Advanced Dashboards & Visualizations - Labs: Dashboard in The Course App

Advanced Dashboards & Visualizations – Labs
Overview
Welcome to the Splunk Education lab environment. These exercises will guide you through the process
of creating a set of dashboards, forms, and visualizations. If you get stuck, consult the example
dashboard in the course app.
IMPORTANT: Save all knowledge objects in the Advanced Dashboards & Visualizations app with
permissions set to private. Also, when editing XML type the text manually or copy it from
the dashboard editor —not this document. Character formatting and artifacts created by
the PDF generation process can cause errors in the XML.
Visualization Editor Icons
Search Properties Visualization Visualization Formatting

• Search Properties: indicates the panel's document type –a magnifying glass for a panel
based on a search, pivoting arrows for a pivot, or a sheet of paper for a search- or pivot-
based report. Select this to modify the panel's search or report.
• Visualization: indicates the type of visualization displayed on the panel. Select this to specify
the type of visualization displayed.
• Visualization Formatting: Select this to specify options for the selected visualization. The
options available depend on the visualization selected.
Typographical Conventions
• Blue text highlighting indicates add text.
• Red text highlighting indicates remove text.
• Grey text provides placement information.
Lab Connection Info

You can write lab connection information (provided by your instructor) in the spaces below.
Class Number:
Splunk Web URL:
Splunk Web username:
Splunk Web password:
Source Types
The two source types used in these exercises are referred to by the type of data they represent.
Type Source type Interesting Fields

Online transactions access_combined action, bytes, categoryId, clientip, itemId, JSESSIONID, price,
productId, product_name, referer, referer_domain, sale_price,
status, user, useragent
Retail sales vendor_sales AcctID, categoryId, product_name, productId, sale_price, Vendor,
VendorCity, VendorCountry, VendorID, VendorStateProvince
© 2016 Splunk Inc. All rights reserved. Advanced Dashboards & Visualizations November 20, 2016 1
Lab Exercise 1 – Create a Prototype
Description
Create a dashboard prototype based on the use case and wireframe. The prototype will use basic
searches and visualizations.
IMPORTANT: Perform all searches and save all knowledge objects in the Advanced Dashboards &
Visualizations course app.
Scenario: The sales team wants a dashboard that displays information about web store server health.
It should have panels that display the following:
- Chart of purchases and lost sales
- Table of most common web server errors by host
- Chart of all web server errors by host
- Map of web server errors by location
Working Example: Adv. Dash. & Visualizations > Lab Examples > Lab 1 - Create a Prototype
Example:
Naming Conventions
Define naming conventions for your knowledge objects early in the development process. Doing so will
avoid confusion later. This becomes especially important when creating multiple iterations of views and
reports. For the following tasks, consult the table below when naming objects.
Scope Definition Convention

Working Group Corresponds to the working group of the user saving the search bcg
Category Corresponds to the area of concern webstore
Object Type Indicates the type of knowledge object report, dash, panel
Description Short, meaningful server_errors
Example bcg_webstore_report_server_errors
Steps
Task 1: Change the account name and time zone.
1. Log into the class lab server.
For example, http://class.server-name.splunk.com
2. Change your account settings:
• Full name: <first initial and last name>
For example: rrice
• Time zone: <your local time zone>
• Default app: advdash
Task 2: Create a dashboard with a panel that shows online purchases and lost sales.
NOTE: A lost sale is defined as when an item is removed from a customer's cart.
3. Search online transactions for purchases or lost sales events over the last 30 days.
Hint: action=remove, action=purchase
4. Calculate the total value of sales as totalSales by action and product_name. Then, view the results as
both a statistics table and column chart visualization.
5. Ensure product_name is on the x-axis, action identifies the series, and totalSales is on the y-axis.
Hint: xyseries command
6. Rename product_name as Product Name, remove as Lost Sales, purchase as Purchases, and
display the results as a column chart.
7. Save the search as a report and add it to a new dashboard:
• Report Title: bcg_webstore_report_purchases_vs_lost_sales
• Dashboard Title: Version 1 - Web Store Server Errors
• Dashboard ID: bcg_webstore_dash_v1_server_errors
• Dashboard Permissions: Private
• Panel Title: Purchases & Lost Sales
• Panel Powered By: Report
8. Open the dashboard in edit mode.
9. Format the panel visualization to display a stacked column chart with the legend on the bottom.
10. Save the dashboard changes.
Example:
Task 3: Add a table of most common web server errors by host.
11. Search online transactions for all HTTP status errors over the last 30 days.
Hint: status>399
12. Count errors by host and status.
13. Limit results to only the top three errors.
14. Remove the grouping called OTHER.
15. Save the search as a report and add it to your Version 1 - Web Store Server Errors dashboard:
• Report Title: bcg_webstore_report_common_errors_by_host
• Dashboard: Version 1 - Web Store Server Errors
• Panel Title: Most Common Errors by Host
• Panel Content: Statistics Table
Example:
Task 4: Add a time series chart of all web server errors.

16. Search online transactions for HTTP status errors over the last 30 days.
17. Plot a count of action values by host over time.
18. Save the search as a report and add it to your Version 1 - Web Store Server Errors dashboard:
• Report Title: bcg_webstore_report_all_errors_by_host
• Panel Title: All Errors by Host
19. Format the All Errors by Host panel to display a line chart with the legend on the bottom.
20. Position panel on the right of the Most Common Errors by Host panel.
Example:
Task 5: Add a map of web store server error locations.

22. Search online transactions for all client IP addresses and HTTP error codes for the last 30 days.
Hint: status>399
23. Eliminate duplicate client IP addresses and hosts.
24. Extract location information from IP addresses and add the prefix cip_ to the clientip field.
Hint: iplocation command
25. Generate a cluster map based on ip location and count events by status.
26. Save the search as a report and add it to an existing dashboard:
• Report Title: bcg_webstore_report_status_errors_by_location
• Panel Title: All Status Errors by Location
• Panel Content: Cluster Map
27. View the dashboard and make sure it matches the example.
Example:
Task 6: Create prebuilt panels.
28. Click Edit.
29. Click the options menu icon on the Most Common Errors by Host panel, and select Convert to
Prebuilt Panel.
• ID: bcg_webstore_panel_<panel_title>
Example: bcg_webstore_panel_most_common_errors_by_host
• Permissions: Private
30. Click Apply.
31. Click OK to confirm.
32. Repeat the above steps to convert two other panels:
• All Errors by Host
• All Status Errors by Location
34. Navigate to: Settings > User Interface > Prebuilt Panels.
35. In the Owner dropdown, select your name.
36. In the App dropdown, select Advanced Dashboards & Visualizations (advdash).
37. Make sure all three of your prebuilt panels are listed:
• bcg_webstore_panel_all_errors_by_host
• bcg_webstore_panel_all_status_errors_by_location
• bcg_webstore_panel_most_common_errors_by_host
Example:
Challenge Lab Exercise (optional)
Create a Data Model
This challenge lab walks you through the process of creating a data model that can be accelerated. You
must first complete this challenge lab exercise if you intend to do the lab 3 challenge lab.
Example:
Task 1: Create a data model.

