Dashboard customization

Dashboard customization

Dashboards are landing pages in Splunk Web. By default, Splunk displays dashboards set in $SPLUNK_HOME/etc/system/default/prefs.conf. Dashboards are set on a per user basis. Users can add:

• Saved searches on dashboards.
• Reports on dashboards.

You can make your own dashboard via Splunk Web. However, if you want to customize your dashboard layout, edit the prefs.conf configuration file. Before editing configuration files, read more about how configuration files work.

For custom dashboard examples, please see this section of the Dev Wiki.

Configuration

Set up a new dashboard by configuring modules. Modules are made up of searches or html and appear in separate areas of Splunk Web. Configure new dashboards and modules in $SPLUNK_HOME/etc/system/local/prefs.conf (or your own application directory).

The configuration steps are:

1. List the modules for the dashboard.

2. Add search modules.

3. Add html modules.

4. Attach your dashboard to a user.

List modules

List all the modules you've created for a dashboard. You must put this list first, before you define the modules. You can always come back and add module names to the list.

dashboard_customList = <comma separated list of module names>

• Define custom modules in dashboard_customList_<MODULE_NAME>_searches and dashboard_customList_<MODULE_NAME>_text (below).
• Note: You must list all modules for your dashboard here and then define each module below. The MODULE_NAME(s) must match.
  • For example, if you have dashboard_customList = foo then you must also have dashboard_customList_foo_searches = <any valid search> or dashboard_customList_foo_text = <any valid html>.
• Add a $+ at the end of your list of module names if you want to append to existing lists.
  • If you leave off the $+, you will obscure any other custom lists that exist in the system.

Example

Here's an example from the Twiki dashboard:

dashboard_customList = Twiki activity last 7 days,Twiki activity last 24 hours,TwikiIntro,Twiki saved searches,$+

This makes all the named search modules (and any other search modules) available to the dashboard.

Add search modules

Search modules are lists of links to customized searches. Clicking a link runs the specified search.

To add a search module to your dashboard, use the following attribute/value pairs:

dashboard_customList_<MODULE_NAME>_searches = <any validly formatted search>
dashboard_customList_<MODULE_NAME>_labels = <optionally label your searches>

You can specify any number of these pairs as long as the MODULE_NAME is different for each pair.

dashboard_customList_<MODULE_NAME>_searches = <any validly formatted search>

• Set a search to appear in your dashboard.
• Note: You must also use the *_labels attribute (below).

dashboard_customList_<MODULE_NAME>_labels = <label your searches>

• Add a label to your searches.
• Note: You must use this attribute if you are using *_searches. If you don't want to label your searches, put this attribute in but leave the value blank.

Example

Here's more from the Twiki dashboard:

dashboard_customList_Twiki_saved_searches_searches = ['| admin mysavedsearches | where stanza LIKE 
"Twiki%" | rename stanza as name query as term | sort name']
dashboard_customList_Twiki_saved_searches_labels =

This displays all the results from this saved search on your dashboard. Splunk will split the rendering up into 2 and 3 columns past certain thresholds of search results.

Format searches

Searches you add to your dashboard must be validly formatted. First, you must know what metadata you are interested in pulling out of your events and displaying on the dashboard. Once you've determined the data you're interested in displaying, create a search that extracts this information. This means you must pipe your search through the following search commands to properly display your list of searches. For more information on search commands, see the User Manual search command reference.

Required fields

Include these commands (in the order listed) to properly display and link to your searches.

• termkey="<field_name>"
  • <field_name> is a literal string that becomes the field name in the search.
  • For example termkey="client_ip" becomes the search client_ip=* when you click on the link.
• term=<value>
  • <value> becomes the field value in the search.
  • For example term="host=foo" becomes the search host=foo when you click on the link.
• rename <field> as name
  • <field> is the field you want to display in the list.
  • For example rename source as name will list a source (such as /var/log/messages) on your dashboard.
• rename count as rowCount
  • Lets you display a count of search results next to the link.
  • Use count (or other stats command, such as topCount).
  • This is an optional setting, and is only useful if your search generates a count of events.
• Sort 15 + | - <field_name> lets you sort ascending or descending order and limit your search to 15 results.

Note: Due to hard-coded Splunk Web display limitations, you can only display 15 items. Your search must limit its outcome to 15. Use top or sort to display only 15 results.

Example

The following example is the default dashboard display of all indexed data. Note that each search is piped through termkey, term, name and count.

