SplunkStart for Beginners and Advanced Users

Imagine you're a new user who just downloaded Splunk and read the tutorial (or followed the getting started part of the tour) to get data in. You even managed to get some fields extracted using the interactive field extractor that comes with Splunk. But now you want to create dashboards in Splunk in less than a hour to impress your co-workers and management to get a project started.

Although the time to become productive with Splunk is very quick, for a new user, one hour with your own data is probably stretching the limits. There has to a be a faster way.

In a different scenario, you're a power user with Splunk or an admin and have to create the same types of dashboards several times for different groups showing the same patterns, but with different data. You have a dashboard that shows 75 percentile for CPU, memory, company voting records, badge check-ins, github downloads, etc. It's the same dashboard, but it's repeatedly created multiple times, so it'd be nice to create a template-based dashboard to give to less than power users. They can simply plug in their index, sourcetype, and field names to produce their own dashboards and allow them to update them at will.

For both these scenarios, SplunkStart was created in 2017 and is downloadable from Splunkbase for free. I created the framework and our summer intern, David McDonald, created the configuration pages to update existing and new content. We're hoping that this approach will increase your productivity with Splunk.

Let's start with new users first.

Introduction

After downloading SplunkStart and installing it on the search head or standalone Splunk instance (which means untaring it into the $SPLUNK_HOME/etc/apps directory and restarting Splunk), you're ready to start. There are pre-requisites that the app will tell you about to install advance visualizations from Splunkbase and to optionally install the Splunk Event Generator and Cisco TA to see sample data in the available dashboards. You first get the introduction page.

This tells you the basics on how to use the app and has permanent links to the out of the box template dashboards. If you installed the Splunk Event Generator and Cisco TA, click on some of the out of the box dashboards to see what they look like. For instance, here's a map and choropleth map dashboard.

Here's a sample Advanced Visualizations Dashboard:

Each panel will have comments in blue and a Show SPL button to see how the underlying search and corresponding macro works. For instance:

It also contains the macro that powers the search. Okay, this is fine, but how do you use your own data to power the template-based dashboards?

First, if you don't know your field names, click on the Discover Fields menu button to open it in a new tab and then click on your index and sourcetype.

Field names will now appear. Take note on the names, type (numeric, string, or IP), and cardinality. The cardinality tells you how many unique values were found for that field name in the time range. A high cardinality (greater than 100) would not be good for a visual timechart command, but may be better suited for a stats command. Next, let's start changing the macros that drive the searches for the dashboards using the Configure Splunk Start App menu button.

Click on Modify Dashboard Macros. Here, you'll see a tab for each dashboard that comes with SplunkStart. Let's change the timechart macros to use your data.

Each macro is going to have 4 fields that are always going to be there—index name, sourcetype name, earliest time for the search, and latest time for the search. In our example, they are defaulted to main, cisco:asa, -15m for earliest (last 15 minutes), and now for latest. What you want to do is change one macro at a time to use your index name, sourcetype name, earliest, latest, and whatever fields are required for the macro.

For timechart, a span time is set to 30 seconds and it uses a count or average to compute for a field. Try it with your names and click on Save Macros. Then from the same window, click on See Current Dashboard to see if your change worked. If so, change all the macros on the page to reflect your data and be sure to click on See Current Dashboard to see your changes before moving on to other work.

There's a faster way to do this for advance users in the documentation. After finishing up Timechart, change the other dashboards to use your own data instead of event generated data. Your changes get saved to the local directory of the app.

After changing the dashboard macros, you may want to now change the titles of each panel on each dashboard. Under Configure Splunk Start App, click on Change Dashboard Titles.

The existing titles already appear and all you have to do is override them with your names and click on Save Titles; you can do this for each dashboard (there's a faster way to do this in the documentation for advanced users).

The result is you have out of the box dashboards showing your data with some analytics of the data. You can update the values for macros at any time to try them with new fields or time ranges, give a demo of what you did to others and get instant value out of your data as a beginner. The Show SPL button on each panel will help you learn how the underlying search was written to get you beyond beginner stage.

Advanced Users

As alluded to above, the app is also for advanced users who already know how to write Splunk searches and create dashboards. Suppose you wanted to create a template-based dashboard to add to the ones that already came with SplunkStart. From the Configure Splunk Start Menu button, click on Add New Content.

You first want to create a reusable macro, which can be done under the Add Macro section. I have filled in a sample on the page below.

Next, click on Add Saved Search to fill in values for your macro.

After this, you can create new a dashboard for your saved search or use an existing one—click on Add Dashboard Page to create a new dashboard. Again, I've filled it out below with sample required fields. The name of the dashboard and a label is required.

You can now click on Add Panel to Dashboard to use your saved search for inside your dashboard as a panel. I have filled in our sample panel below.

You need to choose a dashboard, a saved search, type of visualization, and a title for your panel, then click on Save Panel. Your template-based dashboard has now been created. Create more macros, saved searches, and panels for your dashboard and give the app to your user to fill in the macros using their own data. What's cool (thanks, David!) is that your new dashboard appears in the Modify Dashboards Screen just like all other out of the box Dashboards. (The running version of your dashboard appears under the main Dashboards menu). Notice that you can modify the macros right there just like you do in the beginners section.

To prove this app is extendible, I used the main searches/macros from the initial Splunk Security Essentials App (thanks, David Veuve) to create a template dashboard to add to SplunkStart called TA For SplunkStart Basic Security Essentials for Splunk, available on Splunkbase. It comes with a script to add the template dashboards, macros, and saved searches to the local directory of Splunkstart. You can do the same with your own template-based dashboards and add them to other users' SplunkStart installs. This saves a lot of time from having to rewrite the same searches repeatedly, and the macros allow for re-usable content allowing for rapid prototyping and decision making.

Other Uses

SplunkStart also comes with custom search command called mycommand that simply takes a rot13 translation of your raw events and turns them into rot13 format. The intent is to teach advance users how to write a custom search command.

Finally, SplunkStart comes with a sample modular alert that allows you to set up an included custom alert that runs every time the conditions match. The alert writes humorous advice from a web site to your Splunk internal (index=_internal) logs. Again, the intent is to try to teach advance users how write a modular alert for Splunk.

In conclusion, I hope this tool or platform can be useful for both beginner and advanced users to rapidly prototype with Splunk using your own data.

Happy Splunking!