Build a dashboard
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Build a dashboard
Use dashboards to highlight interesting and useful aspects of your data, link to important searches and display common reports. For example, make a network operations console where you can see an overview of your entire network, find out which machines are down and be notified of any firewall violations. The instructions on this page explain how to build a dashboard using Splunk's simplified XML syntax. If you want to make a dashboard that is more advanced, follow the instructions for how to build an advanced dashboard in this manual.
Each dashboard is made of one or more panels and each panel contains a search and a visual summary of that search. Panels are laid out next to or on top/beneath each other. Panels contain:
- A search or report
- A chart, list or other visualization of the search
For a complete list of all available panels, see the panel reference in this manual. You can also include web resources to your dashboard panels.
Dashboards are built on searches and reports -- saved searches and reports or searches you specify in your dashboard XML configuration. If you specify a saved search in your dashboard, Splunk uses the most recent results from that search. So you can set up a search to run on a schedule and your dashboard will use cached results. Use saved searches if you have a lot of long running searches or you expect a lot of people will be using the same dashboard at the same time. If you'd like your dashboards to display results in real time, build a search string directly into the dashboard.
This topic describes how to build a dashboard using the simple XML.
Create a dashboard
Create a dashboard through Splunk's UI with the visual dashboard editor or Splunk's simplified XML syntax. This syntax is built on the advanced view syntax and supports a limited number of modules. If you want functionality in your dashboard beyond what's listed in this page, use the advanced dashboard syntax. Note that you currently cannot switch between simple and advanced syntax.
via the visual dashboard editor
Create a dashboard via the visual dashboard editor in Splunk Web. To begin, select the Actions menu in the upper left corner of Splunk Web:
Then, follow the instructions in the visual dashboard editor. Drag and drop any panels you create above, below or next to each other.
To read more about the visual dashboard editor, see "creating simple dashboards" in the User Manual.
via XML
Create simple dashboards without using the visual dashboard editor with Splunk's simplified XML. You can create simplifed XML dashboards through Splunk Manager or Splunk's file system.
in Splunk Manager
1. Navigate to Manager.
2. Click Views.
3. Select the New button to create a new view, or click on an existing dashboard to edit it.
4. Follow the instructions on the new view page and enter XML in the format described below.
For example, if you want to add a view to the Search App, navigate to the Search App in Splunk Web and then click the Manager link in the upper right-hand corner, then click Views. You'll see a list of existing views, which you can clone if you want to copy and make changes to an existing view. To create an entirely new view, click New.
in Splunk's file system
1. Copy your XML directly into your App via the file system.
2. Make sure your dashboard's XML file goes in $SPLUNK_HOME/etc/apps/<app_name>/default/data/ui/views/.
XML configuration
Once you've created a file for your dashboard, add XML to structure the dashboard. Start by creating a dashboard element and setting a label attribute. The label shows up in the drop-down menu in Splunk Web. Dashboard names can contain spaces, alphanumeric characters, underscores or dashes.
This example creates an empty dashboard page, which has the standard Splunk header, navigation and a label of "My dashboard":
<dashboard>
<label>My dashboard</label>
</dashboard>
Set the refresh rate for the entire dashboard by adding a refresh="<seconds>" attribute:
<dashboard refresh="30">
<label>My dashboard</label>
</dashboard>
Now you're ready to add content to your dashboard by creating rows and panels.
Add dashboard elements
Dashboards are built out of rows which are in turn made up of up to 3 panels. Start your XML by adding a single row, which can accommodate one or more panels. Pick the panels you want from the panel reference in this manual.
<dashboard>
<label>My dashboard</label>
<row>
PANELS GO HERE
</row>
<row>
MORE PANELS GO HERE
</row>
</dashboard>
Examples
multiple panels
Add more panels to the same row. This example displays three panels side-by-side:
<dashboard>
<label>My dashboard</label>
<row>
<table>
<searchName>my errors</searchName>
</table>
<table>
<searchName>your possible errors</searchName>
</table>
<table>
<searchName>their definite errors</searchName>
</table>
</row>
</dashboard>
Or spread your panels across multiple rows. This example puts one panel in its own row and two panels in one other row:
<dashboard>
<label>My dashboard</label>
<row>
<table>
<searchName>my errors</searchName>
</table>
</row>
<row>
<table>
<searchName>your possible errors</searchName>
</table>
<table>
<searchName>their definite errors</searchName>
</table>
</row>
</dashboard>
Group panels within a row under the same heading. Multiple panels within a row can also be grouped by adding a grouping attribute to the row node. The following example places your possible errors and their definite errors under the same group heading:
<dashboard>
<label>My dashboard</label>
<row>
<table>
<searchName>my errors</searchName>
</table>
</row>
<row grouping="2">
<table>
<searchName>your possible errors</searchName>
</table>
<table>
<searchName>their definite errors</searchName>
</table>
</row>
</dashboard>
You can further group panels on the left or right sides within a single row. The following with create a single row of panels, with 3 tables in the left group and 2 tables in the right:
<dashboard>
<label>My dashboard</label>
<row grouping="3,2">
<table>
<searchName>my errors</searchName>
</table>
<table>
<searchName>your possible errors</searchName>
</table>
<table>
<searchName>their definite errors</searchName>
</table>
<table>
<searchName>known unknown errors</searchName>
</table>
<table>
<searchName>unknown unknown errors</searchName>
</table>
</row>
</dashboard>
search options
All of the previous examples use a simple table panel and a saved search. But there are more options for specifying searches in a panel.
Specify an inline search. For example:
<table>
<searchString>search foo this | timechart that</searchString>
<earliestTime>-20h</earliestTime>
<latestTime>-2h</latestTime>
</table>
Restrict your saved search output by field:
<table>
<searchName>Errors in the last 24 hours</searchName>
<fields>host, source, errorNumber</fields>
</table>
Add a title to the panel:
<table>
<title>Look here for errors that you need to care about</title>
<searchName>Errors in the last 24 hours</searchName>
<fields>host, source, errorNumber</fields>
</table>
Set display options for your panel. For example:
<table>
<title>Look here for errors that you need to care about</title>
<searchName>Errors in the last 24 hours</searchName>
<fields>host, source, errorNumber</fields>
<option name="count">25</option>
<option name="displayRowNumbers">true</option>
</table>
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.