Using Zeppelin to Create Runbooks

Zeppelin enables data scientists and senior analysts to create workbooks for junior analysts that can be used as runbooks for recreatable investigations. These runbooks can be static, which require no input from the junior analyst, or dynamic, which require the junior analyst to enter or choose information. You can see an example of a static type of notebook in the Metron - YAF Telemetry note. This section provides instructions for creating both kinds of runbooks.

  1. Click Create new note on the welcome page, or click the Notebook menu and choose + Create new note.
  2. Type your commands into the blank paragraph in the new note.
    To make your runbook dynamic, use one or more of the dynamic forms that Zeppelin supports:
    • Text input form

    • Text input form with default value
    • Select form

    • Checkbox form

    When you create a note, it appears in the list of notes on the left side of the home page and in the Notebook menu. By default, Zeppelin stores notes in the $ZEPPELIN_HOME/notebook folder.
  3. Run your new code by clicking the triangle button in the cell that contains your code.
    Zeppelin attempts to run the code and displays the status near the triangle button: PENDING, RUNNING, ERROR, or FINISHED. Zeppelin also displays another empty paragraph so you can add another command.
  4. Continue adding commands until you've completed the runbook.
  5. Choose the appropriate type of visualization for your code results from the settings toolbar below the code section of the paragraph.

  6. If appropriate, notify the junior analyst about the runbook that he can clone and use.
The following examples provide sample paragraphs you might want to include in a runbook:
  • Top Talkers - Internal

    This paragraph is static and requires no input from the user.

  • Flows by hour

    This paragraph is static and requires no input from the user.