - 11:49

But we might be able to
11:49 - 11:54

improve it by using a few formatting options.
11:54 - 11:55

There are
11:55 - 11:56

loads and loads of formatting options
11:56 - 11:58

when you come in to make a panel--and
11:58 - 12:01

dashboards themselves, for that matter.
12:01 - 12:03

Some of them are on the screen now. And
12:03 - 12:06

when we go to the live portion
12:06 - 12:07

of the webinar, where I go into some
12:07 - 12:09

different dashboards, we'll have a look
12:09 - 12:11

at some of the formatting options there.
12:11 - 12:14

But for this case,
12:14 - 12:18

here's the same table after using some formatting options.
12:18 - 12:21

I've used color for
12:21 - 12:24

the purchases to illustrate whether
12:24 - 12:27

those are good numbers or bad numbers,
12:27 - 12:28

and then added a couple of pound signs
12:28 - 12:33

there as well just to show that that's money.
12:35 - 12:38

Next: adding more panels. So the
12:38 - 12:40

different types of panels that you can minute.
12:40 - 12:42

add--the different format options.
12:42 - 12:45

Choose your visualizations to
12:45 - 12:48

suit the data. Panel titles--don't forget
12:48 - 12:50

those. Chart type and the time range
12:50 - 12:52

picker--that will show you how far back
12:52 - 12:55

in time you want your dashboard to look.
12:55 - 12:58

And drilldowns is a more
12:58 - 13:00

advanced formatting option, where
13:00 - 13:02

you can set the behavior if you click on
13:02 - 13:04

each panel--what that behavior will do.
13:04 - 13:07

We'll talk about that more in a minute.
13:07 - 13:10

So I've just chucked in a new panel--
13:10 - 13:13

this time a pie chart--
13:13 - 13:17

continuing to add panels to our dashboard.
13:17 - 13:20

A few different visualization types
13:20 - 13:21

now: we've got tables, we've got pie
13:21 - 13:25

charts, and we've got a stacked pie chart.
13:25 - 13:28

And finally, down there on the bottom right, a single value.
13:33 - 13:34

Don't forget to save your dashboard
13:34 - 13:36

as you're going through. As we can see
13:36 - 13:39

there: "Success. Dashboard saved." Make
13:39 - 13:40

sure you save your dashboard as you go
13:40 - 13:41

along, because if you navigate away from
13:41 - 13:43

it, you might lose your progress.
13:43 - 13:46

Here, we've added an image of
13:46 - 13:48

the Somerford logo because I wanted to
13:48 - 13:51

illustrate the drilldown mechanic
13:51 - 13:54

that you can add to a dashboard.
13:54 - 13:56

So how do we do that?
13:56 - 14:00

Click on the image in this case--or
14:00 - 14:03

the panel or the object within the
14:03 - 14:05

dashboard. And on the right-hand side,
14:05 - 14:07

you'll get an options menu to
14:07 - 14:11

configure your object. In our case,
14:11 - 14:13

we're going to add a drilldown. So there
14:13 - 14:16

we go--drilldown. To add a drilldown,
14:18 - 14:21

you've got on-click options.
14:21 - 14:23

So there's stuff such as "link to
14:23 - 14:23

another
14:23 - 14:27

dashboard," "link to a search," and you
14:27 - 14:29

can decide whether you want that in a
14:29 - 14:31

new tab or the tab that you're already in.
14:31 - 14:33

In our case, we're going to link to
14:33 - 14:35

a custom URL. So I've linked it there to
14:35 - 14:37

the Somerford website. When the
14:37 - 14:39

end user is using this dashboard, if they
14:39 - 14:42

click that image, they will navigate to the
14:42 - 14:45

Somerford & Associates website.
14:53 - 14:55

I'll move on over now to the
14:55 - 14:57

live portion of the demo, in which we're
14:57 - 14:59

going to have a look at three different
14:59 - 15:01

demo environments that we've spun up in
15:01 - 15:04

Splunk that are populated with fake, fake data.
15:04 - 15:07

But there's a number of
15:07 - 15:08

dashboards that we could have a look at,
15:08 - 15:11

and we'll see some of the good and
15:11 - 15:13

bad points of those dashboards.
15:14 - 15:17

So the first one I've clicked into here--
15:17 - 15:21

Financial Crime--is the theme of this dashboard.
15:22 - 15:25

This is what I would say is the
15:25 - 15:27

executive summary page of this
15:27 - 15:30

environment--so the control room, as it's
15:30 - 15:35

called. Here we have a number of panels
15:35 - 15:38

that are well labeled, so we
15:38 - 15:40

can kind of tell what's going on at a
15:40 - 15:41

glance. We can see different accounts
15:41 - 15:47

there that are important and a number of different visualizations.
15:47 - 15:49

In these environments
15:49 - 15:50

that Splunk has spun up as demos, sometimes
15:50 - 15:54

they use a visualization that
15:54 - 15:56

might not be the most applicable to
15:56 - 15:58

the data--mainly because they want to
15:58 - 16:02

just show off some of the different visualizations that are possible.
16:02 - 16:04

