Splunk Enterprise plugin
Monitor any events or metrics from your Splunk Enterprise environment using custom SPL queries.
Note: This plugin is an on-premises plugin.

An on-premises plugin connects a service running in your internal network to SquaredUp. It requires an agent installed on a machine that has access to your internal network.
Note: This plugin is of great use in addition to other plugins. It enables you to get different kinds of data and insights about objects that have been imported by other plugins.
How to add the Splunk Enterprise plugin
Configure and deploy an agent
If you have already created an agent in SquaredUp that you can use for this plugin, you can skip this step and choose the agent group you want to use while adding the plugin.

Create a unique API key for your agent and add the agent to an agent group in SquaredUp.
You create an API key by creating an agent in SquaredUp:
Go to Settings > Relay and add an Agent.
Give the new agent a name and a description that helps you identify where the agent is installed. For example:
Name: server1.domain.local
Description: Test server in production domain
Choose the Agent Group for this agent:
If you already have agent groups, assign it to an existing group and click create.
If you don't have any agent groups yet or want to assign the new agent to a new group, leave the Agent Groups field empty and click create. Then create the agent group by clicking on Add Agent Group and select the new agent in the Agents field for the new group.
After you have created the agent, the API key for this agent will be shown to you. Copy the key and store it until you have inserted it into the configuration of the agent you want to deploy on your machine.
The API key will only be displayed to you once. If you lose this API key, you need to generate a new one (by creating a new agent) and any references to the old API key in the configuration of the agent you deployed on your machine will need to be updated.
- The Agent status will show as gray until the next stage of configuring the service is completed successfully.
Deploy the agent on a machine that has access to the service the plugin connects to.
Download the latest release of the SquaredUp Agent zip file, by clicking the download icon under Options next to the Agent you have just added.
Prerequisites for Agents
The Agent needs to run on a Windows machine that has access to the data source for the on-premises plugin
Make sure the Agent is able to make outbound connections on port 443 (no inbound required) to SquaredUp and Microsoft APIs (Azure Relay).
Optional DNS-based restrictions: *.servicebus.windows.net
On a Windows machine, with access to the data source your plugin needs to use, extract the downloaded zip file.
In the directory of the extracted zip file, open PowerShell as an administrator and run the following command:
./Install-SQUPAgent.ps1 -ApiKey "key" -AsService -ServiceSuffix "name" -ServiceAccount domain\username
Parameters to replace:
-ApiKey "key"
Mandatory. Replace key with the API key you created for the Agent in SquaredUp.
-AsService
Recommended. Run the Agent as a service on the machine.
-ServiceSuffix "name"
Optional. To change the default service name of squpagent, replace name with your new service name.
-ServiceAccount domain\username
Optional. To run the Agent as a domain service account (for example, for the SCOM plugin), provide the username as domain\username and it will prompt for the password when it sets up the service.
Configure a domain service account using the installation script, for example:
./Install-SQUPAgent.ps1 -ApiKey "key" -AsService -ServiceAccount domain\username
where key is the API key, and domain\username is the domain service account.
Alternatively, in Services > SquaredUp Cloud Agent > Properties select the account on the Log On tab.
Use a dedicated account for the agent's service identity: create a separate service account for this purpose and do not use an existing user account.
The account (typically a service account) needs to have the log on as a service permission.
Adjust any permissions for the service and start the service.
How to start the Agent service
You can start the agent service from Services > SquaredUp Cloud Agent, or from PowerShell using either:
Start-Service -Name <ServiceName>
Where <ServiceName> should be replaced with the service name shown in brackets in the upgrade script output (or Properties of the service). For example:
Start-Service -Name squpagent
or
Start-Service -DisplayName <DisplayName>
Where <DisplayName> should be replaced with the service name shown before the brackets in the upgrade script output (or Properties of the service).
How to find the Agent folder location or Service name in Properties
Look at the Properties of the SquaredUp Cloud Agent service:
On the server running the Agent, open Services
Scroll down to the SquaredUp Cloud Agent in the list
Right-click on the SquaredUp Cloud Agent service and then select Properties
Here you can see the Service name, Display name and Path to the Agent folder.
You can also start or stop the service from here.
- Check the Agent status in SquaredUp Settings > Relay
Running the Agent as a domain service account
By default, the SquaredUp agent service uses the local system identity, but this can be changed to a domain service account if required, for example for the SCOM plugin.
Add the Splunk Enterprise plugin in SquaredUp
In SquaredUp browse to Settings > Plugins > Add plugin and search for the plugin.
Display Name:
Enter a name for your plugin. This helps you to identify this plugin in the list of your plugins.
Splunk Enterprise URL:
Enter the URL for your Splunk Enterprise server.
To access your Splunk instance you need to enter either a token or your Splunk user name and password.
If you use a token:
Create a token in your Splunk instance and paste it in here.
If you use your Splunk user name and password:
Enter the user name and password you use to log in to your Splunk instance.
Ignore Certificate errors:
If you activate this checkbox the plugin will ignore certificate errors when accessing the Splunk Enterprise server.
Agent Group:
Select the Agent Group that contains the agent(s) you want to use.
Leave the checkbox for Automatically create a workspace ticked; this will create a new workspace for this plugin containing out of the box dashboards and scopes.
Optionally, select whether you would like to restrict access to this plugin instance. By default, restricted access is set to off.
Restrict access to this workspace?
The term plugin here really means plugin instance. For example, a user may configure two instances of the AWS plugin, one for their development environment and one for production. In that case, each plugin instance has its own access control settings.
By default, Restrict access to this plugin? is set to off. The plugin can be viewed, edited and administered by anyone. If you would like to control who has access to this plugin, switch Restrict access to this plugin? to on.
Use the Restrict access to this plugin? dropdown to control who has access to the workspace:
By default, the user setting the permissions for the plugin will be given Full Control and the Everyone group will be given Link to workspace permissions.
Tailor access to the plugin, as required, by selecting individual users or user groups from the dropdown and giving them Link to workspace or Full Control permissions.
If the user is not available from the dropdown, you are able to invite them to the plugin by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp Cloud. Once the account has been created, they will gain access to the tenant.
At least one user or group must be given Full Control.
Admin users can edit the configuration, modify the Access Control List (ACL) and delete the plugin, regardless of the ACL chosen.
Plugin access levels
Access Level:
Link to workspace
- User can link the plugin to any workspace they have at least Editor permissions for.
- Data from the plugin can then be viewed by anyone with any access to the workspace.
- User can share the plugin data with anyone they want.
- User cannot configure the plugin in any way, or delete it.
Full Control
- User can change the plugin configuration, ACL, and delete the plugin.
See Access control for more information.
Click Save.
The plugin is now added. To be able to use it, you need to create a custom Data Stream for this plugin.
Using the Splunk plugin
Data Streams

A data stream brings you data to answer a specific question like "What's the health state of the objects?", "What kind of alerts are coming from this plugin for my servers?", "What's the average memory usage of this app?"
The magic of data streams is that they standardize data from all the different shapes and formats your tools use into a straightforward tabular format. While creating a tile you can tweak data streams by grouping or aggregating specific columns. Depending on the kind of data, SquaredUp will automatically suggest how to visualize the result, for example as a table or line graph.
There are two types of data streams available for this plugin
Data streams installed with the plugin
Configurable data streams, see Using Configurable data streams with the Splunk plugin
Custom data streams, see How to create custom data streams for Splunk
Using Configurable data streams with the Splunk plugin

A configurable data stream allows you to easily create new data streams specific to your needs, by entering information into a form, such as metric names or queries. Configurable data streams have a + before the name, and once new data streams have been created they show in the normal list of data streams.
Any data streams you create can be edited from Settings > Data Streams.
Query (Scoped)
This data stream calls an API endpoint to query your Splunk instance, and allows you to enter a custom query.
Scope to a node from any plugin (if you wish to do an unscoped-type query, you can scope to the organization node)
Select + Query (Scoped) from the data stream list
Enter a Display Name for the new data stream
Enter a Query

A mustache parameter is a dynamic value; the actual value will be inserted from the properties of the object(s) in scope.
This data stream supplies scoped objects individually for mustache parameters. When there are multiple objects in scope this plugin will send the query multiple times, once for each object. The results are then displayed together, for example in a single table.
You can use properties of objects and write them in between curly braces, e.g. {{name}}, to use them as mustache parameters. Whenever you use mustache parameters, you need to use a scope of objects that contain the property you're referencing.
For example, if objects of type "host" have a property called name, you can use {{name}}. This will resolve {{name}} to the value of the name property of the different "host" objects used in the scope.
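The per-object expansion described above, as an added Python example (not SquaredUp's code): it renders the query from Example 1 on this page once for each object in scope and merges the rows. The object shape, the `run_query` callable and the rule of rejecting property values that contain quote or backslash characters are assumptions of this example; the page does not describe how the plugin treats such values.

```python
import re

# Matches {{property}} placeholders as written in the page's queries.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\}\}")

# Characters that would end or alter a double-quoted SPL string such as
# host = "{{name}}". Rejecting them is this example's own policy (assumption).
UNSAFE_CHARS = ('"', "\\", "\n", "\r")

# Query taken from Example 1 on this page.
TEMPLATE = ('search source="WinEventLog:Application" '
            '| where host = "{{name}}" | fields host,Message')

# Constructed scope: two usable hosts, one without the referenced property,
# one with a malformed name.
SCOPE = [
    {"id": "node-1", "type": "host", "name": "web01.domain.local"},
    {"id": "node-2", "type": "host", "name": "db01.domain.local"},
    {"id": "node-3", "type": "host"},
    {"id": "node-4", "type": "host", "name": 'bad"name'},
]


class ScopeError(ValueError):
    """Raised when an object cannot be substituted into the query."""


def render_query(template, obj):
    """Substitute one object's properties into the query template."""
    def substitute(match):
        prop = match.group(1)
        if prop not in obj:
            raise ScopeError("missing property %r" % prop)
        value = str(obj[prop])
        if any(ch in value for ch in UNSAFE_CHARS):
            raise ScopeError("property %r would break the quoted value" % prop)
        return value
    return PLACEHOLDER.sub(substitute, template)


def expand_for_scope(template, scope):
    """One rendered query per object; objects that cannot be rendered are listed separately."""
    queries, rejected = [], []
    for obj in scope:
        try:
            queries.append((obj["id"], render_query(template, obj)))
        except ScopeError as err:
            rejected.append((obj["id"], str(err)))
    return queries, rejected


def run_scoped(template, scope, run_query):
    """Send the query once per object and return all rows together."""
    queries, rejected = expand_for_scope(template, scope)
    rows = []
    for object_id, query in queries:
        for row in run_query(query):
            rows.append({"object": object_id, **row})
    return rows, rejected


def fake_run_query(query):
    """Stand-in for the Splunk call; returns one constructed row per query."""
    host = re.search(r'host = "([^"]*)"', query).group(1)
    return [{"host": host, "Message": "constructed event for " + host}]


if __name__ == "__main__":
    rows, rejected = run_scoped(TEMPLATE, SCOPE, fake_run_query)
    for row in rows:
        print(row)
    for object_id, reason in rejected:
        print("skipped", object_id, "-", reason)
```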
How to create custom data streams for Splunk
Go to Settings > Data Streams.
Click Add new Data Stream.
Enter a display name for your Data Stream.
Note: The display name is the name that you use to identify your Data Stream in SquaredUp. It has no technical impact and doesn't need to be referenced in the Data Stream's code.
Choose the plugin this Data Stream is for.
After you've chosen the plugin a new field Data Source appears.
Data source and code:
To find out which data source to select and get code examples for the Code field, see the help below.
Click Save to save your Data Stream.
Example 1: Get Windows Event Log Entries for Given Hosts
Note: This Data Stream uses Host objects which need to come from a different plugin (for example, from the VMware vCenter plugin), and performs a query to get Windows application log event messages.
Which data source do I have to select from the dropdown?
Splunk Enterprise Query (Scoped)
Code example:
{
  "name": "SplunkAppEventsForHost",
  "dataSourceConfig": {
    "query": "search source=\"WinEventLog:Application\" | where host = \"{{name}}\" | fields host,Message"
  },
  "matches": {
    "type": {
      "type": "equals",
      "value": "host"
    }
  },
  "rowPath": [],
  "metadata": [
    { "name": "_indextime", "displayName": "Timestamp", "shape": "date", "role": "timestamp" },
    { "name": "host", "displayName": "Host", "shape": "string" },
    { "name": "Message", "displayName": "Message", "shape": "string", "role": "value" }
  ]
}

name
Mandatory
The internal name of the data stream. Can be used to refer to this data stream in a tile's JSON instead of using the data stream's internal ID.
dataSourceConfig
Parameters
query | Mandatory | You can use mustache parameters in the query. A mustache parameter is a dynamic value; the actual value will be inserted from the properties of the object(s) in scope. This data stream supplies scoped objects individually for mustache parameters. When there are multiple objects in scope this plugin will send the query multiple times, once for each object. The results are then displayed together, for example in a single table. You can use properties of objects and write them in between curly braces, e.g. {{name}}, to use them as mustache parameters. Whenever you use mustache parameters, you need to use a scope of objects that contain the property you're referencing. For example, if objects of type "host" have a property called name, you can use {{name}}. This will resolve {{name}} to the value of the name property of the different "host" objects used in the scope. |
ignoreTimeFrame | Optional | You can add the The dashboard timeframe is the current timeframe setting for a dashboard. Users can change the dashboard timeframe to see data for a different time span, for example, instead of showing data from "the last 12 hours" it can be changed to show data from "the last 7 days". Tiles can be configured to:
Tip: Indicate with the name of a tile if the tile's timeframe can be changed. For example, naming a tile "Performance during the last week" tells users that this tile always shows data for the last week. Naming a tile just "Performance" indicates to users that changing the dashboard timeframe will change the data. |
matches
Parameters
Note: Defining the matches parameter is mandatory.
With the matches parameter you define for which objects the data stream will be shown in the UI. It works like this:
When you configure a tile, you have to choose its scope. If this scope contains objects you specified here in the matches parameter, the data stream will be shown in the UI under Data Streams. If the scope doesn't contain objects specified here, the data stream will be hidden.
This keeps the UI clean and simple since you'll only see the data stream when it's relevant for the scope you chose. As a best practice you should limit the data stream to objects that make sense for the specific use case of this data stream.
Format for matches:
// If you want to specify only one value of an object property //
"matches": {
  "ObjectProperty": {
    "type": "equals",
    "value": "ValueOfTheObjectProperty"
  }
},
// If you want to specify multiple values for an object property //
"matches": {
  "ObjectProperty": {
    "type": "oneOf",
    "values": ["ValueOfTheObjectProperty1", "ValueOfTheObjectProperty2", "ValueOfTheObjectProperty3"]
  }
},
Example for limiting a data stream to objects:
If you are using multiple values for the object property, you can decide if you want the data stream to be visible for objects that match all of the criteria or at least one of the criteria.
Let's say you have two values you want objects to have in order for the data stream to be visible for them:
a sourceName property with the value AppDynamics (meaning objects that come from the AppDynamics plugin)
a type property with the value app (meaning application objects)
If you want the data stream to be visible only for objects that match both of the criteria, your code would look like this:
"matches": {
  "sourceName": {
    "type": "equals",
    "value": "AppDynamics"
  },
  "type": {
    "type": "equals",
    "value": "app"
  }
},
If you want the data stream to be visible for objects that match at least one of the criteria, your code would look like this:
"matches": [
  {
    "sourceName": {
      "type": "equals",
      "value": "AppDynamics"
    }
  },
  {
    "type": {
      "type": "equals",
      "value": "app"
    }
  }
]
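The two forms above differ only in how the criteria are combined, which is easy to get wrong when a stream shows up for more objects than intended. The following added Python example (not SquaredUp's code) evaluates a matches value against constructed objects: the object form requires every property to match, the array form requires at least one entry to match, and the string values "none" and "all" follow the rules this page lists for global data sources. Treating a stream as visible when any object in the scope matches is this example's reading of the page.

```python
def condition_holds(condition, value):
    """Evaluate one property condition: 'equals' or 'oneOf'."""
    kind = condition.get("type")
    if kind == "equals":
        return value == condition["value"]
    if kind == "oneOf":
        return value in condition["values"]
    raise ValueError("unsupported condition type: %r" % kind)


def criteria_match(criteria, obj):
    """Object form: every listed property must satisfy its condition (AND)."""
    return all(
        prop in obj and condition_holds(cond, obj[prop])
        for prop, cond in criteria.items()
    )


def object_matches(matches, obj):
    """Object form is AND across properties; array form is OR across entries."""
    if isinstance(matches, dict):
        return criteria_match(matches, obj)
    if isinstance(matches, list):
        return any(criteria_match(entry, obj) for entry in matches)
    raise ValueError("matches must be an object or an array")


def stream_visible(matches, scope):
    """scope is None when no scope is selected, otherwise a list of objects."""
    if matches == "none":
        return scope is None
    if matches == "all":
        return scope is not None
    if scope is None:
        return False
    return any(object_matches(matches, obj) for obj in scope)


# The two matches values from the page.
MATCH_BOTH = {
    "sourceName": {"type": "equals", "value": "AppDynamics"},
    "type": {"type": "equals", "value": "app"},
}
MATCH_EITHER = [
    {"sourceName": {"type": "equals", "value": "AppDynamics"}},
    {"type": {"type": "equals", "value": "app"}},
]

# Constructed objects for illustration.
APPD_APP = {"sourceName": "AppDynamics", "type": "app"}
APPD_TIER = {"sourceName": "AppDynamics", "type": "tier"}
VM_HOST = {"sourceName": "VMware vCenter", "type": "host"}

if __name__ == "__main__":
    for obj in (APPD_APP, APPD_TIER, VM_HOST):
        print(obj, "both:", object_matches(MATCH_BOTH, obj),
              "either:", object_matches(MATCH_EITHER, obj))
```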
Note: If you run into errors when configuring the matches parameter, check if you're dealing with a global data source.

Global data sources can't use specific objects in the matches parameter. You can identify global data sources by their name; they have "Global" or "No Scope" added to their name.
There are two possible options for the matches parameter for global data sources:
"matches": "none", | When creating a tile, the Data Stream will be shown as long as no scope is selected. As soon as a scope is selected, the Data Stream will be hidden. |
"matches": "all", | When creating a tile, the Data Stream will be shown as soon as any scope is selected. |
metadata
Parameter
Optional, but recommended
The metadata parameters are used to describe columns in order to tell SquaredUp what to do with them. You can do multiple things with the metadata parameters:
Specify how SquaredUp should interpret the columns you return and - to an extent - how their content is displayed. You do this by giving each column a shape.
The shape you assign to a column tells SquaredUp what the column contains (for example, a number, a date, a currency, a URL, etc.). Based on the shape SquaredUp decides how to display this column, for example to display a URL as a clickable link.
Filter out or just hide columns.
Only the columns you define in metadata will be returned in the results. This helps you to filter out columns you don't need. If you need the content of a column but don't want to display it, you can use the visible parameter.
Give columns a nicely readable display name.
Assign a specific role to columns.
The role you assign to a column tells SquaredUp the purpose of the column. For example, if you have two different columns that contain numbers, you need to assign the role value to the column that contains the actual value you want to use in your visualization.
Note: If you don't specify any metadata, all columns will be returned and SquaredUp will do its best to determine which columns should be used for which purpose. If you're returning pretty simple data, for example just a string and a number, this can work fine. But if you're returning two columns with numbers it gets trickier for SquaredUp to figure out which one is the value and which one is just an ID or some other number.
Parameters:
Tip: Before you start specifying metadata, leave them empty at first and get all the raw data with your new data stream once. In order to do this, finish creating your custom data stream without metadata and create a tile with this data stream. The Table visualization will show you all raw data.
This will give you an overview of all columns and their content and help you decide which columns you need and what their shapes and roles should be. It's also essential for getting the correct column name to reference in the name parameter.
Use this information to go back to the data stream configuration and specify the metadata.
name | Mandatory | Enter the name of the column you are referencing here. To find the name of a column, get the data from this data stream once without any metadata. See the tip above for how to do that. You'll see the column name when you hover over the column in the Table. |
displayName | Optional | Here you can give the column a user-friendly name for the UI |
shape | Recommended | The shape you assign to a column tells SquaredUp what the column contains (for example, a number, a date, a currency, a URL, etc.). Based on the shape SquaredUp decides how to display this column, for example to display a URL as a clickable link. Note: Please refer to the list of shapes below this table to see available shapes. |
role | Recommended | The role you assign to a column tells SquaredUp the purpose of the column. For example, if you have two different columns that contain numbers, you need to assign the role value to the column that contains the actual value you want to use in your visualization. Note: Please refer to the list of roles below this table to see available roles. |
visible | Optional | Use this if you need a column's content but don't need to display the column itself. Example: Column A contains the full link to a ticket in your ticket system. Column B contains the ticket ID. You want to use the ticket ID as a label for the link, turning the long URL into a much nicer to read "Ticket 123". This is why you need the content of column B, to assign it as a label for column A. But since the URL is now displayed as the ticket ID, it would be redundant to still display column B. This is why you hide column B with |

There are many different shapes you can use for your columns and the list of possible shapes gets expanded constantly:
Basic types, like: boolean, date, number, string
Currency types that get displayed with two decimal values and their currency symbol (for example $23,45), like: currency (generic currency), eur, gbp, usd
Data types, like: bytes, kilobytes, megabytes
Time types, like: seconds, milliseconds, timespan
The status type: state
Utility types, like: customUnit, url (will be displayed as a link)
Tip:
Some shapes can be configured.
If a shape is configurable, you can edit how the shape displays data in the UI.

label | A column containing user-friendly names. Line Graphs use this role to group data into series, so each label will get its own line in the Line Graph. |
link | A column containing a link that can be used as a drilldown in Status Blocks. |
timestamp | A column containing a date to use on the X-axis of a Line Graph. |
unitLabel | A column containing user-friendly labels for data series, e.g. ‘Duration’. Line Graphs can use this role to label the Y-axis. |
value | A column containing the numeric value you want to use in your visualization. |
Example 2: Get Results for Saved Report
Note: This Data Stream uses the Splunk Enterprise organization object and doesn't rely on objects coming from other plugins.
Which data source do I have to select from the dropdown?
Splunk Enterprise Query (Scoped)
Code example:
{
  "name": "SplunkRunMySavedReport",
  "dataSourceConfig": {
    "query": "| savedsearch mySavedReport | fields host,Message"
  },
  "matches": {
    "sourceType": { "type": "equals", "value": "Splunk Enterprise Organization" }
  },
  "rowPath": [],
  "metadata": [
    { "name": "_indextime", "displayName": "Timestamp", "shape": "date", "role": "timestamp" },
    { "name": "host", "displayName": "Host", "shape": "string" },
    { "name": "Message", "displayName": "Message", "shape": "string", "role": "value" }
  ]
}

Example 3: Get Time-Series Data for Metric
Note: This Data Stream uses the Splunk Enterprise organization object and doesn't rely on objects coming from other plugins.
Which data source do I have to select from the dropdown?
Splunk Enterprise Query (Scoped)
Code example:
{
    "name": "SplunkMpoolUsedMetric",
    "dataSourceConfig": {
        "query": "| mstats avg(\"spl.mlog.mpool.used\") WHERE \"index\"=\"_metrics\" span=60s chart=true"
    },
    "matches": {
        "sourceType": { "type": "equals", "value": "Splunk Enterprise Organization" }
    },
    "rowPath": [],
    "metadata": [
        { "name": "_time", "displayName": "Timestamp", "shape": "date", "role": "timestamp" },
        { "name": "avg(spl.mlog.mpool.used)", "displayName": "Value", "shape": "number", "role": "value" }
    ]
}

name
Mandatory
The internal name of the data stream. Can be used to refer to this data stream in a tile's JSON instead of using the data stream's internal ID.
dataSourceConfig
Parameters
query | Mandatory | You can use mustache parameters in the query. A mustache parameter is a dynamic value, the actual value will be inserted from the properties of the object(s) in scope. This data stream supplies scoped objects individually for mustache parameters. When there are multiple objects in scope this plugin will send the query multiple times, once for each object. The results are then displayed together, for example in a single table. You can use properties of objects and write them in between curly braces e.g For example, if objects of type "host" have a property called |
ignoreTimeFrame | Optional | You can add the The dashboard timeframe is the current timeframe setting for a dashboard. Users can change the dashboard timeframe to see data for a different time span, for example, instead of showing data from "the last 12 hours" it can be changed to show data from "the last 7 days". Tiles can be configured to:
Tip: Indicate with the name of a tile if the tile's timeframe can be changed. For example, naming a tile "Performance during the last week" tells users that this tile always shows data for the last week. Naming a tile just "Performance" indicates to users that changing the dashboard timeframe will change the data. |
matches
Parameters
Note: Defining the matches parameter is mandatory.
With the matches parameter you define for which objects the data stream will be shown in the UI. It works like this:
When you configure a tile, you have to choose its scope. If this scope contains objects you specified here in the matches parameter, the data stream will be shown in the UI under Data Streams. If the scope doesn't contain objects specified here, the data stream will be hidden.
This keeps the UI clean and simple since you'll only see the data stream when it's relevant for the scope you chose. As a best practice you should limit the data stream to objects that make sense for the specific use case of this data stream.
Format for matches:
//If you want to specify only one value of an object property//
"matches": {
    "ObjectProperty": {
        "type": "equals",
        "value": "ValueOfTheObjectProperty"
    }
},
//If you want to specify multiple values for an object property//
"matches": {
    "ObjectProperty": {
        "type": "oneOf",
        "values": ["ValueOfTheObjectProperty1", "ValueOfTheObjectProperty2", "ValueOfTheObjectProperty3"]
    }
},
Example for limiting a data stream to objects:
If you are using multiple values for the object property, you can decide if you want the data stream to be visible for objects that match all of the criteria or at least one of the criteria.
Let's say you have two values you want objects to have in order for the data stream to be visible for them:
- a SourceName property with the value AppDynamics (meaning objects that come from the AppDynamics plugin)
- a type property with the value app (meaning application objects)
If you want the data stream to be visible only for objects that match both of the criteria, your code would look like this:
"matches": {
    "sourceName": {
        "type": "equals",
        "value": "AppDynamics"
    },
    "type": {
        "type": "equals",
        "value": "app"
    }
},
If you want the data stream to be visible for objects that match at least one of the criteria, your code would look like this:
"matches": [
    {
        "sourceName": {
            "type": "equals",
            "value": "AppDynamics"
        }
    },
    {
        "type": {
            "type": "equals",
            "value": "app"
        }
    }
]
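The difference between the object form (all criteria) and the array form (at least one), together with the "none" and "all" strings that this page lists for global data sources, written out as an added Python sketch. This is an illustration of the behaviour the page describes, not SquaredUp's own code; the function names and the sample objects (including the made-up source OtherPlugin) are assumptions.

```python
# Added illustration of the matches semantics described on this page; not SquaredUp code.

def _criterion_ok(obj, prop, rule):
    """Check one property rule ("equals" or "oneOf") against one object."""
    actual = obj.get(prop)
    if rule["type"] == "equals":
        return actual == rule["value"]
    if rule["type"] == "oneOf":
        return actual in rule["values"]
    raise ValueError(f"unsupported match type: {rule['type']!r}")


def _object_matches(obj, matches):
    """Object form: every criterion must hold. Array form: at least one entry."""
    if isinstance(matches, list):
        return any(_object_matches(obj, entry) for entry in matches)
    return all(_criterion_ok(obj, prop, rule) for prop, rule in matches.items())


def stream_visible(matches, scope):
    """Return True if the data stream would be listed for the given tile scope.

    scope is a list of object property dicts; an empty list means no scope.
    """
    if matches == "none":   # global data source: shown only without a scope
        return not scope
    if matches == "all":    # global data source: shown once any scope is selected
        return bool(scope)
    return any(_object_matches(obj, matches) for obj in scope)


# Constructed sample objects (property names follow the page's examples).
APPD_APP = {"sourceName": "AppDynamics", "type": "app"}
APPD_HOST = {"sourceName": "AppDynamics", "type": "host"}
OTHER_APP = {"sourceName": "OtherPlugin", "type": "app"}

BOTH = {"sourceName": {"type": "equals", "value": "AppDynamics"},
        "type": {"type": "equals", "value": "app"}}
EITHER = [{"sourceName": {"type": "equals", "value": "AppDynamics"}},
          {"type": {"type": "equals", "value": "app"}}]
```

With these samples, a scope holding only APPD_HOST and OTHER_APP hides the BOTH stream but shows the EITHER stream, because each object satisfies only one of the two criteria.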
Note: If you run into errors when configuring the matches parameter, check if you're dealing with a global data source.

Global data sources can't use specific objects in the matches parameter. You can identify global data sources by their name, they have "Global" or "No Scope" added to their name.
There are two possible options for the matches parameter for global data sources:
"matches": "none", | When creating a tile, the Data Stream will be shown as long as no scope is selected. As soon as a scope is selected, the Data Stream will be hidden. |
"matches": "all", | When creating a tile, the Data Stream will be shown as soon as any scope is selected. |
metadata
Parameter
Optional, but recommended
The metadata parameters are used to describe columns in order to tell SquaredUp what to do with them. You can do multiple things with the metadata parameters:
- Specify how SquaredUp should interpret the columns you return and, to an extent, how their content is displayed. You do this by giving each column a shape. The shape you assign to a column tells SquaredUp what the column contains (for example, a number, a date, a currency, a URL, etc.). Based on the shape SquaredUp decides how to display this column, for example to display a URL as a clickable link.
- Filter out or just hide columns. Only the columns you define in metadata will be returned in the results. This helps you to filter out columns you don't need. If you need the content of a column but don't want to display it, you can use the visible parameter.
- Give columns a nicely readable display name.
- Assign a specific role to columns. The role you assign to a column tells SquaredUp the purpose of the column. For example, if you have two different columns that contain numbers, you need to assign the role value to the column that contains the actual value you want to use in your visualization.
Note: If you don't specify any metadata, all columns will be returned and SquaredUp will do its best to determine which columns should be used for which purpose. If you're returning pretty simple data, for example just a string and a number, this can work fine. But if you're returning two columns with numbers it gets trickier for SquaredUp to figure out which one is the value and which one is just an ID or some other number.
Parameters:
Tip: Before you start specifying metadata, leave them empty at first and get all the raw data with your new data stream once. In order to do this, finish creating your custom data stream without metadata and create a tile with this data stream. The Table visualization will show you all raw data.
This will give you an overview of all columns and their content and help you decide which columns you need and what their shapes and roles should be. It's also essential for getting the correct column name to reference in the name parameter.
Use this information to go back to the data stream configuration and specify the metadata.
name | Mandatory | Enter the name of the column you are referencing here. To find the name of a column, get the data from this data stream once without any metadata. See the tip above for how to do that. You'll see the column name when you hover over the column in the Table. |
displayName | Optional | Here you can give the column a user-friendly name for the UI |
shape | Recommended | The shape you assign to a column tells SquaredUp what the column contains (for example, a number, a date, a currency, a URL, etc.). Based on the shape SquaredUp decides how to display this column, for example to display a URL as a clickable link. Note: Please refer to the list of shapes below this table to see available shapes. |
role | Recommended | The role you assign to a column tells SquaredUp the purpose of the column. For example, if you have two different columns that contain numbers, you need to assign the role value to the column that contains the actual value you want to use in your visualization. Note: Please refer to the list of roles below this table to see available roles. |
visible | Optional | Use this if you need a column's content but don't need to display the column itself. Example: Column A contains the full link to a ticket in your ticket system. Column B contains the ticket ID. You want to use the ticket ID as a label for the link, turning the long URL into a much nicer to read "Ticket 123". This is why you need the content of column B, to assign it as a label for column A. But since the URL is now displayed as the ticket ID, it would be redundant to still display column B. This is why you hide column B with |

There are many different shapes you can use for your columns and the list of possible shapes gets expanded constantly:
- Basic types, like: boolean, date, number, string
- Currency types that get displayed with two decimal values and their currency symbol (for example $23,45), like: currency (generic currency), eur, gbp, usd
- Data types, like: bytes, kilobytes, megabytes
- Time types, like: seconds, milliseconds, timespan
- The status type: state
- Utility types, like: customUnit, url (will be displayed as a link)
Tip:
Some shapes can be configured.
If a shape is configurable, you can edit how the shape displays data in the UI.

label | A column containing user-friendly names. Line Graphs use this role to group data into series, so each label will get its own line in the Line Graph. |
link | A column containing a link that can be used as a drilldown in Status Blocks. |
timestamp | A column containing a date to use on the X-axis of a Line Graph. |
unitLabel | A column containing user-friendly labels for data series, e.g. ‘Duration’. Line Graphs can use this role to label the Y-axis. |
value | A column containing the numeric value you want to use in your visualization. |
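A pre-flight check for a data stream definition, as an added Python example that is not part of the SquaredUp documentation or product. It applies the rules stated on this page (mandatory name, query and matches; shapes and roles from the lists above; the ambiguity of several number columns without a value role); the function name lint_data_stream and the broken sample are assumptions.

```python
import json

# Shapes and roles as listed on this page; the page says the shape list keeps growing.
SHAPES = {"boolean", "date", "number", "string", "currency", "eur", "gbp", "usd",
          "bytes", "kilobytes", "megabytes", "seconds", "milliseconds", "timespan",
          "state", "customUnit", "url"}
ROLES = {"label", "link", "timestamp", "unitLabel", "value"}


def lint_data_stream(text):
    """Return a list of findings for a data stream definition given as JSON text."""
    stream = json.loads(text)
    findings = []
    if not stream.get("name"):
        findings.append("name is mandatory")
    if not stream.get("dataSourceConfig", {}).get("query"):
        findings.append("dataSourceConfig.query is mandatory")
    if "matches" not in stream:
        findings.append("matches is mandatory")
    columns = stream.get("metadata", [])
    for col in columns:
        col_name = col.get("name")
        if not col_name:
            findings.append("metadata entry without the mandatory name")
        if "shape" in col and col["shape"] not in SHAPES:
            findings.append(f"{col_name}: unknown shape {col['shape']!r}")
        if "role" in col and col["role"] not in ROLES:
            findings.append(f"{col_name}: unknown role {col['role']!r}")
    numbers = [c for c in columns if c.get("shape") == "number"]
    if len(numbers) > 1 and not any(c.get("role") == "value" for c in columns):
        findings.append("several number columns but none has the role value")
    return findings


# Example 3 from this page, unchanged.
EXAMPLE_3 = r'''{
  "name": "SplunkMpoolUsedMetric",
  "dataSourceConfig": {"query": "| mstats avg(\"spl.mlog.mpool.used\") WHERE \"index\"=\"_metrics\" span=60s chart=true"},
  "matches": {"sourceType": {"type": "equals", "value": "Splunk Enterprise Organization"}},
  "rowPath": [],
  "metadata": [
    {"name": "_time", "displayName": "Timestamp", "shape": "date", "role": "timestamp"},
    {"name": "avg(spl.mlog.mpool.used)", "displayName": "Value", "shape": "number", "role": "value"}
  ]
}'''
# Constructed broken variant: no matches, an unlisted shape, two unlabelled number columns.
BROKEN = json.dumps({"name": "Demo", "dataSourceConfig": {"query": "index=_internal | stats count"},
                     "metadata": [{"name": "id", "shape": "number"}, {"name": "count", "shape": "number"},
                                  {"name": "when", "shape": "datetime"}]})
```

A shape finding only means the value is not in the list printed on this page, which may lag behind the product.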