Network Diagram Viz

Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
This app gives you a new way to visualize your data, allowing you to better communicate information in dashboards and reports. After installing this app you will see Network Diagram Viz as an additional item in the visualization picker in Search and Dashboard.

The Network Diagram Viz lets you visualize how different monitored end-points relate to one another. You can use the Network Diagram Viz to show the relationship between servers, services, or people in a dashboard panel or report.

As seen in the Splunk blog post: https://www.splunk.com/en_us/blog/security/visual-link-analysis-with-splunk-part-2-the-visual-part.html

Profiled on YouTube by the Splunk & Machine Learning channel: https://www.youtube.com/watch?v=2pbEVARIC3w

Daniel Spavin
I am a Splunk Professional Services consultant working for JDS Australia (https://www.jds.net.au), in Melbourne Australia.

Version Support

8.0, 7.3, 7.2, 7.1, 7.0, 6.6, 6.5, 6.4, 6.3, 6.2, 6.1, 6.0

Who is this app for?

This app is for dashboard designers who want to display how different entities are related to eachother on a dashboard panel.

How does the app work?

This app provides a visualization that you can use in your own apps and dashboards.

To use it in your dashboards, simply install the app, and create a search that provides the values you want to display.

Usecases for the Network Diagram Visualization:

  • Displaying current server status based on CPU, Memory, I/O, and Disk usage
  • Visually associating users with actions, e.g. purchases, crashes, errors
  • Visualising the connection speeds between two hosts or services
  • Showing how events are related to eachother

The following fields can be used in the search:
- from (required): The unique name of the source entity.
- to (optional): The unique name of the destination entity.
- value (optional): Text to display as a tool tip. This text is also available as a token when the entity (from) is clicked.
- type (optional): This is used to display the entity on the dashboard (from). Use the list of icons available, Splunk server icons, or shapes.
- color (optional): Used to set the color of the text and icon (except for Splunk icons).
- linktext (optional): Text to display on the link between the from and to entities.

Options can be overwritten, so if type or color is set multiple times in the search results, the last value will be used. This is useful if you wish to set the icon types and values via a lookup table at the end of your search.

Save Layout Designs

You can now save the layout of a Network Diagram Viz to make sure a specific layout is always displayed on your dashboards.

To create a layout, go to the Create Layouts dashboard and follow these steps:

  • Paste in your search then click Run Search to generate a Network Diagram Viz
  • Drag the nodes around until you are happy with the design.
  • A new search is generated in the third panel. Replace your original search with the new search to save your layout.

Note: You must have physics turned off: General > Enable Physics = false
You must also turn off hierarchy settings: Hierarchy > Hierarchy View = false

To prevent users from altering your layout, you can choose to disable draggable nodes: General > Draggable Nodes = false

Example Search

| makeresults count=12
| streamstats count as id 
| eval from=case(id=1,"Load Balancer",id=2,"Load Balancer",id=3,"Load Balancer", id=4,"Web 1",id=5,"Web 1", id=6, "Web 2",id=7,"Web 2", id=8,"Web 3",id=9,"Web 3",id=10,"App Server 1",id=11,"App Server 2",id=12, "Database Server") 
| eval to=case(id=1,"Web 1",id=2,"Web 2",id=3,"Web 3", id=4,"App Server 1",id=5,"App Server 2", id=6, "App Server 1",id=7,"App Server 2", id=8,"App Server 1",id=9,"App Server 2",id=10,"Database Server",id=11,"Database Server",id=12, "") 
| eval value=case(id=1,"Load Balancer",id=2,"Load Balancer",id=3,"Load Balancer", id=4,"Web 1",id=5,"Web 1", id=6, "Web 2",id=7,"Web 2", id=8,"Web 3",id=9,"Web 3",id=10,"App Server 1",id=11,"App Server 2",id=12, "Database Server") 
| eval type=case(id=1,"sitemap",id=4,"server", id=6, "server",id=8,"server",id=10,"server",id=11,"server",id=12, "database") 
| fields from, to, value, type


Tokens are generated each time you click a node. This can be useful if you want to populate another panel on the dashboard with a custom search, or link to a new dashboard with the tokens carying across.

  • Node: This is the unique node name (e.g. the server name). Default value: $nd_node_token$
  • Value: This is the value/tooltip as it was defined in the search results. Default value: $nd_value_token$

Issues and Limitations

If you have a bug report or feature request, please contact daniel@spavin.net

Privacy and Legal

No personally identifiable information is logged or obtained in any way through this visualizaton.