NOTE: Since this is a power-user environment, you will append your student number to the data
model ID to distinguish it from other data models. For example, bcg_dm_ws_student7.
1. Select Settings > Data models.

2. Click New Data Model and enter the following settings:
• Title: bcg dm ws <studentX>
• ID: bcg_dm_ws_<studentX>
• App: Advanced Dashboards & Visualizations
3. Click Create.
4. Add a root event dataset.
• Dataset Name: bcg dm ws root event
• Dataset ID: bcg_dm_ws_root_event
• Constraints: index=main sourcetype=access_combined
5. Preview events to verify the constraint is working properly, then save it.
Task 2: Add auto-extracted fields.
6. Select Add Field > Auto-Extracted.

7. Select four auto-extracted fields:
• action
• price
• product_name
• status
8. Click Save.
Task 3: Add eval expression fields for NULL values.

NOTE: Searches against this data model require all fields identified in the data cube to have a value.
When using a data model as part of a global search, this is best practice.
9. Select Add Field > Eval Expression.
10. Add an eval expression for the action field:
• Eval Expression: if(isnull(action),"NULL",action)
• Field Name: action1
• Display Name: action1
11. Preview events to verify the field is working properly; then save it.
12. Click Save.
13. Create two more eval expression attributes for NULL values, using the same naming conventions,
for these fields:
• price
• product_name
HINT: The price field type is numeric.
Task 4: Test your data model.

14. Using the datamodel command, search the data model's root event over the last 24 hours.
Hint: The datamodel command is a generating command. It should be preceded with a pipe.
15. Use the fields command to display all fields in the data model.
Hint: The datamodel fields are prefixed with: bcg_dm_ws_root_event
16. Examine the field values in the sidebar of the action*, price*, and product_name* fields.
Example on next page.
Example:
Questions
Question 1: What is the difference between the values of:
bcg_dm_ws_root_event.action and bcg_dm_ws_root_event.action1?
__________________NULL values appear in action1____________________________

bcg_dm_ws_root_event.price and bcg_dm_ws_root_event.price1?
__________________NULL values appear in price1______________________________

bcg_dm_ws_root_event.product_name and bcg_dm_ws_root_event.product_name1?
__________________NULL values appear in product_name1______________________
Lab Exercise 2 – Add Interactivity
Description
In this exercise you will use tokens to create cascading inputs that define a chart's search.
IMPORTANT: Perform all searches and save all knowledge objects in the Advanced Dashboards &
Visualizations course app.
Scenario: The sales team is impressed with the new server errors dashboard. They would like to add a
form to their app. The form should display a column chart of vendor data based on user input
for country, state or province, and city.
Working Example: Adv. Dash. & Visualizations > Lab Examples > Lab 2 - Add Interactivity - Example
Example:
Steps
Task 1: Create a form.
1. In the Lab Searches menu, click the search icon for Lab 2 - Search 1.
NOTE: The search is not intended to display results at this point. This is expected.
2. Save the search as a panel on a new dashboard:
• Dashboard: New
• Dashboard Title: Version 1 - Vendor Sales Analysis
• Dashboard ID: bcg_vendor_form_sales_analysis_v1
• Panel Title: All Vendor Sales
• Panel Powered By: Inline Search
3. Save, then view the dashboard.
NOTE: The panel will not populate until after you’ve added inputs in the next series of tasks.
Task 2: Add a token filter for quotes.
4. Click Edit.
5. Click the panel's search properties icon.
6. Click Edit Search.
7. Revise each of the three tokens to include a filter to wrap the value in quotes.
sourcetype=vendor_sales VendorCountry=$v_country_tok|s$
VendorStateProvince=$v_state_tok|s$ VendorCity=$v_city_tok|s$ | timechart count
8. Click Apply.
Task 3: Add a menu input for country.
9. Click Edit.
10. Click +Add Input > Dropdown.
11. Click the Edit Input icon (pencil) and add the following settings:
General
• Label: Country
• Select: Search on Change
Token Options Example:
• Token: v_country_tok
Static Options
• Name: All
• Value: *
Dynamic Options
• Search String: sourcetype="vendor_sales" | stats
count by "VendorCountry"
• Time Input: Last 7 Days
• Field For Label: VendorCountry
• Field For Value: VendorCountry
Token Options
• Default: All
12. Click Apply, then click in the Country input and make sure a list of countries displays.
NOTE: If the input is not working, save the dashboard and refresh the browser. Also, check its settings
and search for typos.
Task 4: Add a menu input for state/province.
13. Click +Add Input and select Dropdown.

General
• Label: State/Province
Token Options
• Token: v_state_tok
Static Options
• Name: All
• Value: *
Dynamic Options
• Search String: sourcetype="vendor_sales" VendorCountry=$v_country_tok|s$ |
stats count by "VendorStateProvince"
• Field for Label: VendorStateProvince
• Field for Value: VendorStateProvince
Token Options
• Default: All
15. Click Apply, then click in the State/Province input and make sure a list of states/provinces displays.
NOTE: If the input is not working, check its settings and search for typos.
Example:
Task 5: Add a menu input for City.
16. Click +Add Input and select Dropdown.

General
• Label: City
• Select Search on Change
Token Options
• Token box: v_city_tok
Static Options
• Name: All
• Value: *
Dynamic Options
• Search String: sourcetype="vendor_sales" VendorCountry=$v_country_tok|s$
VendorStateProvince=$v_state_tok|s$ | stats count by "VendorCity"
• Field for Label: VendorCity
• Field for Value: VendorCity
Token Options
• Default: All
18. Click Apply, then click in the City input and make sure a list of cities displays.
19. Change the All Vendor Sales panel visualization to a Column chart.
20. Save the dashboard and reload your browser window.
Task 6: Test the form inputs.
21. Select a Country, State/Province, and City.

