In the third segment of the series on Splunk, we will continue from where we left off in the last post and explore some more features of Splunk, as well as the creation of Reports and Dashboards in Splunk. We will use the Splunk 7.0.1 instance that we installed in the earlier post for all our work.
We added the data in the file employees.csv without treating HIRE_DATE as a date. The result of this is that when we try to sort on the date, we get an incorrect result, as shown below:
source="employees.csv" host="SPLUNK-SERVER" sourcetype="csv" FIRST_NAME = "S*" | sort hired_date desc
The results are shown below:
Note that HIRE_DATE is not sorted correctly, as this field is not recognized as a date field. So, we can use the strptime function to convert it to epoch time, as shown below:
source="employees.csv" host="SPLUNK-SERVER" sourcetype="csv" FIRST_NAME = "N*" | eval hired_date = strptime(HIRE_DATE,"%d-%b-%y") | sort hired_date desc
The results are shown below:
Let us further create a table containing fewer fields to make sense of the sort, as shown below:
source="employees.csv" host="SPLUNK-SERVER" sourcetype="csv" FIRST_NAME = "S*" | eval hired_date = strptime(HIRE_DATE,"%d-%b-%y") | sort hired_date desc | table FIRST_NAME LAST_NAME SALARY HIRE_DATE
The results are shown below:
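To make the difference between the two sorts concrete, here is an added Python illustration (not code from the original post or from Splunk) that runs the same three steps over a constructed set of rows laid out like employees.csv: filter FIRST_NAME = "S*", sort HIRE_DATE descending, and table the result. It shows why sorting the raw string gives a meaningless order and how the strptime(HIRE_DATE, "%d-%b-%y") conversion fixes it, including a two-digit year before 2000 and an unparseable value.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed rows in the layout of the page's employees.csv (not the real file).
EMPLOYEES_CSV = """FIRST_NAME,LAST_NAME,SALARY,HIRE_DATE
Steven,King,24000,17-JUN-03
Neena,Kochhar,17000,21-SEP-05
Shelley,Higgins,12008,07-JUN-02
Sigal,Tobias,2800,24-JUL-05
Shanta,Vollman,6500,10-OCT-05
Sundar,Ande,6400,24-MAR-08
Sarah,Bell,4000,30-JAN-01
Susan,Mavris,6500,07-JUN-94
Sam,Ng,5000,N/A
"""


def parse_hire_date(value, fmt="%d-%b-%y"):
    """Counterpart of: eval hired_date = strptime(HIRE_DATE, "%d-%b-%y").
    Returns epoch seconds, or None where an unparseable value leaves the
    field empty. Python's %y uses the POSIX pivot: 69-99 -> 19xx, 00-68 -> 20xx."""
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None


def run_search(text, prefix, parse_dates):
    """FIRST_NAME = "<prefix>*" | sort HIRE_DATE desc | table LAST_NAME HIRE_DATE.
    parse_dates=False sorts the raw string (the broken first query);
    parse_dates=True sorts the strptime epoch, with unparseable dates last."""
    rows = [r for r in csv.DictReader(io.StringIO(text))
            if r["FIRST_NAME"].lower().startswith(prefix.lower())]  # wildcard match
    if not parse_dates:
        # Lexicographic compare: "30-JAN-01" outranks "24-MAR-08" because "3" > "2",
        # and "N/A" outranks every digit-led string, so the order is meaningless.
        rows.sort(key=lambda r: r["HIRE_DATE"], reverse=True)
    else:
        keyed = [(parse_hire_date(r["HIRE_DATE"]), r) for r in rows]
        good = sorted([kr for kr in keyed if kr[0] is not None],
                      key=lambda kr: kr[0], reverse=True)
        rows = [r for _, r in good] + [r for k, r in keyed if k is None]
    return [(r["LAST_NAME"], r["HIRE_DATE"]) for r in rows]


if __name__ == "__main__":
    print("string sort:", run_search(EMPLOYEES_CSV, "S", parse_dates=False))
    print("date sort:  ", run_search(EMPLOYEES_CSV, "S", parse_dates=True))
```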
Let us save this as a report so that we can refer to it later:
On the Save As Report window, enter Employee Subset by Salary for Title and select No for Time Range Picker and click on Save:
On the next window, click on Permissions to allow others to see and run this report:
On the next window, select Apps and also Read for Everyone and click on Save:
Then, this report can be seen after clicking Reports menu:
You can see the report link highlighted below:
Click on Search above and then run a new search with the criteria below:
source="employees.csv" host="SPLUNK-SERVER" sourcetype="csv" FIRST_NAME = "S*" | eval hired_date = strptime(HIRE_DATE,"%d-%b-%y") | sort hired_date desc | table LAST_NAME SALARY
The results are shown below:
Click on Visualization above to see a column chart, as shown below:
Save this report as Employee Salary Chart. Once this report is saved, click on Dashboard as shown below:
On the window, click on Skip:
Click on Create New Dashboard to create a new Dashboard:
On the window, enter the Title as shown, select Shared in App under Permissions, and click on Create Dashboard:
On the created Dashboard, click on +Add Panel:
On the Add Panel window that slides in from the right, locate the reports we just created:
Select the Employee Subset by Salary Report. This shows details about the report. Then, click on Add to Dashboard:
This will add the report to the dashboard as shown below:
In the same way, add the Employee Salary Chart to the Dashboard:
Note that it appears below the previous report. Click on Save at the top right:
This completes the creation of the Dashboard.