You can find more information about use cases in the following Splunk blogs:
- Chasing a Hidden Gem: Graph Analytics with Splunk’s Machine Learning Toolkit
- Understanding and baselining network behaviour - part 1
- Understanding and baselining network behaviour - part 2
```
| stats count by src dest [color_src] [color_dest] [edge_color] [weight_src] [weight_dest] [edge_weight]
```
Replace `src` and `dest` with your own fields to start. All other fields are optional; default values are used when they are not given. They customise the styling of nodes and edges (links).
Field Name | Type | Description | Example
---|---|---|---
color_src | string | Color of source node in HEX | #00DD00
color_dest | string | Color of destination node in HEX | #CC00FF
edge_color | string | Color of edge in HEX | #12FF00
weight_src | numeric | Sphere size of source node | 2.5
weight_dest | numeric | Sphere size of destination node | 3
edge_weight | numeric | Stroke weight of edge line in pixels | 2.1

Note: an `edge_weight` value higher than 18 will be normalised to 18.
To enrich your dashboards with some interactivity, enable drilldown in your dashboard panel. For example, with the configuration below, clicking on a node in your graph populates a token with the value of the field named `src`:
```xml
<option name="drilldown">all</option>
<drilldown>
  <set token="tok">$row.src$</set>
</drilldown>
```
This token can then be used within your dashboard in another panel or visualisation.
```
$~ cat {your_lookup_table}.csv
source,color,weight
A,#010101,50
B,#ff0101,10
...
```
```
{search} | stats count by src dest | lookup {your_lookup_table} source AS src OUTPUTNEW color AS color_src, weight AS weight_src | lookup {your_lookup_table} source AS dest OUTPUTNEW color AS color_dest, weight AS weight_dest
```
```
{search} | stats count as edge_weight by src dest | eval color_src="#cc0000", color_dest="#00ff00", weight_src=3 | eval edge_color=if(edge_weight < 18, "#0000cc","")
```
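The two searches above produce the row shape the visualization consumes: one row per `src`/`dest` pair with optional styling fields, node styling pulled from a lookup table and the edge stroke derived from the connection count. The following Python script is an added example (not part of the app or its documentation) that builds the same rows outside Splunk, so you can check what a lookup and a count-based edge weight will look like before wiring them into a dashboard. It assumes a constructed lookup CSV with the `source,color,weight` columns shown above and a constructed list of connection records; it validates the HEX colors, applies the lookup to both ends of each edge, and pre-caps `edge_weight` at the 18 the visualization normalises to, using a distinct color (my choice, not the app's) for saturated edges so they stay visible instead of blending in.

```python
"""Build rows in the shape expected by the 3D graph visualization.

Added example: stand-in for "| stats count by src dest | lookup ..." that
runs offline on constructed data. Field names follow the app's table;
sample data, colors and defaults are assumptions made for the example.
"""
import csv
import io
import re
from collections import Counter

MAX_EDGE_WEIGHT = 18            # the visualization normalises anything higher to 18
DEFAULT_NODE_COLOR = "#999999"  # assumed fallback for nodes absent from the lookup
DEFAULT_NODE_WEIGHT = 1.0
EDGE_COLOR = "#0000cc"          # same edge color the page's search uses
SATURATED_EDGE_COLOR = "#cc0000"  # assumed marker for edges that hit the cap

# Constructed lookup table, same columns as {your_lookup_table}.csv above.
SAMPLE_LOOKUP_CSV = """source,color,weight
10.0.1.5,#010101,50
10.0.2.20,#ff0101,10
"""

# Constructed connection records (src, dest), already reduced to the two
# fields the search groups on; 10.0.3.7 is deliberately missing from the lookup.
SAMPLE_CONNECTIONS = (
    [("10.0.1.5", "10.0.2.20")] * 20
    + [("10.0.1.5", "10.0.3.7")] * 3
    + [("10.0.3.7", "10.0.2.20")]
)

HEX_COLOR = re.compile(r"#[0-9A-Fa-f]{6}")


def is_hex_color(value):
    """True for a 6-digit HEX color such as #00DD00, as the app's fields expect."""
    return bool(HEX_COLOR.fullmatch(value or ""))


def load_lookup(csv_text):
    """Parse the lookup CSV into {source: {"color": ..., "weight": ...}}.

    Rejects malformed colors up front rather than passing them to the renderer.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_hex_color(row["color"]):
            raise ValueError("bad color %r for source %r" % (row["color"], row["source"]))
        table[row["source"]] = {"color": row["color"], "weight": float(row["weight"])}
    return table


def count_edges(connections):
    """Equivalent of '| stats count by src dest'."""
    return Counter(connections)


def build_graph_rows(connections, lookup):
    """One row per (src, dest) pair with the visualization's styling fields."""
    rows = []
    for (src, dest), count in sorted(count_edges(connections).items()):
        s = lookup.get(src, {})
        d = lookup.get(dest, {})
        capped = count > MAX_EDGE_WEIGHT
        rows.append({
            "src": src,
            "dest": dest,
            "count": count,
            "color_src": s.get("color", DEFAULT_NODE_COLOR),
            "color_dest": d.get("color", DEFAULT_NODE_COLOR),
            "weight_src": s.get("weight", DEFAULT_NODE_WEIGHT),
            "weight_dest": d.get("weight", DEFAULT_NODE_WEIGHT),
            "edge_weight": min(count, MAX_EDGE_WEIGHT),
            "edge_color": SATURATED_EDGE_COLOR if capped else EDGE_COLOR,
        })
    return rows


FIELD_ORDER = ["src", "dest", "count", "color_src", "color_dest",
               "weight_src", "weight_dest", "edge_weight", "edge_color"]


def rows_to_csv(rows):
    """Serialise rows as CSV in a fixed field order (e.g. to load as a lookup)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELD_ORDER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(rows_to_csv(build_graph_rows(SAMPLE_CONNECTIONS, load_lookup(SAMPLE_LOOKUP_CSV))))
```

The cap matters operationally: once an edge reaches 18 the stroke width no longer tells you whether the pair talked 20 or 20,000 times, so keep the raw `count` in the row (or use a log scale before assigning `edge_weight`) when the graph is meant to highlight unusually chatty hosts.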
Four dashboards are provided to show graph algorithms in action using NetworkX. Select them from the Graph Example Dashboards dropdown in the app navigation bar.
Make sure you have the following Splunk apps installed in your instance so that the integrated dashboards render correctly.
Give global permissions to the MLTK app if that has not already been done.
This app is open-sourced on GitHub, so if you are considering contributing to it, please refer to the contribution guidelines. Thanks in advance!
Big thanks to Erica for making this custom visualisation real!
And a big thanks to Oliver for his awesome color gradient macros which are bundled in the app, too!
Finally, many thanks to Greg for adding his work on the graph analytics workflow.
Added graph analysis workflow and dashboards
Bug fixes and improvements