Dashboards

OpenSearch Dashboards enables you to interactively explore, visualize, and share insights into your network flow data, as well as manage and monitor OpenSearch.

Download OpenSearch Dashboards Objects

The OpenSearch dashboards and related configuration artifacts can be easily imported. You must first download the relevant import file, depending on the configuration of your environment.

Saved Objects for Network Flow Data

| Version         | Schema | Saved Objects                      |
|-----------------|--------|------------------------------------|
| 2.0.0 and later | CODEX  | dashboards-2.0.x-flow-codex.ndjson |
| 2.0.0 and later | ECS    | dashboards-2.0.x-flow-ecs.ndjson   |
| 1.0.0 and later | CODEX  | dashboards-1.0.x-flow-codex.ndjson |
| 1.0.0 and later | ECS    | dashboards-1.0.x-flow-ecs.ndjson   |

Saved Objects for SNMP Telemetry Data

| Version         | Schema | Saved Objects                      |
|-----------------|--------|------------------------------------|
| 2.0.0 and later | CODEX  | dashboards-2.0.x-snmp-codex.ndjson |
| 2.0.0 and later | ECS    | dashboards-2.0.x-snmp-ecs.ndjson   |
| 1.0.0 and later | CODEX  | dashboards-1.0.x-snmp-codex.ndjson |
| 1.0.0 and later | ECS    | dashboards-1.0.x-snmp-ecs.ndjson   |

Import OpenSearch Dashboards Objects

Importing via the User Interface

To import the configuration, in OpenSearch Dashboards go to Stack Management --> Saved Objects and click Import in the upper right corner.

Importing via the API

curl -XPOST "https://username:password@IPORHOST:5601/api/saved_objects/_import?overwrite=true" -k -H "osd-xsrf: true" -H "securitytenant: global" --form file=@dashboards-1.0.x-codex-light.ndjson

Note that -k disables TLS certificate verification and that credentials embedded in the URL end up in shell history; outside a lab, verify the server certificate with --cacert and pass credentials with -u instead.

Troubleshooting Import Problems

When the OpenSearch Dashboards import fails, neither the import UI nor the OpenSearch Dashboards logs will provide any useful information. However, attempting the import via curl will usually return more detail.

The most common issue is the relatively large size of the OpenSearch Dashboards Saved Objects file. This causes the import to fail unless the maximum allowed payload size is increased. The OpenSearch Dashboards setting is server.maxPayloadBytes (or SERVER_MAXPAYLOADBYTES if using Docker), which should be set to 8388608.

If you have a reverse proxy in front of OpenSearch Dashboards, you may have to modify your proxy settings as well. Many reverse proxies also have relatively low limits on the maximum body size. For example, the NGINX default is only 1MB. This can be increased by setting client_max_body_size to 8388608. Refer to the documentation for your proxy software to modify its behavior in the same way.
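The following script is an added example, not ElastiFlow's own tooling: it checks a saved-objects file against the server.maxPayloadBytes value recommended above before posting it, imports it over verified TLS, and reads the API's verdict, which the UI never shows. It assumes OSD_HOST, OSD_USER, OSD_PASS and OSD_CA (path to the CA certificate) are set in the environment.

```shell
#!/bin/sh
# Added example (not part of ElastiFlow): pre-check, import and verify an
# OpenSearch Dashboards saved-objects ndjson file.
# Assumed env vars: OSD_HOST, OSD_USER, OSD_PASS, OSD_CA (CA cert path).
MAX_PAYLOAD_BYTES=8388608   # server.maxPayloadBytes value recommended above

# Succeeds if FILE is no larger than LIMIT bytes (default MAX_PAYLOAD_BYTES).
# An oversized file is the usual cause of a silently failing import.
payload_fits() {
  _size=$(wc -c < "$1" | tr -d ' ')
  [ "$_size" -le "${2:-$MAX_PAYLOAD_BYTES}" ]
}

# Tally saved-object types (one JSON object per ndjson line) so you can
# confirm the file is the flow or SNMP export you meant to download.
count_types() {
  grep -o '"type": *"[^"]*"' "$1" | sort | uniq -c | sort -rn
}

# POST the file to the import API. --cacert verifies the server certificate
# (instead of -k skipping it) and -u keeps the password out of the URL and
# shell history. --fail-with-body still prints the JSON error body.
import_saved_objects() {
  curl -sS --fail-with-body -u "$OSD_USER:$OSD_PASS" --cacert "$OSD_CA" \
    -H "osd-xsrf: true" -H "securitytenant: global" \
    --form "file=@$1" \
    "https://$OSD_HOST:5601/api/saved_objects/_import?overwrite=true"
}

# True when the API response reported success; on failure the body lists
# each rejected object and the reason.
import_ok() {
  printf '%s' "$1" | grep -q '"success": *true'
}

# Usage: ./import-check.sh dashboards-2.0.x-flow-codex.ndjson
if [ -n "$1" ]; then
  payload_fits "$1" || {
    echo "file exceeds $MAX_PAYLOAD_BYTES bytes; raise server.maxPayloadBytes" >&2
    exit 1
  }
  count_types "$1"
  body=$(import_saved_objects "$1")
  printf '%s\n' "$body"
  import_ok "$body"
fi
```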

Recommended OpenSearch Dashboards Advanced Settings

You may find that modifying a few of the OpenSearch Dashboards advanced settings will produce a more user-friendly experience while using ElastiFlow. These settings are made in OpenSearch Dashboards, under Stack Management -> Advanced Settings.

| Advanced Setting | Value | Why make the change? |
|---|---|---|
| filters:pinnedByDefault | true | Pinning a filter allows it to persist when you change dashboards. This is very useful when drilling down into something of interest and you want to switch dashboards for a different perspective on the same data. This is the #1 setting we recommend changing. |
| defaultRoute | see description | If your primary or only use case for OpenSearch Dashboards is ElastiFlow, set this to the URL path of the dashboard you wish to load immediately after logging in, or when returning to "home". The format of this value is /app/dashboards#/view/4a608bc0-3d3e-11eb-bc2c-c5758316d788. |
| doc_table:highlight | false | There is a query performance penalty that comes with using the highlighting feature. As it isn't very useful for this use case, it is better to turn it off. |
| state:storeInSessionStorage | true | OpenSearch Dashboards URLs can get very large, especially when working with Vega visualizations. This will likely result in error messages for users of Internet Explorer. Storing state in session storage fixes this issue for those users. |
| theme:darkMode | true or false | Enable dark mode for the OpenSearch Dashboards UI. This setting should match the ndjson import file discussed above. |
| timepicker:timeDefaults | see below | The Time Picker quick range to use when OpenSearch Dashboards is started without one. |
| timepicker:quickRanges | see below | The default options in the Time Picker are less than optimal for most logging and monitoring use cases. Fortunately, OpenSearch Dashboards now allows you to customize the time picker. Our recommended settings can be found below. |
| format:number:defaultPattern | 0,0.[00] | Default numeral format for the "number" format. |
| format:percent:defaultPattern | 0,0.[00]% | Default numeral format for the "percent" format. |

Recommended Time Picker Time Defaults (timepicker:timeDefaults)

We find that the following Time Picker Time Default provides more useful views of the data for network flow related use-cases.

{
  "from": "now-1h/m",
  "to": "now"
}

Recommended Time Picker Quick Ranges (timepicker:quickRanges)

We find that the following set of Time Picker Quick Ranges provides more useful views of the data for network flow related use-cases.

[
  {
    "from": "now-15m/m",
    "to": "now/m",
    "display": "Last 15 minutes"
  },
  {
    "from": "now-30m/m",
    "to": "now/m",
    "display": "Last 30 minutes"
  },
  {
    "from": "now-1h/m",
    "to": "now/m",
    "display": "Last 1 hour"
  },
  {
    "from": "now-2h/m",
    "to": "now/m",
    "display": "Last 2 hours"
  },
  {
    "from": "now-4h/m",
    "to": "now/m",
    "display": "Last 4 hours"
  },
  {
    "from": "now-12h/m",
    "to": "now/m",
    "display": "Last 12 hours"
  },
  {
    "from": "now-24h/m",
    "to": "now/m",
    "display": "Last 24 hours"
  },
  {
    "from": "now-48h/m",
    "to": "now/m",
    "display": "Last 48 hours"
  },
  {
    "from": "now-7d/m",
    "to": "now/m",
    "display": "Last 7 days"
  },
  {
    "from": "now-30d/m",
    "to": "now/m",
    "display": "Last 30 days"
  },
  {
    "from": "now-60d/m",
    "to": "now/m",
    "display": "Last 60 days"
  },
  {
    "from": "now-90d/m",
    "to": "now/m",
    "display": "Last 90 days"
  }
]