• Chart not displaying?
– Reload/refresh your web page and try again.
• Form input(s) not filtering properly?
– Look at the settings for typos. Check the XML, where errors may be more obvious.
Example:
Lab Exercise 3 – Improve Performance
Description
In this exercise you will improve dashboard performance by creating and scheduling reports. Then,
improve it further by creating a global search and accelerating it.
IMPORTANT: When editing the simple XML, type the text manually or copy it from the dashboard editor
—not this document. Character formatting and artifacts created by the PDF generation
process can cause errors in the XML.
Scenario: The stakeholders have approved the prototype dashboard, with some requested changes:
- Make the dashboard load faster.
- Reduce the search load from this dashboard.
- Add two panels to show the dollar amount of purchases and lost sales in the past month.
Working Example: Adv. Dash. & Vis. > Lab Examples > Lab 3 - Improve Performance - Example
Example:
Steps
Task 1: Accelerate and schedule your reports.
1. Navigate to: Settings > Searches, reports, and alerts

2. Make sure the App context is set to: Advanced Dashboards and Visualizations (advdash)
3. In the Owner dropdown, select your name.
4. Open three of your reports:
• bcg_webstore_report_all_errors_by_host
• bcg_webstore_report_common_errors_by_host
• bcg_webstore_report_purchases_vs_lost_sales
5. Select: Accelerate this search
6. Set summary range to: 1 month
7. Select: Schedule this search.
8. Set schedule for:
• Schedule type: Basic
• Run every: day at midnight
• Schedule Window: 15
Questions
Question 1: Why is acceleration not possible for bcg_webstore_report_status_errors_by_location?
_______________________________________________________________________
Question 2: What, if any, change(s) would be required to accelerate it?

_______________________________________________________________________
9. Schedule the bcg_webstore_report_status_errors_by_location report with the same settings:

• Schedule type: Basic
• Run every: day at midnight
• Schedule Window: 15
Task 2: Create a new dashboard.
10. Navigate to the Advanced Dashboards & Visualizations app.
12. Save the search as a panel and add it to a new dashboard:
• Dashboard: New
• Dashboard ID: bcg_webstore_dash_v2_server_errors
• Panel Title: Base Search
Task 3: Add a base search.
14. Open the Splunk XML Editor.
15. Locate the Base Search panel's search query.
16. Delete the opening and closing <row>, <panel>, <table> and <title> tags and all the options.
<dashboard>
<label>Version 2 - Web Store Server Errors</label>
<row>
<panel>
<title>Base Search</title>
<table>
<search>
...
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
17. Add an ID to the opening <search> tag: <search id="baseSearch">
<dashboard>
<search id="baseSearch">
...
18. Save the XML changes.
Task 4: Add a chart that uses a post-process search.
NOTE: This is a post-process search. It will not display results in the search view. This is normal
and expected.
20. Save the search as a panel and add it to an existing dashboard:

• Panel Title: Purchases & Lost Sales
23. Locate the XML for the Purchases & Lost Sales panel.
24. Add an ID to the opening <search> tag: <search base="baseSearch">
...
<panel>
<title>Purchases & Lost Sales</title>
<table>
<search base="baseSearch">
<query>
...
25. Delete the Purchases & Lost Sales panel's earliest, latest, and sampleRatio tags.
...
</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
...
27. Format the panel to display a column chart in stacked mode with the legend on the bottom.
Example:
Task 5: Add a single value panel with a post-process search.
and expected.

• Panel Title: Purchases
33. Locate the XML for the Purchases panel.
...
<panel>
<title>Purchases</title>
<table>
<query>search product_name!=NULL action=purchase
| stats sum(price) as Purchases</query>
...
35. Delete the Purchases panel's earliest, latest, and sampleRatio tags.
...
<query>search product_name!=NULL action=purchase
| stats sum(price) as Purchases</query>
</search>
...

37. Format the Purchases panel's visualization to display
as single value with the following settings:  
• Caption: Last 30 Days
• Use Colors: Yes
• Color Mode: No background
• Color Ranges:
– from min - 1000, red (d93f3c)
– from 1000 - 2000, yellow (f7bc38)
– from 2000 - max, green (65a637)
• Number Format:
– Unit: $
– Unit Position: Before
Example:
Task 6: Add a second single value panel with a post-process search.
and expected.
• Panel Title: Lost Sales
43. Locate the XML for the Lost Sales panel.
...
<title>Lost Sales</title>
<table>
<query>search product_name!=NULL action=remove
| stats sum(price) as LostSales</query>
...
45. Delete the Lost Sales panel's earliest, latest, and sampleRatio tags.
...
</query>
</search>
...
46. Delete the closing row tag and opening row tags between the single value panels.
...
</single>
</panel>
</row>
<row>
<panel>
<table>
...
48. Format the Lost Sales panel's visualization to display
as a single value with the following settings:
• Caption: Last 30 Days
• Use Colors: Yes
• Color Ranges:
– from min - 1, green (#65a637)
– from 1 - 1000, yellow (#f7bc38)
– from 1000 - max, red (#d93f3c)
• Number Format:
– Unit: $
– Unit Position Before
Example:
Task 7: Add prebuilt panels.
50. Enter dashboard edit mode.

51. Click +Add Panel > Add Prebuilt Panel.
52. Click Most Common Errors by Host.
53. Click Add to Dashboard.
54. Repeat the above steps for two other prebuilt panels:
55. Close the Add Panel sidebar.
56. Position the All Errors by Host panel to the right of Most Common Errors by Host.
Task 8: Convert prebuilt panels to inline panels driven by inline searches.
57. On the Most Common Errors by Host panel, click the Options icon.
58. Select Convert to Inline Panel.
59. Click Convert.
60. Click the Search Report icon.
61. Select the panel's report name, and click Clone to an Inline Search.
62. Click Clone to Inline Search.
63. Repeat the above steps for the remaining prebuilt panels:
Task 9: Add two post-process searches.

65. Locate the XML for the Most Common Errors by Host panel.
67. At the beginning of the query, add the word: search
...
<panel>
<title>Most Common Errors by Host</title>
<table>
<query>search sourcetype=access_combined status>399
| chart count by host, status limit=3 useother=f</query>
...
68. Remove the earliest and latest tags.
...
</query>
</search>
...
69. Locate the XML for the All Errors by Host panel, and repeat the above steps.
70. Save the XML changes and make sure all panels populate with data.
Example:
Task 10: Clear search jobs.
71. Open the Jobs page.
72. Make sure the App context is set to: Advanced Dashboards & Visualizations
73. Make sure the Owner is set to your name.
74. Delete your search history.
Task 11: Accelerate the global search.
76. Select Lab Dashboards > Version 2 - Web Store Server Errors.
77. Wait for all the panels to populate.
78. Return to the Jobs page.
81. Note the runtime for the base search.
___________________________________________________________________
NOTE: The base search begins with: | tstats summariesonly=f count from datamodel...
82. Return to the Version 2 - Web Store Server Errors dashboard.

