Dashboard example
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Dashboard example
This section contains an example of a dashboard configuration, using the simplified XML. For more examples, download the UI examples app from Splunkbase.
Start off your dashboard with the dashboard tag and label:
<dashboard> <label>Dashboard example 1 - Intro</label>
First row: tables and charts
Then, add the first row of the dashboard. The first panel executes an inline search using <searchString> and displays results as a table. The second panel accesses results from a saved search and displays the results as a chart:
<row>
<table>
<title>high CPU processors</title>
<searchString>index="_internal" source="*metrics.log" group="pipeline" | chart sum(cpu_seconds) over processor | sort -sum(cpu_seconds) | rename sum(cpu_seconds) as "Total CPU Seconds"</searchString>
<earliestTime>-60m</earliestTime>
<latestTime>now</latestTime>
<option name="showPager">true</option>
</table>
<chart>
<title>high CPU processors</title>
<searchName>Pipeline processors with most processor time</searchName>
<option name="height">400px</option>
</chart>
</row>
Second row: HTML
Then, add the second row of the dashboard. The only panel in this row is inline HTML.
<row>
<html>
<h2>Processor highlights, last 60 minutes. </h2>
<p>
These 'single' panels can be configured to be in different colors depending on conditions in the output (we have not done so here).
</p>
</html>
</row>
Third row: single value
Here's the third row of the dashboard. The panels in this row are all single value panels. The panels are grouped as two single values, three and then one.
<row grouping="2,3,1">
<single>
<searchString>index="_internal" source="*metrics.log" group="pipeline" | stats dc(processor)</searchString>
<earliestTime>-60m</earliestTime>
<option name="afterLabel">active processors</option>
</single>
<single>
<searchString>index="_internal" source="*metrics.log" group="pipeline" | chart sum(cpu_seconds) over processor | rename sum(cpu_seconds) as TotalCPUseconds | search TotalCPUseconds>=1 | stats count</searchString>
<earliestTime>-60m</earliestTime>
<option name="afterLabel">processors have > 1 CPU second</option>
</single>
<single>
<searchString>index="_internal" source="*metrics.log" group="pipeline" | chart sum(cpu_seconds) over processor | rename sum(cpu_seconds) as TotalCPUseconds | sort 1 -TotalCPUseconds | fields processor</searchString>
<earliestTime>-60m</earliestTime>
<option name="beforeLabel">"</option>
<option name="afterLabel">" is the most active processor</option>
</single>
<single>
<searchString>index="_internal" source="*metrics.log" group="pipeline" | chart sum(cpu_seconds) sum(executes) over processor | rename sum(cpu_seconds) as TotalCPUseconds | sort 1 -TotalCPUseconds | fields sum(executes)</searchString>
<earliestTime>-60m</earliestTime>
<option name="beforeLabel">with</option>
<option name="afterLabel">executes</option>
</single>
<single>
<searchString>index="_internal" source="*metrics.log" group="pipeline" | chart sum(cpu_seconds) sum(executes) over processor | rename sum(cpu_seconds) as TotalCPUseconds sum(executes) as total_executes | sort 1 -TotalCPUseconds | eval ms_per_execute=1000*TotalCPUseconds/total_executes | fields ms_per_execute</searchString>
<earliestTime>-60m</earliestTime>
<option name="beforeLabel">and</option>
<option name="afterLabel">ms per execute</option>
</single>
<single>
<searchString>index="_internal" source="*metrics.log" group="pipeline" | chart sum(cpu_seconds) | rename sum(cpu_seconds) as TotalCPUseconds | fields TotalCPUseconds</searchString>
<earliestTime>-60m</earliestTime>
<option name="beforeLabel">Total pipeline CPU time is</option>
<option name="afterLabel">seconds</option>
</single>
</row>
</dashboard>
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 , 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.