Splunk Custom Visualizations
Splunk 6.4 introduced reusable custom visualizations which allows a developer to package up a visualization and integrate it into Splunk just like the native visualizations. This also addresses the limitation mentioned above – meaning any end user can use the visualization without mucking around with the Simple XML.
So, revisiting the older escape hatch calendar technique, I thought it would be a good exercise to convert the calendar into a custom visualization. The calendar is now available on Splunkbase, and several new features have been added.
Using the Calendar in Splunk
The calendar expects a search exposing _time and a count. The timechart search command does a good job of this. For example, the following search:
index=_internal | timechart span=1d dc(sourcetype) AS sourcetypes dc(source) as sources dc(host) as hosts
produces some nice tabular data like so:
The calendar visualization can take this data and visualize it on a calendar like this:
There are some formatting options as well.
Try it out yourself and go download it on Splunkbase.
Special shout-out to the Summer Interns who helped… Yue Kang, Nic Stone, and Phillip Tow!