For more examples, see the custom dashboard page on the wiki.

dashboard_customList_All_indexed_data_searches = [

This part defines the search that extracts information about sources:

'| metadata type=sources | tags | rename tag::source as tags | eval termkey="source" | eval term=source | rename source AS name totalCount as 
rowCount | fields name,term,termkey,rowCount,fullCount,tags | sort 15 -rowCount',

This part defines the search that extracts information about sourcetypes:

'| metadata type=sourcetypes | eval termkey="sourcetype" | eval term=sourcetype | rename sourcetype AS name totalCount as rowCount | fields 
name,term,termkey,rowCount,fullCount,tags | sort 15 -rowCount',

This part defines the search that extracts information about hosts:

'| metadata type=hosts | tags | rename tag::host as tags | eval termkey="host" | eval term=host | rename host AS name totalCount AS rowCount | 
fields name,term,termkey,rowCount,fullCount,tags | sort 15 -rowCount'] 

This part sets up labels for each list of links to search results:

dashboard_customList_All_indexed_data_labels = Sources, Sourcetypes, Hosts

This displays in Splunk Web as:

Add text modules

Add a module with your own text.

Refer to the following example of a text module called "Hello World":

dashboard_customList = Hello World,$+

dashboard_customList_Hello_World = \
I'm here to say Hello World! \

• Any valid text.
• IMPORTANT: Each line of text must end with a \ to mark a newline (no spaces, or other characters).
• Exact case and whitespace match is important.

Add html modules

Add a module with your own html.

To add an html module to your dashboard, use the following attribute/value pairs:

dashboard_customList_<MODULE_NAME>_text = <html>

dashboard_customList_<MODULE_NAME>_text = <html>

• Any valid html/text.
• Use the *_text attribute instead of *_searches and *_labels.
• IMPORTANT: Each line of text must end with a \ to mark a newline (no spaces, or other characters).

Example

Create a user-specific dashboard

Dashboards can be linked to specific users. This means the configured dashboard shows up in the drop-down dashboard selector in Splunk Web only for the specified user.

Set the following attribute/value pairs in $SPLUNK_HOME/etc/system/local/prefs.conf (or your own custom application directory):

[user:<USER>]
dashboardset_<name> = <comma separated list of saved searches and/or modules>
dashboard_activeset = <name>

[user:<USER>]

• Optional.
• Set which user this dashboard is for.
• Any valid user in Splunk.
• This dashboard only appears in the drop-down for the specified user.
• Note: If you want your dashboard to be accessible to any user, omit this line.

dashboardset_<name> = <comma separated list of saved searches and/or modules>

• Add saved searches or custom list modules to your dashboard.
• Saved searches can be reports -- in this case, they appear as charts/graphs (as specified in the saved search).
• Custom list modules are defined via dashboard_customList and its dependent attributes (see above).

dashboard_activeset = <name>

• Name your dashboard. The name appears in the dashboard drop-down in Splunk Web.
• Note: You can prevent users from changing their default dashboard on a role basis via web.conf.

Example

This example limits the Twiki dashboard to the user penelope. It also sets a name for the dashboard as "Twiki."

[user:penelope]
dashboardset_twiki = TwikiIntro,Twiki saved searches,Twiki activity last 24 hours,Twiki activity last 7 days,Users editing in the last 24 hours,Pages edited in the last 24 hours
dashboard_activeset = Twiki

Create shared dashboards

You can also declare a dashboard globally, outside any user stanza, to make the dashboard accessible to any Splunk user. Web-interface user changes to the dashboard will create a user-local copy of the global dashboard with the changes applied.

Lock dashboards for roles

You can configure web.conf to prevent users from creating and saving new dashboards in a persistent way. This will also prevent them from making persistent changes to dashboards.

In $SPLUNK_HOME/etc/system/local/web.conf add the following:

disablePersistedPrefs = <role>

• Specify a role.
• Users in the specified role can still make changes to Splunk Web through the preferences configuration page, but their changes will not be persisted across sessions.

Mask default dashboards

You can mask all the dashboards in $SPLUNK_HOME/etc/system/default/prefs.conf with the following configuration. This means dashboards won't show up in Splunk Web and are not available in the dashboard drop-down in Splunk Web.

Add the following to prefs.conf in $SPLUNK_HOME/etc/system/local/ (or your own custom application directory):

dashboardset_getting_started = SPLUNK-DELETED-DASHBOARD
dashboardset_admin = SPLUNK-DELETED-DASHBOARD
dashboardset_main = SPLUNK-DELETED-DASHBOARD
dashboard_activeset = test
dashboardset_test = null
dashboard_intro_getting_started = 

You can set this for a specific user, or you can put this at the top of the configuration file to set for all users.

This example masks all default dashboards. Users will be presented with a blank screen upon login. Users can then customize their individual dashboards.

• Was this topic useful?
• Post a comment