But all in all, not a bad dashboard.
16:04 - 16:06

I'd say at the top here, we
16:06 - 16:08

could probably use a bit of color. "Number
16:08 - 16:11

of potential account takeovers: 21." Is
16:11 - 16:14

that good? Is that bad? Not too sure. And
16:14 - 16:15

again, they could have had trend lines.
16:15 - 16:17

Are we going in the right direction
16:17 - 16:19

or a bad direction? For this one, I
16:19 - 16:22

wanted to show--pretty sure they've added
16:22 - 16:24

So that's going to
16:24 - 16:26

open in a new tab. It'll bring us to the
16:26 - 16:28

account takeover dashboard,
16:30 - 16:31

enabling the analyst who will be
16:31 - 16:35

using this to dive deeper into the
16:35 - 16:38

account takeovers happening in this
16:38 - 16:41

environment. Again, lots of high-level
16:41 - 16:43

stats across the top. Are they good? Are
16:43 - 16:46

they bad? It's not clear whether
16:46 - 16:49

858 is a good number or a bad
16:49 - 16:51

number, so they could have a bit of color
16:51 - 16:54

there, and again, a trend line.
16:54 - 16:57

Here's one that we haven't
16:57 - 16:59

touched on yet: mapping. You can add
16:59 - 17:01

maps to Splunk—different types of maps.
17:01 - 17:05

Choropleth maps is this one, and you can see that
17:08 - 17:10

there it's connections from risky or
17:10 - 17:13

unusual countries. So in your business, if
17:13 - 17:14

you're expecting everyone to log in from
17:14 - 17:16

the UK or perhaps America, and you're
17:16 - 17:19

getting a bunch of login attempts
17:19 - 17:21

from China, that's probably suspicious--
17:21 - 17:23

maybe something to have a look at.
17:23 - 17:26

As we scroll down, it's quite a
17:26 - 17:29

large dashboard, but this, I would expect,
17:29 - 17:31

would be more for the analyst who's
17:31 - 17:33

actually working on it rather than
17:33 - 17:37

someone looking for a high-level overview.
17:39 - 17:42

We'll move on to
17:42 - 17:45

the transaction fraud page.
17:49 - 17:51

Here we are. Yeah. So similar
17:51 - 17:54

sort of thing: high-level stats at the
17:54 - 17:58

top, followed by a number of different visualizations.
17:58 - 18:00

Chart here with a trend line on--
18:02 - 18:06

good use of different colors, I suppose.
18:06 - 18:08

The one I really wanted to show
18:08 - 18:11

off on this one was the risk model clustering.
18:12 - 18:14

Takes a little while to load, and
18:14 - 18:16

we'll see why once it actually loads.
18:16 - 18:22

This, I think in my opinion, is trying to be too clever.
18:22 - 18:27

Looks really cool. We have a 3D model of a risk
18:27 - 18:30

model that's moving in 3D space.
18:30 - 18:34

So there's a third axis to this graph.
18:34 - 18:35

And as I said, it
18:35 - 18:37

looks super cool--it's different colors
18:37 - 18:39

and different things--but it's not clear
18:39 - 18:43

to me at all what this graph is trying to convey.
18:43 - 18:45

So I guess the point I'm
18:45 - 18:48

trying to make there is: make sure that
18:48 - 18:50

your end user understands. Don't go for
18:50 - 18:51

cool points. Make sure that the end user
18:51 - 18:54

understands what you're trying to get
18:54 - 18:56

across. So jumping out of the financial
18:56 - 18:59

part now into a separate environment--
18:59 - 19:03

back to Buttercup Games. This is a
19:03 - 19:06

really good example of a dashboard,
19:06 - 19:09

actually. I'm very impressed with this one.
19:09 - 19:11

The reason I set this environment
19:11 - 19:13

up is because it had a really good
19:13 - 19:15

dashboard and a really bad dashboard,
19:15 - 19:17

but they've removed the bad dashboard
19:17 - 19:20

and they've left the good dashboard. So
19:20 - 19:22

