Calendar – Custom Visualization

Hi Splunkers!
Hope you are doing well. In this blog we will discuss the Calendar – Custom Visualization, a really cool and useful element that you can use to enhance the visualization of a Splunk dashboard. If you have dashboard panels that show results by day, week or month, then this is for you.

Step 1:
First, download the following app from Splunkbase using the link below.
https://splunkbase.splunk.com/app/3372/

Step 2:

After completion of your download, log in to your Splunk server to install the app.

After logging in, we land in the Search and Reporting app (this can be different for you). Click on the App menu in the top bar and then click on Manage Apps.

After that, click on Install app from file.

In the Upload app section, select the downloaded app file by clicking Choose file, and then click on Upload. You can find this option in the top right corner.

After successful installation, go to the Search and Reporting app.

Step 3:
In our case, we took the following query and will visualize its result in the form of a Calendar.

index=_internal 
| timechart span=1d dc(sourcetype) AS Sourcetypes dc(source) as Sources dc(host) as Hosts

Explanation:
First we took data from the _internal index. Then, using the timechart command with a span of one day, we counted the distinct Hosts, Sourcetypes and Sources that were there each day in the last 30 days. Run this query in Fast Mode, otherwise it will take a long time to run.
Now click on Save As at the top and save the search as a dashboard panel.

After creating the dashboard, click on View Dashboard to open it.
Then click on the Edit option in the dashboard.

Click on Select visualization and select Calendar from the drop-down list.

Save it and you can see the change in the visualization. Now it looks superb, right?

You can see the number of Hosts, Sourcetypes and Sources within the Calendar.

NOTE: In this visualization the _time field is mandatory, and you cannot use
      any command other than timechart, because here span is a mandatory
      function. I know we can also use span with the bin command, but it
      will not work here. We will prove it to you.

We tried using this query, which gave us basically the same result as earlier.

index=_internal 
| bin span=1d _time
| stats dc(sourcetype) AS Sourcetypes dc(source) as Sources dc(host) as Hosts by _time

But if we try to convert it into a Calendar visualization, it shows an error.

I hope you have understood this topic on Calendar – Custom Visualization.

Happy Splunking!!