83. Open the Splunk XML editor.
84. Update the base search's query to use the tstats argument summariesonly=t and the
bcg_dm_ws_xl accelerated data model.
...
<query>| tstats summariesonly=t count from
datamodel="bcg_dm_ws_xl" by _time, host, sourcetype,
...
NOTE: The summariesonly argument only applies when using tstats against an accelerated data
model. When set to true, 'tstats' only generates results from the TSIDX data that has been
automatically generated by the acceleration.

87. Return to the Jobs page.
90. Make a note of the run time for the revised base search.
______________________________________________________________________
NOTE: The revised base search begins with: | tstats summariesonly=t count from
datamodel="bcg_dm_ws_xl"
91. Compare the two search run times. Consider percentage of difference in the times.
Use Your Accelerated Data Model
This exercise walks you through the process of accelerating the data model you created in the lab 1
challenge lab exercise. If you have not already completed that challenge lab, go back and finish it.
Then, return here.
IMPORTANT: Accelerating a data model requires administrator-level access. For the purposes
of this exercise you have been given this particular privilege.
Data model acceleration should be reserved for data models that are heavily used.
Summaries take up space, and sometimes a significant amount of it, so it's important
to avoid overuse of data model acceleration.
After you enable acceleration for a data model, Splunk begins building summaries
that span the range you've specified. It builds them in indexes with events that
contain the fields specified in the data model.
Splunk runs a search every 5 minutes to update existing summaries. It runs a
maintenance process every 30 minutes to remove outdated summaries. These
settings can be adjusted by a Splunk Administrator.
Task 1: Accelerate your data model.

NOTE: The data model acceleration requires ~5 minutes to complete. Make sure Acceleration
Status displays: 100% Completed before continuing to task 3.
1. Navigate to: Settings > Data Models.

4. Locate the data model you created in the lab 1 challenge lab exercise.
5. In the Actions column, click Edit > Edit Permissions
6. Select Display for App.
7. Select Read for Everyone.
8. Select Write for power.
9. Click Save.
10. In the Actions column, click Edit > Edit Acceleration.
11. In the Edit Acceleration dialog, click Accelerate.
12. In the Summary Range dropdown, select 7 Days.
13. Click Save.
14. Click the arrow beside the data model's name to see status,
size, and other statistics.
Task 2: Clear search jobs.

16. Open the Jobs page.
19. Select all searches, and click Delete.
20. Click Delete to confirm.
21. Repeat the above steps until all jobs have been deleted.
Task 3: Revise the base search.
22. Return to the Version 2 - Web Store Server Errors dashboard.

23. Open the Splunk XML editor.
24. Update the global search's query to use your data model by changing the id referenced to:
bcg_dm_ws_<studentX>. For example, bcg_dm_ws_student7
...
<query>| tstats summariesonly=t count from
datamodel="bcg_dm_ws_<studentx>" by _time, host, sourcetype,
...

NOTE: After saving the XML, if your panels show the message: "Error in "TsidxStats': Could not
find datamodel.", look for typos in the XML. Compare the spelling of the data model ID in the
XML to the actual data model ID spelling.
27. Return to the search jobs page and make a note of the run time for the base search.
______________________________________________________________________
28. Compare the search time to the base search run time that used un-accelerated datamodel. Consider
percentage of difference in the times.
Lab Exercise 4 – Customizing Dashboards
Description
Once you have a high-performance dashboard that displays the data your stakeholders require, make
UI customizations.
IMPORTANT: When editing XML type the text manually or copy it from the dashboard editor —not this
document. Character formatting and artifacts created by the PDF generation process can
cause errors in the XML.
Scenario: The stakeholders have approved the higher-performance dashboard. Now they'd like a few
UI customizations, including:
- Use the company's brand colors for the chart of purchases and lost sales.
- Hide the search controls for all the panels.
- Set the refresh time for the panels.
- Change the server table's cell colors to match severity of the value shown.
- Change the marker map to display bubbles instead of pies.
Working Example: Adv. Dash. & Vis. > Lab Examples > Lab 4 - Customizing Dashboards - Example
Example:
Steps
Task 1: Customize chart colors.
1. Navigate to the Version 2 - Web Store Server Errors dashboard.
2. Clone the dashboard.
• Title: Version 3 - Web Store Server Errors
Note: Remove the word Clone from the end of the title.
• ID: bcg_webstore_dash_v3_server_errors
3. View the cloned dashboard.
5. Locate the option tags for the Purchases & Lost Sales panel.
6. Add a charting.fieldColors property to set the Purchases to orange (0xEFC94C) and the Lost Sales
field to red (0xED553B).
...
<option name="charting.legend.placement">bottom</option>
<option name="charting.fieldColors">{"Purchases":0xEFC94C,"Lost
Sales":0xED553B}</option>
</chart>
</panel>
</row>
...
8. Make sure the Purchases & Lost Sales panel's colors have changed to orange and red.
Task 2: Hide search controls.
9. Open the XML Editor.
10. Locate the option tags for the Purchases & Lost Sales panel.
11. Add chart properties to hide the following panel link buttons.
For example: <option name="refresh.link.visible">0</option>
Refresh Link refresh.link.visible
Inspect button link.inspectSearch.visible
Export Results button link.exportResults.visible
Open Search button link.openSearch.visible
NOTE: These are boolean properties.

...
<option name="charting.fieldColors">{"Purchases":0xEFC94C,"Lost Sales":0xED553B}</option>
<option name="refresh.link.visible">0</option>
<option name="link.inspectSearch.visible">0</option>
<option name="link.exportResults.visible">0</option>
<option name="link.openSearch.visible">0</option>
</chart>
...
12. Add these properties to the remaining panels.
14. Make sure the panel link buttons for each panel display only the Display Refresh Time.
Task 3: Set the panel refresh indicator.
15. Open the dashboard editor.

