Event Calendar Custom Visualization

A while back, I wrote a blog post about using a custom calendar visualization in Simple XML dashboards. To accomplish this, I used a technique sometimes referred to as escape hatching JavaScript into Simple XML. While this works okay for a developer, the technique does not lend itself well to the end user.

Splunk Custom Visualizations

Splunk 6.4 introduced reusable custom visualizations, which allow a developer to package up a visualization and integrate it into Splunk just like the native visualizations. This also addresses the limitation mentioned above – meaning any end user can use the visualization without mucking around with the Simple XML.

So, revisiting the older escape hatch calendar technique, I thought it would be a good exercise to convert the calendar into a custom visualization.  The calendar is now available on Splunkbase, and several new features have been added.

Using the Calendar in Splunk

The calendar expects a search exposing _time and a count.  The timechart search command does a good job of this.  For example, the following search:

index=_internal | timechart span=1d dc(sourcetype) AS sourcetypes dc(source) as sources dc(host) as hosts

produces some nice tabular data like so:

[Image: calendar_tabular]

The calendar visualization can take this data and visualize it on a calendar like this:

[Image: calendar_blog]

There are some formatting options as well.

[Image: calendar_format]

Try it out yourself and go download it on Splunkbase.

Special shout-out to the Summer Interns who helped… Yue Kang, Nic Stone, and Phillip Tow!

Looks really interesting. Unfortunately, when I try it, I get “Failed to load source for Calendar visualization.”

scott
November 1, 2016

Hey Jason,

Looks like a great visualisation… I was playing around with some pieces with the new timeline viz to look at a schedule of a day based on event… some of those events are different running times & the specific results only span 2/3 days…

so,
1. Is there a way it could show each result on the calendar as its ‘duration’ so each result is specific to a start & end time?
2. The calendar vis doesn’t snap to the date range I’ve got my search running as and I have to manually ‘flick’ back to those days or week…

November 2, 2016

@scott Splunk 6.5 is required for this visualization. Is that the version you have?

Jason Conger
November 2, 2016

OK. Didn’t realize 6.5 was required. Thanks.

scott
November 2, 2016

@Paul McDonough
1) Good idea. The events do have an end date/time which is currently calculated by the span (1d, 1h, 1m, etc.) provided in the search. It would be trivial to look for a duration field and use this if present.
2) Another good idea. The calendar defaults to the current date, but that can be changed so that it defaults to the first or last day in the results instead.

Jason Conger
November 2, 2016
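
How the tabular timechart output described in the post can be turned into calendar events, with the end time taken from the span as described in the reply above. This is an added example, not the app's own code: the row-major result shape, the `_span` column in seconds, the optional `duration` column and the function name `rowsToEvents` are assumptions, and the sample rows are constructed.

```javascript
// Constructed sample shaped like row-major results of the post's search
// (assumed shape: fields[].name, rows[][] of strings, _span in seconds).
const sampleResults = {
  fields: [{ name: '_time' }, { name: 'sourcetypes' }, { name: 'sources' },
    { name: 'hosts' }, { name: '_span' }],
  rows: [
    ['2016-10-30T00:00:00.000Z', '12', '40', '3', '86400'],
    ['2016-10-31T00:00:00.000Z', '14', '0', '3', '86400'],
    ['2016-11-01T00:00:00.000Z', '9', '37', '', '86400'],
  ],
};

// Hypothetical helper: one calendar event per (row, series) cell.
// End = start + `duration` when that (hypothetical) column is present,
// otherwise start + _span, which is how the span-based end time is described.
function rowsToEvents(results) {
  const names = results.fields.map((f) => f.name);
  const timeIdx = names.indexOf('_time');
  if (timeIdx === -1) throw new Error('search must expose _time');
  const spanIdx = names.indexOf('_span');
  const durIdx = names.indexOf('duration');
  const events = [];
  for (const row of results.rows) {
    const start = new Date(row[timeIdx]);
    if (Number.isNaN(start.getTime())) continue; // unparsable timestamp
    const hasDur = durIdx !== -1 && row[durIdx] !== '' && row[durIdx] != null;
    const raw = hasDur ? row[durIdx] : (spanIdx !== -1 ? row[spanIdx] : 0);
    const secs = Number.isFinite(Number(raw)) ? Number(raw) : 0;
    const end = new Date(start.getTime() + secs * 1000);
    names.forEach((name, i) => {
      if (name.startsWith('_') || i === durIdx) return; // not a series
      const cell = row[i];
      if (cell === '' || cell == null) return; // no value for this day
      const count = Number(cell);
      // Choice made in this example: non-numeric and zero counts add no event.
      if (!Number.isFinite(count) || count === 0) return;
      events.push({ title: `${name}: ${count}`, series: name, count, start, end });
    });
  }
  return events;
}

console.log(rowsToEvents(sampleResults).map((e) => e.title));
```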