What’s New for Developers in Splunk 6

With Splunk Enterprise 6, we’ve delivered capabilities to bring operational intelligence to everyone across the organization. Key to driving operational intelligence across the enterprise with Splunk are, of course, developers. Developers instrument the logs, integrate the data and build the apps to make it happen. In Splunk 6 there are two great new features that make it easier for developers to quickly and efficiently build powerful Splunk apps: the Splunk Web Framework and Data Models.

The Splunk Web Framework

The Splunk Web Framework, which was first made available in preview in February, enables developers to use the tools and languages they know to build Splunk apps with custom dashboards, flexible UI and custom data visualizations. Building a Splunk app now looks and feels like building any modern web application, making Splunk development accessible to millions of professional developers around the world. With the Web Framework, developers can easily integrate third-party data visualizations and UI components working with HTML5 and JavaScript.

One of the benefits of the Web Framework is its flexibility – developers can choose to build their Splunk app using Simple XML, JavaScript or Django (or any combination thereof). Simple XML is ideal for fast, lightweight app building and customization, and requires minimal coding knowledge, making it well-suited for Splunk power users in IT who want fast visualization and analytics from their machine data. You can also edit and convert a Simple XML dashboard to HTML with one click for more powerful customization and integration with JavaScript.

Developers looking for more advanced functionality and capabilities can build Splunk apps from the ground up using popular, standards-based web technologies: JavaScript and Django. The Web Framework lets developers quickly create Splunk apps by using prebuilt components, styles, templates, and reusable samples as well as supporting the development of custom logic, interactions, components, and UI.

Here’s an example of how to use a Django template tag to create a Chart view using the Web Framework:


{% chart id="mychart" managerid="mysearch" type="line" %}

Now here’s an example of how to use JavaScript to create a Chart view using the Web Framework:


    var deps = [
        "splunkjs/mvc",
        "splunkjs/mvc/chartview"
    ];
    require(deps, function(mvc) {
        var Chart = require("splunkjs/mvc/chartview");
        new Chart({
            id: "mychart",
            managerid: "mysearch",
            "type": "line",
            el: $("#mychart")
        }).render();
    });

Data Models

Data Models define meaningful relationships in underlying machine data, making the data in Splunk more useful to a broader base of users. Unlike data models in the traditional structured world, Splunk Data Models focus on machine data and on mashups between machine data and structured data. Splunk software is founded on the ability to flexibly search and analyze highly diverse machine data using late-binding, search-time techniques for schema creation (“schema-on-the-fly”), and Data Models are no exception – they define relationships in the underlying data while leaving the raw machine data intact, and map these relationships at search time.

Data Models power the new Pivot interface by defining an abstract model of the underlying machine data and the meaningful relationships in that data, so business analysts can more quickly and easily derive insights from their machine data. Data Models also allow developers to abstract away the search language syntax, making Splunk queries more manageable and portable. With Data Models, developers no longer have to embed long, often cryptic query strings in their applications. And since Data Models support inheritance, the relationships between Data Models can be programmatically managed. And of course you can use Data Models when building apps with the Web Framework. Working with Data Models allows developers to focus on coding rather than on the search language.

Thanks to Data Models and Pivot, this search:


( sourcetype="access_*" OR sourcetype="iis*" ) ( uri="*" ) uri=* uri_path=* status=* clientip=* referer=* useragent=* ( status=2* ) ( uri_path!=*.php OR uri_path!=*.html OR uri_path!=*.shtml OR uri_path!=*.rhtml OR uri_path!=*.asp ) ( uri_path=*.avi OR uri_path=*.swf ) ( uri_path=*.itpc OR uri_path=*.xml ) | litsearch ( sourcetype=access_* OR sourcetype=iis* ) ( uri="*" ) uri=* uri_path=* status=* clientip=* referer=* useragent=* ( status=2* ) ( uri_path!=*.php OR uri_path!=*.html OR uri_path!=*.shtml OR uri_path!=*.rhtml OR uri_path!=*.asp ) ( uri_path=*.avi OR uri_path=*.swf ) ( uri_path=*.itpc OR uri_path=*.xml ) | eval newX = " " | eval "useragent ::: status"='useragent'+" ::: "+'status' | addinfo type=count label=prereport_events | fields keepcolorder=t "newX" "prestats_reserved_*" "psrsvd_*" "useragent ::: status" | fillnull value=NULL "useragent ::: status" | prestats count by newX "useragent ::: status"

can be managed as:

    | pivot WebIntelligence PodcastDownload count(PodcastDownload) AS "Count of PodcastDownload" SPLITCOL useragent SPLITCOL status FILTER uri isNotNull NUMCOLS 100
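To show how an app can stop embedding hand-written query strings, here is an added example (not from the original post) that composes the pivot command above from structured parameters, rejecting any token that is not a plain identifier and quoting labels. The spec shape and the names buildPivot, quoted and token are assumptions; only the pivot clauses used in the post's example are supported.

```javascript
// Added example (not from the original post): build the "| pivot" command
// shown above from structured parameters instead of embedding a hand-written
// query string. Names (buildPivot, quoted, token, the spec shape) are mine;
// only the pivot clauses used in the post's example are supported.

// Every bare token (data model, object, field, function) must be a plain
// identifier; anything else is rejected instead of being pasted into SPL.
const TOKEN = /^[A-Za-z_][A-Za-z0-9_]*$/;

function token(value, what) {
  if (typeof value !== "string" || !TOKEN.test(value)) {
    throw new Error("invalid " + what + ": " + JSON.stringify(value));
  }
  return value;
}

// Double-quoted label with backslashes and quotes escaped, so a label
// containing a quote character cannot end the string early.
function quoted(label) {
  return '"' + String(label).replace(/[\\"]/g, "\\$&") + '"';
}
// Only the null checks are accepted as FILTER comparators, so no free-form
// filter value is ever interpolated into the command.
const COMPARATORS = new Set(["isNull", "isNotNull"]);

function buildPivot(spec) {
  const parts = ["pivot", token(spec.dataModel, "data model"), token(spec.object, "object")];
  for (const a of spec.aggregates) {
    parts.push(token(a.fn, "function") + "(" + token(a.field, "field") + ") AS " + quoted(a.label));
  }
  for (const col of spec.splitCols || []) parts.push("SPLITCOL " + token(col, "split column"));
  for (const f of spec.filters || []) {
    if (!COMPARATORS.has(f.comparator)) throw new Error("unsupported comparator: " + f.comparator);
    parts.push("FILTER " + token(f.field, "filter field") + " " + f.comparator);
  }
  if (spec.numCols !== undefined) {
    if (!Number.isInteger(spec.numCols) || spec.numCols < 1) throw new Error("NUMCOLS must be >= 1");
    parts.push("NUMCOLS " + spec.numCols);
  }
  return "| " + parts.join(" ");
}

// The post's PodcastDownload pivot, rebuilt from its parts.
const podcastPivot = buildPivot({
  dataModel: "WebIntelligence",
  object: "PodcastDownload",
  aggregates: [{ fn: "count", field: "PodcastDownload", label: "Count of PodcastDownload" }],
  splitCols: ["useragent", "status"],
  filters: [{ field: "uri", comparator: "isNotNull" }],
  numCols: 100,
});
```

The resulting string can be handed to a SearchManager as its search, so the app code carries the model, object and fields rather than the SPL itself.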

Get Started

----------------------------------------------------
Thanks!
Jon Rooney
