
Using Zeppelin to Create Runbooks

Zeppelin enables data scientists and senior analysts to create workbooks that junior analysts can use as runbooks for repeatable investigations. A runbook can be static, requiring no input from the junior analyst, or dynamic, requiring the junior analyst to enter or choose information. The Metron - YAF Telemetry note is an example of a static notebook. This section provides instructions for creating both kinds of runbooks.

To create a runbook, complete the following steps:

  1. Click Create new note on the welcome page, or click the Notebook menu and choose + Create new note.

  2. Type your commands into the blank paragraph in the new note.

    To make your runbook dynamic, use one or more of the dynamic forms that Zeppelin supports:

    • Text input form

    • Text input form with default value

    • Select form

    • Checkbox form

    For more information about dynamic forms, see the Apache Zeppelin documentation.

    When you create a note, it appears in the list of notes on the left side of the home page and in the Notebook menu. By default, Zeppelin stores notes in the $ZEPPELIN_HOME/notebook folder.

  3. Run your new code by clicking the triangle button in the cell that contains your code.

    Zeppelin attempts to run the code and displays the status near the triangle button: PENDING, RUNNING, ERROR, or FINISHED. Zeppelin also displays another empty paragraph so you can add another command.

  4. Choose the appropriate type of visualization for your code results from the settings toolbar below the code section of the paragraph.

    Figure 5.1. Zeppelin Settings Toolbar


  5. Continue adding commands until you've completed the runbook.

  6. If appropriate, notify the junior analyst that the runbook is available to clone and use.
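
A dynamic paragraph that combines the form types listed in step 2, as an added example that is not from the original page or from the Metron notebooks. The table `yaf` and its column names are assumptions about how the telemetry is registered in your note.

```sql
%spark.sql
-- Added example: destinations contacted by one internal host.
-- Assumed names: table yaf with columns ip_src_addr, ip_dst_addr,
-- ip_dst_port and timestamp (epoch milliseconds).
--
-- Zeppelin substitutes each form value into the query text before the
-- query runs. Parameters with a known set of values therefore use select
-- or checkbox forms, so the analyst can only pick from fixed options.
-- The source address is the single free-text field.
--
-- Forms, in order of appearance below:
--   src_ip  text input with a default value
--   ports   checkbox form, 80 and 443 ticked by default
--   hours   select form for the lookback window
--   top_n   select form for the number of rows returned
SELECT
  ip_dst_addr,
  ip_dst_port,
  count(*) AS flows
FROM yaf
WHERE ip_src_addr = '${src_ip=10.0.0.1}'
  AND ip_dst_port IN (${checkbox:ports=80|443,22|53|80|443|3389})
  AND `timestamp` >= (unix_timestamp() - ${hours=24,1|6|24|168} * 3600) * 1000
GROUP BY ip_dst_addr, ip_dst_port
ORDER BY flows DESC
LIMIT ${top_n=10,10|25|50}
```

If the analyst clears every port checkbox, the `IN` list is empty and the paragraph finishes with status ERROR, so keep at least one default ticked.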

Examples

The following examples provide sample paragraphs you might want to include in a runbook:

  • Top Talkers - Internal

    This paragraph is static and requires no input from the user.

    Figure 5.2. Zeppelin Top Talkers


  • Flows by hour

    This paragraph is static and requires no input from the user.

    Figure 5.3. Zeppelin Flows By Hour