Word Cloud Visualisations for Splunk

Every month I spend some time on Splunkbase checking out what’s on offer. Today I’m going to share with you a super cool gem I found there. This is one of my favorite visualizations and I’ve been using it heaps lately. It’s a word cloud Visualisation and once installed can be selected straight from the available reports list. I can’t take any credit for this, that all goes to Patrick Wied. He has made it available to the Splunk community so go check it out.

Word Cloud Usecases

Word clouds can be used everywhere, here are just a few ideas;

  • IT Service Center – image a big screen showing patterns of incoming issues, major spikes could suggesting outages.
  • Emergency Room – see quickly what your ER dept is being hit with. You could anticipate critical mass before it hits.
  • Police – Are you suddenly seeing a spike of 911 calls in a location or of a certain type.
  • Online Shop – What products are you moving in volume, do you need to increase your inventory
  • Online Shop – What terms are people searching for on your site? What products could promote to match their searches.

The real power of word clouds is the highly visual way in which they display data trends. Most of all Word Clouds are great for non-technical users to quickly see and understand the displayed data.

Use Case

Here is a quick example to show you how easy it is to get this working with your data. As with all my demos I am using publicly available data so you can follow along.

  • Problem

    Display the most common types of emergency 911 calls for the Fire Dept

  • Data Source

    Kaggle – 911 emergency calls

  • Addon

    Wordcloud Custom Visualization

  • Source Type

    911CallLog

  • Query

    Return events where the TitleCategory field is equal to fire
    Count the number of events for each TitleType.

  • Search

    sourcetype=911CallLog title=”Fire*” |eval temp=split(title,”:”) | eval TitleType=mvindex(temp,0)| eval TitleCat=mvindex(temp,1)|stats count by TitleCat

  • Output

    Word Cloud

Installing the App

The installation process is straight forward for this one follow these instructions:

  1. Log in to Splunk Web and navigate to Apps > Click on the Manage Apps link.
  2. Click on the Browse more apps link.
  3. Type in “Word Cloud”.
  4. Find the “Word cloud Visualisation” App listing
  5. Click the Install button.
  6. You may be prompted to log onto Splunk.com. Add your user name and password.
  7. Click the Login and Install button. Splunk will display a message that it is installing the app.
  8. Once installation has finished. Click on the Restart Splunk button.

Wordcloud will now display in your apps list.

The Sample demo shows a bunch of different colour and layout options. Have a look at these and then head over to the search

 

My Data

Here is a quick look at my data, we are interested in the TitleType and the TitleCategory. We want to search for Fire instances and return the type of Incident the the Firies responded to.

Searching the Data

Our search String will look something like this:

sourcetype=911CallLog title="Fire*" |
eval temp=split(title,":") | eval TitleType=mvindex(temp,0)| eval TitleCat=mvindex(temp,1)|
stats count by TitleCat

This search returns the data as a table that looks like this:

 

Make it a Wordcloud

Click on the Visualisation Tab and you will find that WordCloud is now an option in your Visualisation List.

Select It and you will have your visualisation ready to go.

There are a couple of different layout options ;

General

Alignment – This simply changes the way the words display on the wordcloud

horizontal, vertical, both or random

Color

wordcloudcolouroptions

 Use Colors – Color or black and white

Color By – Color Mode or Based on Field

Color mode – this option takes the count of a category and colours your words according to frequency.

Field – this option allows you to colour the word cloud items based on a field value. This is constructed as part of the search using an eval command. (see below for an example)

Color Mode – (Used when color mode is select) – Categorical or Sequential

Number of Bins – (Used when color mode is select) – Choose how many colours you want to use

Min Color – (Used when color mode is select) – Select the colour for the bottom categories

Max Color – (Used when color mode is select) – Select the color for the top categories

Theme -Dark background or white background

Word Cloud Color Based on Field Values

sourcetype=911CallLog | stats count by title | where count>10 |
 eval temp=split(title,":") | eval TitleType=mvindex(temp,0)| eval TitleCat=mvindex(temp,1)|
 eval color=if(TitleType=="Fire","#94101B","#387860") | eval color=if(TitleType=="EMS" ,"#322D4B", color)|
 table TitleCat count color

Here is a quick explanation of the above search:

sourcetype=911CallLog |

This is the base search (we are returning all of the emergency calls – set your time range so its a subset)

stats count by title |

we want to count the instances of the values in the title field

where count>10 |

in out data there are 65 categories we only want to return the high frequency values so we return only events with a count over 10

eval temp=split(title,":") | eval TitleType=mvindex(temp,0)| eval TitleCat=mvindex(temp,1)|

here I have split the Title field into two separate fields as it contains the service and the type eg FIRE:Rescue Elevator. I need to have these are separate field so I can use the Type for my color and the Category in my word cloud.

eval color=if(TitleType=="Fire","#94101B","#387860") | eval color=if(TitleType=="EMS" ,"#322D4B", color)|

This is where I tell it what color to use. I want Fire Types to be red, EMS (Emergency Medical Services) to be purple and Traffic issues to be green.

table TitleCat count color

This displays the three parameters need to make the wordcloud.

Share this Post

 

Leave a Reply

Your email address will not be published. Required fields are marked *