New dashboards for app

Author: dveuve

app/appserver/static/img/slide-splunk-databricks-integration.png

@@ -1,5 +1,8 @@
 <nav search_view="search" color="#1B3139">
+    <view name="databricks-intro" default="true" />
     <view name="configuration"/>
     <view name="databricks_job_execution_details"/>
+    <view name="databricks-sample-dashboard" />
+    <view name="databricks-launch-notebook" />
     <view name="search" label="Search"/>
-</nav>
+</nav>

app/default/data/ui/nav/default.xml

@@ -0,0 +1,32 @@
+<dashboard>
+  <label>Intro</label>
+  <row>
+    <panel>
+      <title>Overview</title>
+      <html>
+        <img style="float: right;" src="/splunkd/__raw/servicesNS/nobody/TA-Databricks/static/appIconAlt_2x.png"></img>
+        <p>The Databricks Add-on for Splunk allows Splunk teams to take advantage of the effective cost model of Databricks along with the power of AI without asking users to leave the comforts of their Splunk interface. 
+        </p>
+        <p>Users can run ad-hoc queries against Databricks from within a Splunk dashboard or search bar with the add-on. Those who have notebooks or jobs in Databricks can launch them through a Splunk dashboard or in response to a Splunk search. The Databricks integration is also bi-directional, letting customers summarize noisy data or run detections in Databricks that show up in Splunk Enterprise Security. Customers can even run Splunk searches from within a Databricks notebook so that they don’t need to duplicate all of their data to get the job done.</p>
+        <p>The Splunk and Databricks integration allows customers to reduce their cost, expand the data sources they analyze, and provide the results of a more robust analytics engine, all without changing the tools used all day by their staff.</p>
+
+      </html>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Integration Points</title>
+      <html>
+        <div>
+          <img style="width: 100%; max-width: 1496px !important;" src="/static/app/TA-Databricks/img/slide-splunk-databricks-integration.png" title="Screenshot of slide showing the integration methods" ></img>
+        </div>
+<p>There are three main integration points, as shown in the slide above:</p>
+        <ol>
+          <li>This app enables running queries from Splunk against Databricks by configuring a personal access token for a service account within Databricks (<a href="databricks-sample-dashboard">example</a>). Additionally, you can launch ephemeral notebook runs or jobs. See the <a href="https://splunkbase.splunk.com/app/5416/#/details" target="_blank">app docs</a> for more detail.</li>
+          <li>You can also configure the Splunk DB Connect app to run searches against Databricks via JDBC. The API used for this add-on is limited to 1000 results when running a simple query, but JDBC can pull back almost infinite amount of data. Additionally, as DB Connect supports multiple profiles, you can configure multiple connections with different levels of access. See our <a href="https://github.com/databrickslabs/splunk-integration/blob/master/docs/markdown/Splunk%20DB%20Connect%20guide%20for%20Databricks.md" target="_blank">integration docs</a> for configuration instructions.</li>
+          <li>You can also send data from Databricks to Splunk via Splunk's HTTP Event Collector. This could be small sets of data, such as security alerts detected via AI on Databricks, or large sets of data such as aggregated or filtered high volume datasets. You can also use the Splunk REST API to run queries against data stored in Splunk from Databricks.</li>
+        </ol>
+      </html>
+    </panel>
+  </row>
+</dashboard>

