Create a dashboard with the visual editor
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Create a dashboard with the visual editor
You can embed your searches in a dashboard -- a custom view in Splunk Web. Dashboards show visualizations of your data such as charts and graphs and are extremely useful for displaying the results of reports and searches. Internally, Splunk dashboards are created in XML, a markup language designed to structure and store information. There are three ways to create and edit dashboards:
- Use the visual dashboard editor, which provides a basic set of options and formats for dashboards. See Create simple dashboards with the visual dashboard editor in the User manual for more information.
- Use a simplified version of Splunk's underlying XML ("simple XML"). This gives more flexibility and a range of options that is sufficient for most users, but requires you to use a simple version of XML. See Dashboards: an introduction in the Developer manual for more information.
- Use the full XML syntax ("advanced XML"). See Introduction to advanced views in the Developer manual for more information.
This topic shows how to start a dashboard using the visual editor. A later topic will show how to use the simple XML to fine-tune the dashboard.
Add a chart panel
A dashboard is made up of panels. Each panel contains a dashboard module, such as a search box, a chart, or a form. To build a dashboard, you add, configure, and position panels, and specify the searches the panels use. Start by adding a single panel and seeing what you get.
1. From the Search app, select Create new dashboard... from the Actions menu.
2. Enter business_metrics for the ID and Business Metrics for the Name, then click Create.
3. Click Edit the dashboard.
4. Select Chart as the Panel type and enter Average Duration by Activity for the Title.
5. Click on the Saved Search menu to see a list of saved searches you can use for the chart. In this example, you would select Average Duration by Activity.
6. Click Add Panel. The Edit window expands to show the Panel layout.
7. Click Close to view the dashboard.
Explore the chart panel
Right now, this dashboard has a single panel that displays a chart based on the search you specified. It is formatted with the following chart default features:
- For a timechart, the default displays _time on the X-axis.
- By default, charts display in column format, with the columns side-by-side. You can change this format using reporting commands in the search, or via the simple XML.
There are some less obvious features that are also provided automatically:
- View results
- Hover
- Drilldown
View results
The panel automatically displays a View results link.
Clicking on View results displays the actual results of the underlying search:
Hover over the chart
Hovering over a specific location on the chart shows a pop-up with details.
Drill down into the chart
The drilldown feature, introduced in 4.1, gives you different ways to look at your results by generating an in-depth search based on the search in your dashboard. See Understand basic table and chart drilldown actions in the User Manual for more information.
For version 4.1 and higher, click on a specific location on the chart to drill down into the underlying events.
Compare the following two searches:
Embedded search set when you created the dashboard and shown when you click View results:
eventtype="CONTENT_EVENTS" | transaction accountNumber subscriberID maxspan=1m maxpause=30s | timechart span="1m" avg(duration) by activity usenull="f"Drilldown search generated by clicking on a point on the chart:
eventtype="CONTENT_EVENTS" | transaction accountNumber subscriberID maxspan=1m maxpause=30s | search activity="ActivateSubscriber"Drilldown both removes and adds components of your search. In this example:
- First, it removes the reporting command which aggregates the results, and gone back to the original search. That is, it has removed the timechart command that computes the average over time.
- Second, it looks at the
span="1m"and set a custom time based on that time interval. - Finally, it looks at the
by activityinformation from the timechart command and used that to create a new search term that focuses in only on the subset of results that match the activity you clicked on. That is, if you click on ActivateSubscriber, drilldown shows only the transactions in that time frame that have ActivateSubscriber in the activity field.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.