16. On the Purchases & Lost Sales panel, click the search properties icon.
17. Select Edit Search.
18. In the Refresh Indicator dropdown, select None: Background Search with No Progress Bar.
19. Click Apply.
20. Repeat the above steps for the following panels
• Purchases
• Lost Sales
• Most Common Errors by Host
21. On the All Status Errors by Location panel, click the search properties icon.
23. Notice the additional options: Time Range Scope, Time Range, and Auto Refresh Delay. These are
visible because this panel is not driven by a post-process search. For panels that use a post process
search, such as the other panels on this dashboard, these settings are made by editing the XML.
24. In the Refresh Indicator dropdown, select None: Background Search with No Progress Bar.
25. Click Apply.
Task 4: Set the panel refresh time.

27. Open the XML editor.
28. Locate the XML for the base search.
29. Add the refresh element with a time setting of 5 minutes.
<refresh>5m</refresh>
</search>
<row>
30. Save XML changes.
NOTE: Panels using post process searches will now automatically refresh when the base search
is refreshed.

32. On the All Status Errors by Location panel, click the search properties icon.
34. In the Auto Refresh Delay dropdown, select 5 minutes.
35. Click Apply.
Task 5: Add column summaries and cell colors.

38. On the Most Common Errors by Host, click the table format icon.
39. Click the Summary tab.
40. Select Percentages: Yes and close the window.
41. Click the format icon for the first status column.
42. Click the Color tab.
43. In the colors dropdown, select Scale.
44. In the Presets dropdown, select the Sequential, white to red.
45. Repeat the above steps for the two remaining status columns.
Example:
This exercise walks you through the process of making the cluster map display bubbles instead of pie
charts. The bubbles will be assigned colors using a rangemap and scale in size based on event counts.
Task 1: Search for web store server error locations.
1. Search online transactions for all client IP addresses and HTTP error codes for the last 30 days.
Hint: status>399
2. Eliminate duplicate client IP addresses and hosts.
3. Extract the IP location for each error.
Hint: iplocation
4. Count the total number of events for each location and store as TOTAL
Hint: geostats
Task 2: Add a rangemap.

5. Create a new field for each location called SEVERE. If the value of TOTAL is greater than or equal to
100, set SEVERE to the value in the TOTAL field. Otherwise, set it to 0.
6. Create a new field for each location called ELEVATED. If the value of TOTAL is greater than or equal
to 50 and less than 100, set ELEVATED to the value in the TOTAL field. Otherwise, set it to 0.
7. Create a new field for each location called LOW. If the value of TOTAL is less than 50 set LOW to the
value in the TOTAL field. Otherwise, set it to 0.
8. Remove the TOTAL field, so you can plot the SEVERE, ELEVATED, and LOW not a TOTAL.
9. Save the search as a report:

• Title: bcg_webstore_report_errors_by_location_custom
• Description: Bubble markers
10. Save and view the report.
Task 3: Add a property to the map visualization's XML.
11. Navigate to the Version 3 - Web Store Server Errors dashboard.

13. Locate the XML for the All Status Errors by Location panel.
14. Revise the search element to use the new report and refresh every 5 minutes:
...
<panel>
<title>All Status Errors by Location</title>
<map>
<search ref="bcg_webstore_report_errors_by_location_custom">
<refresh>5m</refresh>
</search>
<option name="drilldown">all</option>
...
15. Add the mapping.fieldColors property to set the map's bubble colors to green (0x339966), yellow
(0xFFCC99), red (0xCC6633).
...
<option name="mapping.type">marker</option>
<option name="refresh.display">none</option>
<option name="refresh.link.visible">0</option>
<option name="mapping.fieldColors">{LOW:0x339966,ELEVATED:0xffCC99,SEVERE:0xCC6633}</option>
</map>
</panel>
</row>
</dashboard>
...
17. Make sure the panel has updated to bubble markers.
Example:
Lab Exercise 5: Use Event Handlers
Description
In this exercise you will use the <selection> and <set> elements to capture a time range from one chart
and apply it to another chart on the same dashboard. This is referred to as a Pan & Zoom. Then, you'll
add a dynamic drilldown form the Sales by Category bar chart to a new form.
Scenario: The sales team likes the Vendor Sales Analysis form. They want to add a bar chart of sales
by category based on user input from the cascading menus and a time range selection on
the column chart.
They also want to add a dynamic drilldown to the sales by category bar chart that takes
users to a different form displaying information based on which category in the chart
was clicked.
Working Example: Adv. Dash. & Vis. > Lab Examples > Lab 5 - Use Event Handlers - Example
Example:
Task 1: Add the Sales by Category chart.
1. Navigate to the Version 1 - Vendor Sales Analysis dashboard.

2. Clone the dashboard and use these settings:
• Title: Version 2 - Vendor Sales Analysis
Note: Remove the word Clone at end of title.
• ID: bcg_vendor_form_sales_analysis_v2
NOTE: The search is not intended to display results at this point. This is normal and expected.

• Dashboard Title: Version 2 - Vendor Sales Analysis
• Panel Title: Sales by Category
7. Change the Sales by Category panel visualization to a Bar chart.
Task 2: Add a token filter for quotes.
8. Click the Sales by Category panel's search properties icon.

9. Click Edit Search.
10. Revise each of the three tokens to include a filter to wrap the value in quotes.
sourcetype=vendor_sales VendorCountry=$v_country_tok|s$
VendorStateProvince=$v_state_tok|s$ VendorCity=$v_city_tok|s$ | top categoryId
| rename categoryId as Category
11. Click Apply.
Task 3: Merge the visualizations to one panel.

13. Delete five tags between the two charts: the closing panel tag, closing row tag, opening row, opening
panel tag, and panel title tag.
...
</chart>
</panel>
</row>
<row>
<panel>
<title>Sales by Category</title>
<chart>
...
Task 4: Add a visualization event handler.
14. Locate the XML for the All Vendor Sales chart.
15. Add the following <selection> XML before the closing </chart> tag:
...
<option name="charting.chart">column</option>
<selection>
<set token="selection.earliest">$start$</set>
<set token="selection.latest">$end$</set>
</selection>
</chart>
...
16. Locate the XML for the bar chart.
17. Delete the sampleRatio element.
18. Replace the existing earliest and latest settings with predefined, time selection tokens.
...
</query>
<earliest>$selection.earliest$</earliest>
<latest>$selection.latest$</latest>
</search>
...
Task 5: Test the cascading menus and event handler.
21. Reduce the time range by clicking and dragging on the All Vendor Sales visualization.
22. Notice the bar chart update after making a selection on the All Vendor Sales column chart.
Example:
Task 6: Add a dynamic drilldown.
24. Locate the XML for the bar chart visualization.
25. Add the following <drilldown> and <link> XML below the option tags:
...
<option name="charting.chart">bar</option>
<drilldown>
<link>
<![CDATA[/app/advdash/bcg_vendor_sales_drilldown_dest?form.catego
ryId=$click.value$&earliest=$earliest$&latest=$latest$]]>
</link>
</drilldown>
</chart>
</panel>
</row>
</form>
NOTE: If you copy and paste the above text watch for extra spaces.

