Event Calendar Custom Visualization

A while back, I wrote a blog post about using a custom calendar visualization in Simple XML dashboards.  To accomplish this, I used a technique sometimes referred to as escape hatching JavaScript into Simple XML.    While this works okay for a developer, the technique does not lend itself well to the end user.

Splunk Custom Visualizations

Splunk 6.4 introduced reusable custom visualizations which allows a developer to package up a visualization and integrate it into Splunk just like the native visualizations.  This also addresses the limitation mentioned above – meaning any end user can use the visualization without mucking around with the Simple XML.

So, revisiting the older escape hatch calendar technique, I thought it would be a good exercise to convert the calendar into a custom visualization.  The calendar is now available on Splunkbase, and several new features have been added.

Using the Calendar in Splunk

The calendar expects a search exposing _time and a count.  The timechart search command does a good job of this.  For example, the following search:

index=_internal | timechart span=1d dc(sourcetype) AS sourcetypes dc(source) as sources dc(host) as hosts

produces some nice tabular data like so:

The calendar visualization can take this data and visualize it on a calendar like this:

There are some formatting options as well.

Try it out yourself and go download it on Splunkbase.

Special shout-out to the Summer Interns who helped… Yue Kang, Nic Stone, and Phillip Tow!