Make Your Splunk Dashboards Smile! 😀

Recently a customer was reviewing asset information in Aura Asset Intelligence, our premium application for Splunk, and some interesting data showed up. Users had mobile devices with emojis in their device names.


It was a bit surprising at first as it’s not what you would normally expect in a corporate IT environment, but after thinking about it, it’s perfectly normal to see – especially with companies fully adopting BYOD programs these days.

If you weren’t already aware, Splunk can handle different character sets. You can work with non-ASCII characters, including emojis, in many ways: indexing data, searches, alerts, and dashboards. Once you get into the world of non-ASCII, you are dealing with Unicode. Unicode is a complex topic, with many different concepts and terms to keep straight. But that’s not really the point of this blog 😉. For more information on Unicode you can start here.

It certainly gets you thinking 🤔: where could emojis be used in Splunk to inject a bit of fun? Why not give your searches and Splunk dashboards a little ❤️?

To start, you can use them in searches:

index=main sourcetype=access_combined | eval alt_status = if(status==200,"👍","👎") | stats count by alt_status


You can use them in dashboards:

Response Time single-value panel:
index=main sourcetype=access_combined | stats avg(response) as avg_response | eval avg_response=round(avg_response,1) | eval avg_response = avg_response." ".if(avg_response < 30," 👍  "," 👎 ")

Errors single-value panel:
index=main sourcetype=access_combined | stats count(eval(status >= 500)) as errors count as total | eval error_rate=round((errors/total)*100,1) | eval alt_status = if(error_rate >= 3, "😕","😄")| fields alt_status

Status Codes table panel:
index=main sourcetype=access_combined | stats count by status | eval alt_status = case(status >= 500, "😠",status >=400, "😕", status >= 200, "😄", 1==1,"❓")


Or even use them in alerts (results will vary depending on whether the target of the alert can handle Unicode). Here’s an email example with the results embedded inline:


Maybe you can live on the wild side and even ask your developers to start using emojis in their logs…


OK, that’s fun and all, but is there a practical use for emojis in Splunk? Sure! Why not give your dashboards some more visual eye candy when it comes to location data? You can easily create a lookup that maps each country name to its emoji flag.

Top Country single-value panel:
index=main sourcetype="access_combined" | top limit=1 clientip | iplocation clientip | eval Country = if(Country=="", "Unknown", Country) | lookup emoji_flags name as Country OUTPUT emoji | fillnull value="❓" emoji | eval top_country= Country." ".emoji | fields top_country

Requests By Country table panel:
index=main sourcetype="access_combined" | stats count by clientip | iplocation clientip | eval Country = if(Country=="", "Unknown", Country) | stats sum(count) as total by Country | lookup emoji_flags name as Country OUTPUT emoji | fillnull value="❓" emoji | sort - total

You can download the flag to emoji lookup CSV here to use in your own searches.
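If you would rather generate the lookup yourself, the sketch below is an added example (not the CSV or code published with this post). It builds a file with the `name` and `emoji` columns the searches above expect, deriving each flag from the country's ISO 3166-1 alpha-2 code via Unicode regional indicator symbols. The country list is a constructed sample and the function names are hypothetical; names must match the `Country` values that `iplocation` returns.

```python
import csv
import io

# Constructed sample: country names as iplocation reports them, mapped to
# ISO 3166-1 alpha-2 codes. Extend with the countries seen in your data.
SAMPLE_COUNTRIES = {
    "Canada": "CA",
    "United States": "US",
    "United Kingdom": "GB",
    "Germany": "DE",
    "Japan": "JP",
}

REGIONAL_INDICATOR_A = 0x1F1E6  # U+1F1E6 REGIONAL INDICATOR SYMBOL LETTER A


def flag_emoji(iso2: str) -> str:
    """Return the flag emoji for a two-letter ISO 3166-1 code."""
    code = iso2.strip()
    # Validate before upper-casing so non-ASCII letters cannot slip through.
    if len(code) != 2 or not (code.isascii() and code.isalpha()):
        raise ValueError(f"not an ISO 3166-1 alpha-2 code: {iso2!r}")
    # A flag is two regional indicator symbols, one per letter of the code.
    return "".join(
        chr(REGIONAL_INDICATOR_A + ord(c) - ord("A")) for c in code.upper()
    )


def build_lookup_csv(countries: dict) -> str:
    """Render the lookup as CSV text with the name,emoji header."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["name", "emoji"])
    for name in sorted(countries):
        writer.writerow([name, flag_emoji(countries[name])])
    return out.getvalue()


def write_lookup(path: str, countries: dict) -> None:
    """Write the lookup file as UTF-8 so the emoji survive the upload."""
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(build_lookup_csv(countries))


if __name__ == "__main__":
    print(build_lookup_csv(SAMPLE_COUNTRIES))
```

Upload the resulting file as a lookup table and define it as `emoji_flags`; countries missing from the file fall through to the `fillnull value="❓"` in the searches above.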

The possibilities are endless! So have some fun with emojis in your dashboards; let’s just hope that at no point do your dashboards or data go to 💩 …



© Discovered Intelligence Inc., 2020. Unauthorised use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.

What’s New in Aura Asset Intelligence 1.4

We are excited to announce the release of Aura Asset Intelligence 1.4, which brings several new and exciting features. This release further enhances the intelligence capabilities of Aura AI and helps enterprises gain even more insight into their assets and the relationships that exist between them.

Asset Activity and Association Reporting

New reporting that highlights the associations between assets and identities through the use of their detection frequency, to better understand activity, usage and shared access rights.

Asset Relationship Visual Workspace

An immensely powerful interactive visual workspace that allows users to graphically explore the interrelationships between assets. For example, view all the assets associated with a particular identity and then see all other identities that are also associated with those same assets.

First and Last Detection Report

Quickly identify when assets are first and last detected. For example, build a report to show all newly discovered assets in the past day, or a report to show assets that have been inactive for over a month.

Vulnerability Scanning and Endpoint Management Compliance Reporting

Additional out-of-the-box compliance reporting helps to identify the gaps between what is being scanned and what is actively being discovered on the network and also to identify workstations and servers that are not being actively managed by the company’s chosen endpoint management solution.

Aura Confidence Levels

A new visual level assigned to every discovered network asset, calculated from several key factors, provides an indicator of asset confidence, freshness and accuracy.

ServiceNow Integration

Full integration with ServiceNow provides the ability to update ServiceNow asset records with what is being actively discovered by Aura AI.

10x Performance Increase

A 10x increase in Aura AI processing efficiency and speed further builds upon our already efficient processing.


Click here to find out more about Aura AI and how you can benefit from the power of real-time asset discovery and intelligence.

© Discovered Intelligence Inc., 2019. Unauthorised use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.

Aura Asset Intelligence

Introducing Aura Asset Intelligence

Aura Asset Intelligence™ from Discovered Intelligence leverages our domain and security expertise to deliver real-time asset discovery and intelligence, helping security teams quickly discover and report on assets within their enterprise.