Task 7: Create a drilldown destination form.
NOTE: This search is not intended to display results at this point. This is normal and expected.
28. Save the search as a panel and add it to a new dashboard.

• Dashboard Title: Sales Drilldown Destination
• Dashboard ID: bcg_vendor_sales_drilldown_dest
Important: Use this exact dashboard ID name.
• Panel Title: Sales Trend: $categoryId$
• Panel Power by: Inline Search
NOTE: This dashboard will not display results until an input is added in the next task.
Task 8: Add a text input.

31. Add a text input and use the following settings:
General
• Label: Enter a category name:
• Token: categoryId
• Default: *
32. Click Apply.
Task 9: Add a time input.
33. Add a time input and use the following settings:

Token Options
• Token: Delete the default token. Leave empty.
• Default: Last 30 Days
NOTE: This time input will not display the new default time range until the dashboard changes
are saved.
34. Click the search properties icon on the Sales Trend panel.
36. In the Time Range Scope dropdown, select: Shared Time Picker (global).
37. Click Apply.
38. Save the dashboard.
Task 10: Test the dynamic drilldown.
39. Select Lab Dashboards > Version 2 - Vendor Sales Analysis
41. Reduce the time range by clicking and dragging on the All Vendor Sales chart.
42. Click one of the categories on the bar chart.
The drilldown destination form should open and populate with the category you clicked on, and the
time range should display the custom time range value passed from the Version 1 - Vendor Sales
Analysis form.
Example:
Add a selected time range to the panel title.
In your dashboard you have a pan & zoom that shows a selection in the top panel visually. Yet the bar
chart doesn't show the time range. Using tokens to add the selected time range to the bar chart's title is
an easy way to show this.
Example:
Task 1: Add a selected time range to the visualization's title.
1. Select Lab Dashboards > Version 2 - Vendor Sales Analysis.

3. Locate the All Vendor Sales <selection> tag.
4. Set two additional tokens in the <selection> group, one for the earliest selected time and one for the
latest selected time.
<option name="charting.chart">column</option>
<selection>
<set token="selection.earliest">$start$</set>
<set token="selection.latest">$end$</set>
<eval token="fromDate">strftime($selection.earliest$,"%m/%d/%y")</eval>
<eval token="toDate">strftime($selection.latest$, "%m/%d/%y")</eval>
</selection>
5. Locate the bar chart XML.
6. Add a title with two tokens to the chart visualization.
...
</selection>
</chart>
<chart>
<title>Sales by Category for $fromDate$ to $toDate$</title>
<search>
...
Task 2: Test the new panel title.

9. Reduce the time range by clicking and dragging on the All Vendor Sales chart. The Sales by
Category panel title should reflect the dates of the selection. If not, check for XML typos.
Lab Exercise 6 – Add Advanced Visualizations
Description
In this exercise you will use simple XML extensions to add advanced visualizations and behaviors to a
dashboard. The dashboard will include a horizon chart. A horizon chart is similar to an area chart that is
restricted to a smaller vertical space. Portions of the chart that fall above or below the defined area are
shown in shades of the main color or different colors.
Scenario: The web marketing team has seen the sales team's web store server errors dashboard and
would like something similar but with a greater emphasis on status errors. The dashboard
should allow users to select a time range, and locations by country or city.
It should have panels that display metrics for the following:
- Global server errors
- Global status errors over time
- Server errors by country
- Server errors by city
- Top 10 status errors
- Top 10 status errors by day of week
Working Example: Adv. Dash. & Vis. > Lab Examples > Lab 6 - Add Advanced Visualizations - Example
Example:
Steps
Task 1: Create a new dashboard.
2. Display the results as a Single Value visualization.
3. Save the search as a panel on a new dashboard:
• Dashboard Title: Version 1 - Mktg - Web Server Errors
• Dashboard ID: mktg_web_dash_server_errors_v1
• Permissions: Private
• Panel Content: Single Value
NOTE: You are intentionally leaving the panel title blank.
Example:
Task 2: Add a dropdown input for Country.
5. Use the following settings:

General
• Label: Country
Token Options
• Token: country_tok
Static Options
• Name: All Countries
• Value: *
Token Options
• Default: All Countries
Dynamic Options
• Search String: sourcetype=access_combined | iplocation clientip | stats
count by "Country"
• Field For Label: Country
• Field For Value: Country
6. Click Apply.
7. Click the Country dropdown menu and make sure a list of countries displays.
Task 3: Add a dropdown input for City.
8. Use the following settings:
General
• Label: City
Token Options
• Token box: city_tok
Static Options
• Name: All Cities
• Value: *
Token Options
• Default: All Cities
Dynamic Options
• Search String: sourcetype=access_combined | iplocation clientip | eval City
= if(match(City,"^\w"),City,"unknown") | search Country="$country_tok$"
City!="unknown" | stats count by "City"
• Field For Label: City
• Field For Value: City
9. Click Apply.
10. Click the City dropdown menu and make sure a list of cities displays.
NOTE: If the input is not working, check its settings for typos. Also, reload the web page and try again.
Task 4: Add a time input.

11. Add a time input and use the following settings:
General
• Label: Time
Token Options
• Token: time_tok
• Default: Last 7 Days
12. Click Apply.
Task 5: Add a panel that shows status errors for all locations.

14. Add a visualization title to the panel: All Locations
...
<row>
<panel>
<single>
<title>All Locations</title>
<search>
...
15. Copy the XML for the All Locations panel.
16. Paste the XML on the same row, after the existing All Locations single-value panel.
17. Revise the visualization panel to: Country
18. Add a search command to the query that filters results to the current value of the token:
| search Country="$country_tok$"
...
</single>
</panel>
<panel>
<single>
<title>Country</title>
<search>
<query>sourcetype=access_combined status>399 clientip=*
| iplocation clientip | search Country="$country_tok$"
| timechart count</query>
<earliest>-7d@h</earliest>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
...
</single>
</panel>
Task 6: Add a panel that shows status errors for a selected city.
19. Copy the XML for the Country panel, and paste it on the same row, after the existing Country panel.
20. Revise the visualization panel to: City
21. Revise the search to use the current value of the city token: City="$city_tok$"
...
</panel>
<panel>
<single>
<title>City</title>
<search>
| iplocation clientip | search Country="$country_tok$"
City="$city_tok$" | timechart count</query>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
...
</single>
</panel>
</row>
</form>
22. Delete the opening and closing panel tags between the Country and City visualizations.
...
</single>
</panel>
<panel>
<single>
<title>City<title>
...
The three single-value visualizations should now display on the same row, in two panels.
Example:
Task 7: Revise each visualization's search to use the Shared Time Picker.