app/default/data/ui/views/databricks-intro.xml

@@ -0,0 +1,87 @@
+<form script="js/handle_autoforward.js">
+  <label>Launch Notebook - Two Parameters</label>
+  <search id="notebookrun">
+    <query>| databricksrun notebook_path=$notebookname|s$ notebook_params="$param$=$paramvalue|dbquote$||$param2$=$param2value|dbquote$"</query>
+    <earliest>-24h@h</earliest>
+    <latest>now</latest>
+    <sampleRatio>1</sampleRatio>
+    <progress>
+      <unset token="url"></unset>
+      <unset token="failedJob"></unset>
+    </progress>
+    <done>
+      <condition match="'job.resultCount' == 1">
+        <set token="url">$result.result_url$</set>
+      </condition>
+      <condition match="'job.resultCount' == 0">
+        <set token="failedJob">1</set>
+      </condition>
+    </done>
+    <fail>
+      <set token="failedJob">1</set>
+    </fail>
+  </search>
+  <fieldset submitButton="false">
+    <input type="text" token="notebookname">
+      <label>Notebook Name</label>
+    </input>
+    <input type="dropdown" token="autoforward">
+      <label>Auto Forward?</label>
+      <choice value="No">No</choice>
+      <choice value="Yes">Yes</choice>
+      <default>No</default>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <input type="text" token="param">
+        <label>Parameter Name</label>
+      </input>
+      <input type="text" token="paramvalue">
+        <label>Parameter Value</label>
+      </input>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <input type="text" token="param2">
+        <label>Parameter 2 Name</label>
+      </input>
+      <input type="text" token="param2value">
+        <label>Parameter 2 Value</label>
+      </input>
+    </panel>
+  </row>
+  <row depends="$failedJob$">
+    <panel>
+      <title>Job Failed</title>
+      <single>
+        <search base="notebookrun"></search>
+      </single>
+    </panel>
+    <panel>
+      <html>
+        <p>
+        The job failed -- this is usually because the cluster in Databricks is not working, credentials are expired, or other similar issues. Please see the red error icon to the left.
+      </p>
+      <button id="retryButton">Retry</button>
+      </html>
+    </panel>
+  </row>
+  <row depends="$notebookname$,$param$,$paramvalue$" rejects="$url$,$failedJob$">
+    <panel>
+      <title>Processing...</title>
+      <html>
+        <center>Processing</center>
+      </html>
+    </panel>
+  </row>
+  <row depends="$notebookname$,$param$,$paramvalue$,$url$" rejects="$failedJob$">
+    <panel>
+      <title>Click</title>
+      <html>
+        <center>Job running, <a href="$url$">click here</a> to proceed.</center>
+      </html>
+    </panel>
+  </row>
+</form>

app/default/data/ui/views/databricks-launch-notebook-two-params.xml

@@ -0,0 +1,73 @@
+<form script="js/handle_autoforward.js">
+  <label>Launch Notebook</label>
+  <search id="notebookrun">
+    <query>| databricksrun notebook_path=$notebookname|s$ notebook_params="$param$=$paramvalue|dbquote$"</query>
+    <earliest>-24h@h</earliest>
+    <latest>now</latest>
+    <sampleRatio>1</sampleRatio>
+    <progress>
+      <unset token="url"></unset>
+      <unset token="failedJob"></unset>
+    </progress>
+    <done>
+      <condition match="'job.resultCount' == 1">
+        <set token="url">$result.result_url$</set>
+      </condition>
+      <condition match="'job.resultCount' == 0">
+        <set token="failedJob">1</set>
+      </condition>
+    </done>
+    <fail>
+      <set token="failedJob">1</set>
+    </fail>
+  </search>
+  <fieldset submitButton="false">
+    <input type="text" token="notebookname">
+      <label>Notebook Name</label>
+    </input>
+    <input type="text" token="param">
+      <label>Parameter Name</label>
+    </input>
+    <input type="text" token="paramvalue">
+      <label>Parameter Value</label>
+    </input>
+    <input type="dropdown" token="autoforward">
+      <label>Auto Forward?</label>
+      <choice value="No">No</choice>
+      <choice value="Yes">Yes</choice>
+      <default>No</default>
+    </input>
+  </fieldset>
+  <row depends="$failedJob$">
+    <panel>
+      <title>Job Failed</title>
+      <single>
+        <search base="notebookrun"></search>
+      </single>
+    </panel>
+    <panel>
+      <html>
+        <p>
+        The job failed -- this is usually because the cluster in Databricks is not working, credentials are expired, or other similar issues. Please see the red error icon to the left.
+      </p>
+      <button id="retryButton">Retry</button>
+      </html>
+    </panel>
+  </row>
+  <row depends="$notebookname$,$param$,$paramvalue$" rejects="$url$,$failedJob$">
+    <panel>
+      <title>Processing...</title>
+      <html>
+        <center>Processing</center>
+      </html>
+    </panel>
+  </row>
+  <row depends="$notebookname$,$param$,$paramvalue$,$url$" rejects="$failedJob$">
+    <panel>
+      <title>Click</title>
+      <html>
+        <center>Job running, <a href="$url$">click here</a> to proceed.</center>
+      </html>
+    </panel>
+  </row>
+</form>

