Inspiration

I needed a way to show which tape drives were busy reading tapes, what server was using them, etc. I started by showing the current status in a table, but this wasn't a great way to visualize the evolution over time. There were many questions I wanted answers to: are all the drives being used equally? What are the patterns of usage over time? Are some servers hogging the drives more than others? Are the same tapes mounted very often? Going through the logs was not a very practical way of answering these questions, so I had to come up with a better way.

And so, the Gantt Chart Visualization app was born! This visualization allows me to show the usage of tape drives over time, which is a huge help in distilling the data in the logs into actual useful information. From that, I can see patterns of usage of drives, spot problematic drives, servers that are hogging resources, etc. I can hover over a bar and see all the details for that mount: when it started, finished and it's duration, what server mounted which drive, the session number, etc. Clicking on the bar will drill down into the raw logs for that particular session, allowing me to spot exactly what was going on.

Features

This app allows you to graph a set of "transactions" (anything with a start time and an end time), split over different "categories" along the y axis. The "transactions" are colored according to their "series", which allows you to group them graphically. Hovering over a transaction shows all the relevant information, such as at least the start and end times, the duration, etc. The app is very customizable, making it very flexible:

  • Transactions can be defined by specifying a start time and an end time, or by either one plus a duration. The user can specify the name of the field that contains each element. Transactions overlapping in time for the same category are displayed underneath each other.
  • The fields that define categories and series are also configurable by the user. Additionally, the user can optionally choose a better label than "Category" and "Series" for the tooltip and the Y axis to further customize their graph.
  • The list of categories can be seeded by the results of another Splunk search. This is useful for populating a list of available resources when they may not all be used by the data being visualized.
  • Fully configurable drilldown behavior. By default, clicking on a transaction will drilldown by time, but the user can specify a particular field to use for the drilldown. For maximum drilldown flexibility, the user can specify a custom search (instead of the autogenerated drilldown search), and all the fields of a particular transaction can be used within the search. This is very useful to show, for example, all the details of a particular transaction within the log files, instead of just the data used to generate the graph.
  • Emit tokens instead of drilldown events. The user may specify a token name and a field from where to grab the value. This way, clicking on a transaction will fill in the value of the token with the value of the specified field. This permits driving other searches on a dashboard from the user's interaction with the gantt chart. You can also drive the gantt chart with tokens from other searches, of course.
  • Mouse-over highlights, just like default Splunk charts. By default, hovering over a transaction highlights its series in the legend, and hovering over an item in the legend highlights all transactions of the same series. However, the user can also choose a particular field to highlight by so that when you hover over a transaction, all transactions with a common value for that field are also highlighted. This is useful for displaying, for example, all other servers that mounted the same tape volume.
  • Many customization options:
    • Show the full time axis, or only the time span with data.
    • Sort the categories and/or the series alphabetically, or rely on Splunk's ordering.
    • Show or hide the legend.
    • Customize the labels of the Category and Series.
    • The user may specify extra data to display in the tooltip by providing a JSON string of key-values.
    • The compact mode draws thinner bars, which is good for when you have more categories or many concurrent transactions.
  • Full documentation and examples bundled with the app itself, just like in the Splunk Dashboard Examples app.

Updates

This app was already uploaded to Splunk Apps (https://apps.splunk.com/app/1741/) before the start of this contest. Here are a few of the changes implemented since then:

  • Allow legend to wrap over multiple lines in order to accommodate large numbers of different series.
  • Implemented custom drilldown searches.
  • Implemented functionality to emit tokens instead of drilldowns.
  • Introduced several new customization options: timeAxisMode, categorySort and seriesSort.
  • Restored compatibility with Splunk 6.0 and 6.1.
  • Improved documentation and examples.
  • Many bug fixes!

Built With

Share this project:
×

Updates