25. Click the search properties icon on the All Locations visualization.
27. Select Time Range Scope > Shared Time Picker (time_tok).
28. Click Apply.
29. Repeat the above steps for the two other panels:
• Country
• City
Task 8: Test the tokens.
31. Select a Country, City, and time from the dropdown menus.
32. Verify the Country and City panel values update to reflect your input choices.
Task 9: Format the single-value panels.

34. Format the All Locations visualization with the following settings:
General
• Drilldown: No
• Show Trend Indicator: Yes
• Show Trend in: Percent
• Compared to: Custom > Auto
• Caption: All Server Errors
• Show Sparkline: Yes
Color
• Use Colors: Yes
• Color by: Trend
• Trend Interpretation: Negative values in green
• Color Mode: Block background
35. Format the two remaining single value visualizations,
Country and City, with the following settings:
General
• Drilldown: No
• Show Trend Indicator: Yes
• Show Trend in: Percent
• Compared to: Custom > Auto
• Caption: Server Errors
• Show Sparkline: Yes
Color
• Use Colors: Yes
• Color by: Value
• Ranges:
– from min - 20, green (65a637)
– from 20 - 30, light blue (6db7c6)
– from 30 - 40, yellow (f7bc38)
– from 40 - 50, orange (f7bc38)
– from 50 - max, red (d93f3c)
• Color Mode: Block background
Example:
Task 10: Add a prebuilt panel that displays a table of the top 10 status errors.
36. Add a prebuilt panel: Lab 6 - Top 10 Status Errors

37. Convert the panel to an inline panel.
38. Revise the panel title to be: Top 10 Status Errors
Task 11: Add simple XML extensions for JavaScript and CSS to display a bar in a table cell.

40. Locate the opening <form> tag and add a script reference for table_data_bar.js and
table_data_bar.css:
<form script="table_data_bar.js" stylesheet="table_data_bar.css">
<label>Version 1 - Mktg - Web Server Errors</label>
...
NOTE: These two files have already been uploaded to /appserver/static directory of the course app.
You can find them after class in the Splunk Dashboard Examples app on Splunkbase.
41. Locate the XML for the Top 10 Status Errors table.
42. Add an id to the table opening tag: id="table1"
...
<row>
<panel>
<title>Top 10 Status Errors</title>
<table id="table1"
...
Example:
Task 12: Use simple XML extensions to display a punchcard visualization.
45. Add a prebuilt panel: Lab 6 - Top 10 Server Errors by Day of Week
46. Convert the panel to an inline panel.
47. Revise the panel title to: Top 10 Server Errors by Day of Week
48. Position the panel on the right of the Top 10 Status Errors panel.
50. Locate the <form> tag and add a script reference for autodiscover.js followed by a comma.
<form script="autodiscover.js, table_data_bar.js" stylesheet="table_data_bar.css">
<label>Version 1 - Mktg - Web Server Errors</label>
...
51. Locate the XML for the Top 10 Server Errors by Day of Week panel.
52. Remove the opening and closing <table> </table> tags.
53. Revise the <search> tag to have an id: <search id="punchcard_search">
...
<panel>
<title>Top 10 Server Errors by Day of Week</title>
<table>
<search id="punchcard_search">
| iplocation clientip
| search Country="$country_tok$" City="$city_tok$"
| eval wday=strftime(_time, "%a")
| top wday, description</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
</table>
</panel>
</row>
...
54. Add opening and closing <html> </html> tags after the closing </search> tag.
...
</search>
<html>
</html>
</panel>
</row>
</form>
55. Add <div> tag references and data options:
...
<html>

</html>
...
57. Reload the browser and make sure the punchcard visualization displays.
NOTE: When adding single quotes, use escaped single quotes for the settings nested under the data-
options element, as shown in the supporting file's code.
If the punchcard panel does not display properly check for typos in the XML, a missed step, or
copy the code again from the supporting file.
Example:
Task 13: Add prebuilt panels.

59. Add three prebuilt panels:
• Lab 6 - Chart 1
• Lab 6 - Chart 2
• Lab 6 - Chart 3
60. Convert all three prebuilt panels to inline panels.
Task 14: Change panel visualizations.
61. Change Lab 6 - Chart 1 table to a Horizon chart.

62. Change Lab 6 - Chart 2 table to a Column chart.
Task 15: Add a link switcher.
63. On the dashboard, click +Add Input > Link List.

64. Drag the input onto the horizon chart.
65. Add the following settings to the Link List input:
General
• Label: delete field1 (leave empty)
Token Options
• Token: unused
Note: Type the text: unused
Static Options
Name Value
Horizon horizon
Column column
Table table
Token Options
• Default: Horizon
66. Click Apply.
Task 16: Add a form input event handler.