we'll give them some points and tips,
19:22 - 19:25

and we'll talk about it a little bit.
19:25 - 19:27

It's not too busy. This is the
19:27 - 19:29

entirety of the dashboard--really good. So
19:29 - 19:31

we can see customer locations. It's
19:31 - 19:34

really obvious from the panel title
19:34 - 19:36

and the map what's going
19:36 - 19:40

on here. And then again, really
19:40 - 19:42

straightforward use of
19:42 - 19:45

color--the top country--and as you
19:45 - 19:47

click through, it goes from yellow
19:47 - 19:49

through to red. And the best thing about
19:49 - 19:53

this dashboard here is this panel here.
19:53 - 19:58

So they've used this panel as
19:58 - 20:01

a way to pass a token through to the
20:01 - 20:04

graphs below. So it's not really obvious
20:04 - 20:05

because the numbers don't jump around
20:05 - 20:07

too much, but as you click on each of
20:07 - 20:12

these operating systems, the graphs below
20:12 - 20:17

change to reflect only that operating system.
20:17 - 20:21

So we can see here Windows customers have this level of
20:21 - 20:25

spending versus Linux customers
20:25 - 20:29

who have that level of spending. It's
20:29 - 20:32

a really cool advanced feature of the
20:32 - 20:35

dashboard--using the panel to pass a
20:35 - 20:37

token through, pass information down to
20:37 - 20:40

other panels in the dashboard, and act
20:40 - 20:43

as a very fancy filter. So resetting
20:43 - 20:45

there back to all.
20:45 - 20:47

The other dashboard in this
20:47 - 20:50

environment is the Site Status dashboard.
20:50 - 20:53

Again, really impressed with this one.
20:53 - 20:55

Green and red--
20:55 - 20:58

surely we know what those signify.
20:58 - 21:02

Green is good and red is bad.
21:02 - 21:03

Again, not too busy. This is the entirety
21:03 - 21:06

of the dashboard here. So we can see
21:06 - 21:09

the site status--well, we can see the
21:09 - 21:13

site status at a really quick glance.
21:13 - 21:15

Successful versus unsuccessful, and then
21:15 - 21:18

we can see the types of errors here that
21:18 - 21:20

are being reported. And we can see
21:20 - 21:22

again the use of color--the very
21:22 - 21:25

deep red indicates that it's more severe.
21:25 - 21:28

So again, very effective dashboard here.
21:28 - 21:32

Simple use of color, simple
21:32 - 21:35

number of panels. Even I, as a non-web
21:35 - 21:38

developer, can see what's going on
21:38 - 21:41

here and what's good and what's bad.
21:42 - 21:44

The final dashboard that we're
21:44 - 21:45

going to have a look at--or the final
21:45 - 21:46

environment that we're going to have a
21:46 - 21:50

look at--is the InfoSec application and
21:50 - 21:52

a series of dashboards that are built in
21:52 - 21:55

there. The InfoSec app is a free app that
21:55 - 21:57

you can download from Splunkbase. As
21:57 - 22:00

I said before, apps are a bundle of
22:00 - 22:02

configuration files that come
22:02 - 22:03

pre-packaged along with a bunch of
22:03 - 22:05

dashboards and searches that power
22:05 - 22:07

those dashboards. You can download
22:07 - 22:09

this from Splunkbase for free. All you
22:09 - 22:11

need to provide is the data to power
22:11 - 22:12

these dashboards, and it will work just as
22:12 - 22:14

as we're going to have a look at.
22:14 - 22:16

The first one we're going to take a
22:16 - 22:19

look at is the Executive View. Here we
22:19 - 22:22

can see a very high-level view of
22:22 - 22:24

what's going on in this environment.
22:24 - 22:26

The story of this environment is that
22:26 - 22:29

this network has been attacked and has malware
22:29 - 22:32

on it. We can see here from across the
22:32 - 22:37

