TIPS & TRICKS

Yet Another Update to the Keyword App

The last time I updated the Keyword app and the let world know about it in my blog post "Another Update to Keyword App" was over two years ago, which makes me feel as if people must have forgot about it. Today, I'd like to announce another update.

Before we get to the update, let's recap what the Keyword app on Splunkbase does. The Keyword App is a series of dashboards that provide simple analytics on indexed Spunk data without having to know any Search Processing Language (SPL) or knowing how to extract fields at search time. All you have to do is pick an index from a dropdown and type some keyword such as error or success or blue or whatever you want, and analytics happen for that dashboard. Example analytics include tops, rares, baselines, predicts, slopes, and grouped (clustered) events. The app does not index any data and relies on the data that you have in Splunk to do the work. It's installed on a search head and can be installed on a standalone Splunk instance.

Updates

The first update to announce is from Splunker Hutch Hutchinson. He created a form search dashboard called Easy Triage which simply finds bad things that may have happened to your events in your index or indices. These "bad things" mean there was either an error, exception, fatal, critical, failure, or status>500 in your data. You can always type in more keywords or use NOT to prevent looking at certain data with a keyword. The results use the Splunk cluster command for event reduction, which means if you have 50,000 events that look the same, only one is printed out so that you don't have to scroll through 50,000 events. Hueristics can be used to limit the listing of like events. Users can now use this page to Triage the bad behavior in their time series events. The picture below summarizes my words.

The next update is that I finally put in an introduction page as the main page of the app. The Spunk Essentials apps convinced me that this is the right thing to do. The introduction page provides some details on how to use the app, which should take 10 seconds to learn and it has links to all the dashboards in the app with descriptions. This allows easier navigation. Of course, the Dashboard menu button at the top of the app also contains menu links to all the dashboards in the app. See the picture below.

Finally, I used the same approach as the Easy Triage Dashboard for all other dashboards in the app. All dashboards have an index dropdown and some have metadata that you can pick such as source, sourcetype, and host. This minimizes typing and lets you focus on the keyword to search for simple analytics.

Give it try by downloading the latest version of Keyword from Splunkbase, and Happy Splunking!

Nimish Doshi
Posted by

Nimish Doshi

Nimish Doshi is a Principal Systems Engineer with Splunk and has been active on Splunkbase content creation and writing Splunk blogs entries for a number of years.

 

Join the Discussion