Splunk tile

About Splunk tiles

Splunk tiles offer you an easy way to display data from your Splunk instance in a SquaredUp DS dashboard.

A Connect edition license (or above) is required for this feature. To upgrade please contact [email protected].

How to configure a Splunk tile

If you don't already have a Splunk provider, you need to create one before you can configure a Splunk tile (How to add a Splunk provider).

  1. Add a new tile to a dashboard and click on Integrations > Splunk.
  2. Select the visualization for your Splunk tile and click next.

  3. Scope:
    Select the scope for your tile (optional).

  4. Provider:
    Select your Splunk provider from the select provider drop-down and click next.

    You can only use providers of the same type as the tile. Providers of other types won't be shown in the select provider drop-down.

  5. Search:
    Enter your Splunk search query using the Search Processing Language (SPL).
     
    templates button:
    Allows you to import searches that are saved in your Splunk instance.

    Which templates are available in a Splunk tile depends on the permissions of the Splunk user account that is used in the configuration of the Splunk provider. Any search queries that this user can access in Splunk (for example, queries in saved searches, Splunk reports, dashboards, etc.) are visible as templates in Splunk tiles. For example, if you used Splunk User A for the configuration of Splunk provider A, a Splunk tile that uses Splunk provider A will show all templates that are visible to Splunk User A in Splunk.

    If you defined a scope you can use the mustache picker

    to insert scope variables (values that refer only to the defined scope) into your query.

    You can use the clock insert time value button

    to insert page timeframe and date variables in your query.

    The insert time value button inserts time values into the query. Any settings selected from the timeframe section are also applied to further filter down the results of the query. So time settings from both the query and the timeframe affect the results shown, and should be used with care or you may not see all the data you were expecting.

     

  6. Timeframe:

    The insert time value button inserts time values into the query. Any settings selected from the timeframe section are also applied to further filter down the results of the query. So time settings from both the query and the timeframe affect the results shown, and should be used with care or you may not see all the data you were expecting.


    Optionally, you can set the timeframe outside of the search:
    Specific timeframe:

    If you used a template, SquaredUp DS inherits the timeframe you set for the search in Splunk and puts it in the timeframe field as a specific timeframe.
    If you defined a scope, you can use the mustache picker to create a specific timeframe that considers the scope


    use page timeframe:
    A dynamic timeframe that depends on the current page timeframe.

     
  7. Configure the settings for the visualization you chose:
  8. Click done to save the tile.
    The tile now shows data according to your search.

Tips for using the page timeframe in Splunk tiles

Using page timeframe means your search query will adapt to the dynamic page timeframe.

While being able to change the timeframe dynamically brings a lot of flexibility for showing data over different timeframes in the same tile, it can also mean that some page timeframe settings are not ideal for your intended search:

  • The tile shows no data because the current page timeframe is too short for the fixed time span in your search query. In this case, you can use the page timeframe instead of fixed values in the search query
  • The loading time for the tile is very long because the current page timeframe is too long for the search query. In this case, you can use the page timeframe in the specific timeframe setting to put a cap on the page timeframe that can be used.

Using the scope in the timeframe setting

If you defined a scope you can use the mustache picker

to insert scope variables (values that refer only to the defined scope) into your query.

Using the scope with fixed values
You can use fixed values for creating a specific timeframe that considers the scope.

Example:
You want to create a timeframe that considers how many items are in the scope. If there are less than 100 items, you want the timeframe to be 12 hours, if there are more than 100 items, you want the timeframe to be 1 day.

timeframe setting: specific timeframe

{{scope.length > 100 ? '-12h' : '-1d'}}

Using the scope with the page timeframe
You can use the dynamic page timeframe for creating a specific timeframe that considers the scope.

Example:
You want to create a timeframe that puts a cap on the page timeframe that can be used depending on the size of the scope. If the scope has more 100 items in it, you want the longest possible page timeframe setting to be 1 day (this means if the page timeframe is set to "last 12 hours", the page timeframe will be used, but if it is set to "last 6 months", this will be ignored and 1 day will be used). If the scope has less than 100 items in it, you want the timeframe to adjust to any page timeframe.

timeframe setting: specific timeframe

{{ timeframe.unixStart < Date.now()-(86400*1000) && scope.length > 100 ? '-1d' : timeframe.isoStart }}

Was this article helpful?


Have more questions or facing an issue?