Versions Compared

Old Version 7

changes.mady.by.user George Vetticaden

Saved on

compared with

New Version 8

changes.mady.by.user George Vetticaden

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Now that we have added the Squid Data Source, we want to visualize the Metron configured to parse, index and persist telemetry events and Nifi pushing data to Metron, lets now visualize this streaming telemetry data in the Metron Dashboard. The below provides instructions. UI. We will be adding 3 new panels to visualize the Squid Events: Histogram Panel, Count Panel and Detail Panel

 

Table of Contents

Step 1: Setup and Pre-requisites

...

3. Clicking on a specific record will show each field available in the data.

Step 6:

...

Adding Squid Event Count Panel to Dashboard

  1. Log into the Metron UI Dashboard: http://METRON_UI_HOST:5000
  2. Select "Visualize" Tab --> Select "Metric" Visualization"= --> Select "From a new search" for Search Source --> Select "squid*" index source –> Click the Save disk icon on the top right
  3. Name the Visualization "Squid Event Count" and click Save
  4. Select "Dashboard" Tab --> Click the plus icon --> Select "Visualization" tab --> Search for "Squid Event Count" --> Select it
  5. The visualization will be added to the bottom of the dashboard
  6. Click the save icon on the top right to save the dashboard.

Step 7: Creating a Histogram Panel

  1. Log into the Metron UI Dashboard: http://METRON_UI_HOST:5000
  2. Select "Visualize" Tab --> Select "Line Chart" Visualization --> Select "From a new search" for Search Source --> Select "squid*" index source 
  3. Configure the Visualization like the following: 
    1. Image Added
  4. Click the Save Icon on the right right corner --> Name the Visualization "Squid Events Histogram" and click Save
  5. Select "Dashboard" Tab --> Click the plus icon --> Select "Visualization" tab --> Search for "Squid Events Histogram" --> Select it
  6. The visualization will be added to the bottom of the dashboard
  7. Click the save icon on the top right to save the dashboard.

Step 8: Adding a Detail Panel

  1. Log into the Metron UI Dashboard: http://METRON_UI_HOST:5000
  2. Select "Discover" Tab --> Select the "squid*" index
  3. Search for only docs in this index with type of squid_doc
    1. Type the following in search "_type:  squid_doc" 
    2. click the search icon
  4. Now we only to select subset of the fields that we want to display in the detail panel. In the left hand panel under "Available Fields", "add" the following fields:
    1. full_hostname
    2. ip_src_addr
    3. ip_dst_addr
    4. original_string
    5. method
    6. type
  5. The discover/search panel should look something like the following:
    1. Image Added
  6. Click the "Save" icon on the top right corner  --> name the search "Squid Event Details" --> Click Save
  7. Select "Dashboard" Tab --> Click the plus icon --> Select "Searches" tab --> Search for "Squid Event Details" --> Select it
  8. The visualization will be added to the bottom of the dashboard
  9. Click the save icon on the top right to save the dashboard.

Step 9: The Dashboard with the 3 Squid Panels

The following is what the new dashboard would look like with the 3 squid panels added.

Image Added

Let's create a basic data table so that a user can inspect record-level details for Squid.  In Kibana, this is done by creating a 'Saved Search'

 

Image Removed

Info

Click on the image above to see each of these steps performed.

 

1. Click on `Discover` and then choose the newly created `squid*` index pattern.

2. In the 'Fields' panel on the left, choose which fields to include in the saved search.  Click the 'Add' button next to each field.

3. Click on the 'Save' icon near the top-right to save the search.

Step 7: Visualize the Squid Data

After using the `Discover` panel to better understand the Squid data, let's create a few visualizations.

Image Removed

Info

Click on the image above to see each of these steps performed.

 

1. Click on 'Visualize' in the top level menu.

2. Choose the 'Vertical bar chart' and when prompted to 'Select a search source' choose 'From a new search'. Choose the `squid*` index pattern.

3. Under 'Select bucket types' click the 'X-Axis' and for the 'Aggregation' type choose 'Terms'.

4. Under 'Field' choose the `domain_without_subdomains` field.

5. Click the 'Play' button to refresh the visualization.

6. Near the top-right side of the screen click on the 'Save' icon to save the visualization. Name it something appropriate. This will allow us to use the visualization in a dashboard later.

Step 7: Customize the Dashboard

Image Removed

Info

Click on the image above to see each of these steps performed.

 

1. Open the Metron Dashboard by clicking on 'Dashboard' in the top-level menu.

2. On the right, click the 'Add' button indicated by a plus sign.

3. Find the visualization that you would like to add.

4. Scroll to the bottom of the dashboard to find the visualization that was added. From here you can resize and move the visualization as needed.

5. Continue enhancing the dashboard by adding the 'Saved Search' that was previously created.

Summary

At this point you should be comfortable customizing a dashboard as you add new sources of telemetry to Metron. This article introduced Metron's default dashboard that is built upon Kibana 4. It covered the elements present in the dashboard and how you can extend the dashboard for your own purposes.