top--red and blue--attacks being
22:37 - 22:40

stopped, malware that has been
22:40 - 22:41

blocked in the last 24 hours, and the
22:41 - 22:44

number of devices protected on the right.
22:44 - 22:45

This dashboard is not very
22:45 - 22:47

interactive, and I think that's probably
22:47 - 22:51

a designer's deliberate choice
22:51 - 22:54

because it's designed for the Executive
22:54 - 22:57

View--exactly as it says.
22:57 - 22:59

And you don't want to overcomplicate that. You
22:59 - 23:01

want to keep it very high level, make it
23:01 - 23:04

very clear what's going on so that
23:04 - 23:06

the decision-maker can make the decision
23:06 - 23:07

they need to make.
23:07 - 23:12

Next, we'll take a look at Security Posture.
23:12 - 23:15

A little bit more detailed--
23:15 - 23:17

lots of different visualizations in this one.
23:17 - 23:19

Again, the use of color--they've used
23:19 - 23:22

red and blue here.
23:22 - 23:24

These are showing up as red because
23:24 - 23:28

it's considered bad. If the number
23:28 - 23:29

was different,
23:29 - 23:31

it wouldn't be red, and you can configure
23:31 - 23:34

those thresholds however you'd like.
23:36 - 23:38

Like I said, number of different
23:38 - 23:40

visualizations--bar charts and graphs.
23:40 - 23:41

We don't have so much information
23:41 - 23:44

in this because it's a demo environment--
23:44 - 23:46

it's just been spun up.
23:47 - 23:52

Going through to the Network
23:52 - 23:54

Traffic dashboard, this is a good one to
23:54 - 23:56

look at. This is the one that really
23:56 - 23:58

tells the story of this environment.
23:58 - 23:59

Number of different tables
23:59 - 24:01

and different visualizations with
24:01 - 24:03

effective color formatting.
24:03 - 24:06

This is the panel of interest I
24:06 - 24:09

wanted to show for this demo. Using these
24:09 - 24:12

boxes here, we can filter to different
24:12 - 24:13

things, and there are numerous
24:13 - 24:15

different ways to do that. We can type
24:15 - 24:17

in there. Currently, it's populated with
24:17 - 24:19

an asterisk, which is the wildcard
24:19 - 24:21

character for Splunk, which means everything.
24:21 - 24:23

Or we can click down in
24:23 - 24:26

this table here, click on BitTorrent, and
24:26 - 24:29

that will populate the filter up here at
24:29 - 24:31

the top. And then we'll see all of the
24:31 - 24:35

hosts and information specific to the BitTorrent app.
24:36 - 24:39

We can see here--not important for
24:39 - 24:40

this demo--but what we can see is that
24:40 - 24:41

there's a number of hosts that have been
24:41 - 24:43

using BitTorrent and accidentally
24:43 - 24:45

downloaded some malware.
24:45 - 24:46

But from the dashboarding
24:46 - 24:47

point of view, we can see the different
24:47 - 24:50

sorts of panels and formatting options
24:50 - 24:52

and the different ways to add different
24:52 - 24:55

filters, and how to populate those
24:55 - 24:57

filters by using the drilldown actions.
24:57 - 24:59

The next one I wanted to take a look
24:59 - 25:02

at is under the Advanced Threats tab
25:02 - 25:04

and Network Anomalies.
25:04 - 25:07

This panel down at the
25:07 - 25:08

bottom is one of my favorite panels that
25:08 - 25:11

I get to show off, because it
25:11 - 25:14

shows--as it loads…
25:14 - 25:17

loads access anomalies rather because it
25:17 - 25:19

shows uh one of the real powers of
25:19 - 25:22

Splunk it's taking information from
25:22 - 25:24

disperate data sources and giving you
25:24 - 25:25

conclusions that you might not have been
25:25 - 25:28

able to find if you were um operating in
25:28 - 25:31

data signers so here we have