For support

Send email to daniel@spavin.net

Support is not guaranteed and will be provided on a best effort basis.

3rd Party Libraries

This visualization uses the network module from visjs.org

Icons made by Smashicons from www.flaticon.com is licensed by CC 3.0 BY

Icons made by https://fontawesome.com

Release Notes

Version 2.0.0
May 6, 2021

v 2.0.0
- All 'to' nodes are now generated by default, simplifying the search
- The "box" type now has legible text. See it used on the Business Process example dashboard
- Added business process use case with the updated "box" type
- Drill-downs are disabled on all search results pages. This allows you to move the nodes around on the search/visualization tab without performing a drill-down
- There is now a faint box around the node text to help legibility (disabled on IE browsers)
- Created new option for Physics: Partial. This option (along with dynamic lines and line length) will let you see multiple links between the same nodes without them overlapping. See it on the new General Examples dashboard
- Updated libraries to the latest versions
- Bug fix: NodeText won't be overwritten with blank values
- Bug fix: Fixed error where some default icon options were ignored
- Other minor bug fixes

Version 1.8.0
Oct. 18, 2020

v 1.8.0
- Improved dark-mode compatibility for link text
- Fixed bug were a panel resize would make the diagram appear off-centre
- Added new field: nodeText so you can have a different label for a node to the from field. Defaults to the 'from' field value.
- Added option to make drill-downs activate on double-click only, so you can move nodes around without it trying to drill-down.

Version 1.7.0
Aug. 9, 2020

v 1.7.0
* Drill-downs now work on a single click, rather than a double click
* You can now set the link length from search by specifying a linkLength field
* Default link length can be set in options
* Under Hierarchy settings you can now specify the distance between layers, and if Physics is disabled, spacing between nodes
* The options menu has been re-organised to better group related options
* Created a dark-mode version of the Create Layouts dashboard

Version 1.6.0
May 3, 2020

v 1.6.0
- Huge performance increase - show up to 10,000 nodes within a few seconds. New performance dashboard to test out massive network diagrams.
- Added new edge types to change the way nodes are linked: Dynamic, Cubic Bezier, Discrete, Continuous, Diagonal Cross, and Straight Cross.
- Added arrows to edges to help show the flow. Show arrows at the start, middle, or end of edges.
- Edges now have a tooltip when you hover over them if you set a linktext value.
- There is a new token for tooltips: $nd_tooltip_token$.
- Fixed bug when default icon was set to a logo icon.
- Minor bug fixes related to grouping.

Version 1.5.0
Feb. 2, 2020

v 1.5.0
- Drill-Down is now supported via the standard Splunk Drill-down menu. This change will enable drill-downs to other dashboards, searches and URLs while also supporting custom tokens.
- There is now a date picker on the Layout Design dashboard to allow you to time limit your searches.
- Both the node label and link text size can be increased - see the new options under General: Node Text Size and Link Text Size
- Fixed bug where Splunk License server icon didn't change color

Version 1.4.0
Sept. 20, 2019

- Splunk icons can now be colored: red, yellow, green, blue. Just set your color field in your search to one of these colors.
- You can also use terms like 'error','bad','severe','high' for Red, 'amber','warning','medium','orange' for yellow, 'ok','good','low' for green, and 'debug','unknown' for blue.

Version 1.3.0
Sept. 14, 2019

v 1.3.0
- Hundreds more icons available - see the Available Icons dashboard for the complete set
- Fixed options menu 'undefined' text that appears on Splunk 7.3

Version 1.2.0
May 5, 2019

v 1.2.0

User requested features:
- Control the width of links using the new linkwidth field in your search (optional)
- Set the color of links using the new linkcolor field in your search (optional)
- Use the link text as a token when you click on it - defaults to: $nd_value_token$
- Ability to disable zoom - new setting in the Options menu

Other updates:
- Set the default node type instead of defining a type in your search - new config in the options menu.
- New icons - a range of new icons for Windows, Linux, Git, Skype, Java, Google Drive and others. See the Available Icons dashboard for the complete set.
- When you click on a link between two nodes, you now get tokens for the From and To nodes, as well as the link text.
- Fixed typos in dashboards and configuration settings

Version 1.1.0
April 22, 2019

v 1.1.0
Save your layout designs. You can now use an in-built dashboard to create specific layouts based on your searches. A new search will be generated for use in your dashboards that preserves the layout you have designed.

See new dashboard: Create Layouts.

Version 1.0.0
March 23, 2019

v 1.0.0
Initial version