app/default/data/ui/views/databricks-launch-notebook.xml

@@ -0,0 +1,63 @@
+<dashboard>
+  <label>Sample Dashboard</label>
+  <row>
+    <panel>
+      <title>Overview</title>
+      <html>
+        <p>This dashboard provides an example of using the "databricksquery" custom search command to query your databricks environment. As detailed in the <a href="https://splunkbase.splunk.com/app/5416/#/details" target="_blank">app docs</a>, the databricksquery command is limited to 1000 results. Full results can be pulled into Splunk via JDBC with <a href="https://splunkbase.splunk.com/app/2686/" target="_blank">Splunk DB Connect</a>, see our <a href="https://github.com/databrickslabs/splunk-integration/blob/master/docs/markdown/Splunk%20DB%20Connect%20guide%20for%20Databricks.md" target="_blank">configuration guide</a> for more detail. See <a href="intro">Intro</a> for an overview of the Databricks Add-on for Splunk.</p>
+      </html>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>List of Tables (click to drill in)</title>
+        <search>
+          <query>| databricksquery query="show tables"</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="drilldown">cell</option>
+        <drilldown>
+          <set token="table">$row.tableName$</set>
+        </drilldown>
+      </table>
+    </panel>
+    <panel depends="$table$">
+      <table>
+        <title>List of Fields in $table$ (click to drill in)</title>
+        <search>
+          <query>| databricksquery query="Describe $table$"</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="drilldown">cell</option>
+        <drilldown>
+          <set token="field">$row.col_name$</set>
+        </drilldown>
+      </table>
+    </panel>
+    <panel depends="$field$">
+      <table>
+        <title>Top Values for $field$ in $table$</title>
+        <search>
+          <query>| databricksquery query="select $field$, count(1) from $table$ group by $field$ order by count(1) desc limit 30"</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+      </table>
+    </panel>
+  </row>
+  <row depends="$table$">
+    <panel>
+      <table>
+        <title>First Rows in $table$</title>
+        <search>
+          <query>| databricksquery query="select * from $table$ limit 50"</query>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </search>
+      </table>
+    </panel>
+  </row>
+</dashboard>

app/default/data/ui/views/databricks-sample-dashboard.xml

@@ -0,0 +1,71 @@
+<form script="js/handle_autoforward.js">
+  <label>Launch Notebook</label>
+  <fieldset submitButton="false">
+    <input type="text" token="orig_sid">
+      <label>Adaptive Response Search ID (sid)</label>
+    </input>
+    <input type="text" token="orig_rid">
+      <label>Adaptive Response Result ID (rid)</label>
+    </input>
+    <input type="dropdown" token="autoforward">
+      <label>Auto Forward?</label>
+      <choice value="No">No</choice>
+      <choice value="Yes">Yes</choice>
+      <default>No</default>
+    </input> 
+  </fieldset>
+  <search id="notebookrun">
+          <query>index="cim_modactions" sourcetype="databricks:notebook" sid=$orig_sid$ rid=$orig_rid$ | table *</query>
+          <earliest>-30d@h</earliest>
+          <latest>now</latest>
+          <sampleRatio>1</sampleRatio>
+          <progress>
+            <unset token="url"></unset>
+            <unset token="failedJob"></unset>
+          </progress>
+          <done>
+            <condition match="'job.resultCount' == 1">
+              <set token="url">$result.result_url$</set>  
+            </condition>
+            <condition match="'job.resultCount' == 0">
+            <set token="failedJob">1</set>
+            </condition>
+            
+          </done>
+          <fail>
+            <set token="failedJob">1</set>
+          </fail>
+        </search>
+  <row depends="$failedJob$">
+    <panel>
+      <title>Job Failed</title>
+      <single>
+        <search base="notebookrun">
+          
+        </search>
+      </single>
+    </panel>
+    <panel>
+      <html><p>
+        The job failed -- this is usually because the cluster in Databricks is not working, credentials are expired, or other similar issues. Please see the red error icon to the left.
+      </p>
+      <button id="retryButton">Retry</button></html>
+    </panel>
+  </row>
+  <row depends="$orig_sid$,$orig_rid$" rejects="$url$,$failedJob$">
+    <panel>
+      <title>Processing...</title>
+      <html>
+        <center>Processing</center>
+      </html>
+    </panel>
+  </row>
+  <row depends="$url$" rejects="$failedJob$">
+    <panel>
+      <title>Click</title>
+      <html>
+        <center>Job running, <a href="$url$">click here</a> to proceed.</center>
+      </html>
+    </panel>
+  </row>
+</form>