25:31 - 25:34

geographically improbable
25:34 - 25:38

access um we can see here that the user
25:38 - 25:41

eford was in the city of gizer in Egypt
25:41 - 25:44

and then a very short time later he was
25:44 - 25:47

in Japan um just for a bit of
25:47 - 25:49

information a bit of fun you can see
25:49 - 25:50

there the speed at which he may have had
25:50 - 25:53

to travel to to make that condition true
25:53 - 25:55

he'd have to have moved around the world
25:55 - 25:59

at uh 1,281 miles hour and
25:59 - 26:01

Splunk is flagging up that it's very
26:01 - 26:03

improbable that this one guy is in these
26:03 - 26:07

two places at such close um period of
26:07 - 26:09

time and what I said about bringing data
26:09 - 26:11

together and not keeping it in silos so
26:11 - 26:13

in one um data repository you have the
26:13 - 26:17

fact that efield has logged in uh and in
26:17 - 26:18

another data C you have geographic
26:18 - 26:20

information and you stick those two
26:20 - 26:22

together and you can see here that this
26:22 - 26:25

guy is probably not withen around the
26:25 - 26:29

world like Superman and you may have uh
26:29 - 26:33

the indications of a compromise of this
26:36 - 26:38

account um that's all I wanted to show
26:38 - 26:41

in in the infos SEC application so we'll
26:41 - 26:45

go back to the PowerPoint
26:45 - 26:48

um so last thing I wanted to speak about
26:48 - 26:50

is the upcoming events um sum food are
26:50 - 26:52

always running workshops and events if
26:52 - 26:54

you want to find out what's coming up uh
26:54 - 26:56

navigate over to the website and have a
26:56 - 27:00

look um suit associates.com SL events
27:00 - 27:01

and we can see here the specific Splunk
27:01 - 27:04

events but we do do um events and other
27:04 - 27:07

Technologies too uh check out all the
27:07 - 27:08

upcoming webinars and workshops that
27:08 - 27:09

we're
27:09 - 27:11

hosting and if you want to join uh just
27:11 - 27:12

click on the register button and
27:12 - 27:14

sometimes you even get a little uh
27:14 - 27:16

goodies if you
27:16 - 27:19

join if you have any questions please
27:19 - 27:21

feel free to uh email info suf
27:21 - 27:23

associates.com that's questions about
27:23 - 27:26

Splunk or dashboarding specifically but
27:26 - 27:28

also any wider questions about sumed and
27:28 - 27:30

spun in
27:30 - 27:32

general thank you for attending this
27:32 - 27:35

webinar uh it's been a pleasure to speak
27:35 - 27:36

to you about dashboarding hopefully you
27:36 - 27:41

learn something and uh for now
27:41 - 27:44

goodbye

Title:: How to Create Advanced Splunk Dashboards, Panels and Reports — Creating Management-Ready Dashboards
Description:: more » « less
Video Language:: English
Duration:: 27:42

	OEVIDEOS edited English subtitles for How to Create Advanced Splunk Dashboards, Panels and Reports — Creating Management-Ready Dashboards
	OEVIDEOS edited English subtitles for How to Create Advanced Splunk Dashboards, Panels and Reports — Creating Management-Ready Dashboards
	OEVIDEOS edited English subtitles for How to Create Advanced Splunk Dashboards, Panels and Reports — Creating Management-Ready Dashboards
	OEVIDEOS edited English subtitles for How to Create Advanced Splunk Dashboards, Panels and Reports — Creating Management-Ready Dashboards

English subtitles

Revisions Compare revisions

Revision 4 Edited

OEVIDEOS
Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	4	OEVIDEOS
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

How to Create Advanced Splunk Dashboards, Panels and Reports — Creating Management-Ready Dashboards

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)