68. Locate the XML for the link input.
TIP: Scroll down to the XML for Lab 6 - Chart 1.
69. Add opening and closing <change></change> tags after the closing </choice> tag for Table.
70. Add opening and closing <condition></condition> tags between the <change></change> tags.
...
<choice value="table">Table</choice>
<change>
<condition>
</condition>
</change>
<default>horizon</default>
</input>
...
71. Add the attribute value="horizon" to the opening <condition> tag.
<change>
<condition value="horizon">
</condition>
</change>
</input>
...
72. Add open and closing <unset token> tags for the token showTable between the <condition> tags.
73. Add open and closing <unset token> tags for the token showCol between the <condition> tags.
74. Add open and closing <set token> tags for the token showHorizon between the <condition> tags
and set the value to true.
...
<change>
<unset token="showTable"></unset>
<unset token="showCol"></unset>
<set token="showHorizon">true</set>
</condition>
</change>
...
75. Repeat the above steps, adding condition, unset and set tokens tags and appropriate tokens for the
two remaining visualizations, column and table.
...
<change>
<set token="showHorizon">true</set>
</condition>
<condition value="column">
<set token="showCol">true</set>
<unset token="showHorizon"></unset>
</condition>
<condition value="table">
<set token="showTable">true</set>
<unset token="showHorizon"></unset>
</condition>
</change>
...
76. Revise the Lab 6 - Chart 1 panel title to be: All Status Errors
...
<row>
<panel>
<title>All Status Errors</title>
<input type="link" token="unused" searchWhenChanged="true">
...
77. Locate the XML for the horizon chart visualization.
78. Add an id and a depends attribute to the <viz> tag: id="horizon" depends="$showHorizon$"
...
</input>
<viz id="horizon" depends="$showHorizon$" type="horizon_chart_app.horizon_chart">
<search>
...
79. Locate the XML for Lab 6 - Chart 2.
80. Delete the title.
...
<row>
<panel>
<title>Lab 6 - Chart 2</title>
<chart>
<search>
...
81. Add an id and a depends attribute to the <chart> tag: id="column" depends="$showCol$"
...
<panel>
<chart id="column" depends="$showCol$">
...
82. Locate the XML for Lab 6 - Chart 3.
83. Delete the title tag and its contents.
...
<row>
<panel>
<title>Lab 6 - Chart 3</title>
<table>
<search>
...
84. Add an id and a depends attribute to the <table> tag: id="table" depends="$showTable$"
...
<panel>
<table id="table" depends="$showTable$">
...
Task 17: Format the Horizon Chart.
86. Format the horizon chart visualization with the following settings:
General
• Number of bands: 2
• Calculate relative change: No
• Show change in: Absolute value
• Smooth: Yes
Colors
• Negative color: Blue (6db7c6)
• Positive color: Red (d93f3c)
88. Test the Horizon, Column, and Table links.
Example:
Add Dynamic Labels
Scenario: The web marketing likes the dashboard. However, they'd like it to also have dynamic labels
for the single value panels.
- Make the country and city panel titles reflect the selections in the dropdown menus
- Make the single value captions display the time range selected.
Example:
Task 1: Clone the dashboard.
1. Navigate to the Version 1 - Mktg - Web Server Errors dashboard.

2. Clone the dashboard.
• Title: Version 2 - Mktg - Web Server Errors
Note: Remove the word Clone at end of title.
• ID: mktg_web_dash_server_errors_v2
3. View the cloned dashboard.
Task 2: Add form input event tokens
5. Locate the XML for the Country input.

6. Immediately before the closing </input>, add a change element.
7. Using the predefined input token for the value of label, set a custom token named: input1_label
...
<choice value="*">All Countries</choice>
<fieldForLabel>Country</fieldForLabel>
<fieldForValue>Country</fieldForValue>
<default>*</default>
<change>
<set token="input1_label">$label$</set>
</change>
</input>
...
8. Repeat the above steps for the City input with the token: input2_label
...
<choice value="*">All Cities</choice>
<default>*</default>
<change>
</change>
</input>
...
9. Repeat the above steps for the Time input with the token: input3_label
...
<input type="time" token="time_tok" searchWhenChanged="true">
<label></label>
<default>
</default>
<change>
</change>
</input>
...
Task 3: Add input label tokens to the single value visualization titles
12. Revise the Country visualization title to use the value token for the country input.
$input1_label$
13. Revise the City visualization title to use the value token for the city input.
$input2_label$
Task 4: Add input label tokens to the single value captions

14. Click the visualization formatting icon for All Location visualization.
15. On the General tab, add the time input's label token to the Caption box.
$input3_label$
16. Repeat the above steps for the Country and City visualizations captions.
Example:
17. Save the dashboard changes and reload your browser.
Task 5: Test the labels

18. Select a country, city, and time range.
19. Make sure the visualization labels update to reflect the selections.
20. Make sure the captions for each visualization update to reflect the time range selection.
21. Hide the filters.
NOTE: If a label isn't updated, open the XML editor and look for typos in the input change element or
the caption property.

Advanced Dashboards & Visualizations - Labs: Dashboard in The Course App

Uploaded by

Copyright:

Available Formats

You might also like

Advanced Dashboards & Visualizations - Labs: Dashboard in The Course App

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Advanced Dashboards & Visualizations - Labs: Dashboard in The Course App

Uploaded by

Copyright:

Available Formats

Advanced Dashboards & Visualizations – Labs

Visualization Editor Icons

Search Properties Visualization Visualization Formatting

Lab Connection Info

Type Source type Interesting Fields

Scope Definition Convention

Task 3: Add a table of most common web server errors by host.

Task 4: Add a time series chart of all web server errors.

Task 5: Add a map of web store server error locations.

Task 1: Create a data model.

1. Select Settings > Data models.

Task 2: Add auto-extracted fields.

6. Select Add Field > Auto-Extracted.

Task 3: Add eval expression fields for NULL values.

HINT: The price field type is numeric.

Task 4: Test your data model.

Question 2: What is the difference between the values of:

Question 3: What is the difference between the values of:

3. Save, then view the dashboard.

Task 4: Add a menu input for state/province.

13. Click +Add Input and select Dropdown.

Task 5: Add a menu input for City.

16. Click +Add Input and select Dropdown.

20. Save the dashboard and reload your browser window.

Task 6: Test the form inputs.

21. Select a Country, State/Province, and City.

1. Navigate to: Settings > Searches, reports, and alerts

Question 2: What, if any, change(s) would be required to accelerate it?

9. Schedule the bcg_webstore_report_status_errors_by_location report with the same settings:

Task 4: Add a chart that uses a post-process search.

20. Save the search as a panel and add it to an existing dashboard:

Task 5: Add a single value panel with a post-process search.

30. Save the search as a panel and add it to an existing dashboard:

36. Save the XML changes.

Task 6: Add a second single value panel with a post-process search.

Task 7: Add prebuilt panels.

50. Enter dashboard edit mode.

Task 8: Convert prebuilt panels to inline panels driven by inline searches.

Task 9: Add two post-process searches.

64. Open the Splunk XML Editor.

82. Return to the Version 2 - Web Store Server Errors dashboard.

85. Save the XML changes.

Task 1: Accelerate your data model.

1. Navigate to: Settings > Data Models.

Task 2: Clear search jobs.

Task 3: Revise the base search.

22. Return to the Version 2 - Web Store Server Errors dashboard.

25. Save the XML changes.

NOTE: These are boolean properties.

15. Open the dashboard editor.

Task 4: Set the panel refresh time.

31. Open the dashboard editor.

37. Open the dashboard editor.

44. In the Presets dropdown, select the Sequential, white to red.

Task 2: Add a rangemap.

9. Save the search as a report:

Task 3: Add a property to the map visualization's XML.

11. Navigate to the Version 3 - Web Store Server Errors dashboard.