Documentation > Splunk > Developing Dashboards, Views, and Apps for Splunk Web > How to build a real-time dashboard

Developing Dashboards, Views, and Apps for Splunk Web

 


Overview
Build dashboards
Build forms
Build advanced views
Customize Splunk Web
Build apps
Extend Splunk
View reference material
Custom charting configuration reference

How to build a real-time dashboard

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

How to build a real-time dashboard

You can use Splunk's new real-time reporting capability to show streaming results in your dashboards. First, construct a real time search, as described in the real-time search and reporting topic in the User Manual. You can save this search and add it to your dashboard using the HiddenSavedSearch module.

To enable real-time on your dashboard, add the EnablePreview module to your view XML. For example: 

...
<module name="EnablePreview">
  <param name="enable">true</param>
  <param name="display">false</param>
...

If you're building an inline search with the HiddenSearch module, you can specify a sliding window for real-time results by setting the earliest and latest params on your HiddenSearch module. For example, the following sets a 5 minute window, therefore showing streaming results from the most recent 5 minutes: 

...
<module name="HiddenSearch" autoRun="True">
  <param name="search">host=foo OR bar | top IP</param>
  <param name="earliest">rt-5m</param>
  <param name="latest">rt</param>
...

Example

Here is a complete example. Notice that this example sets the real-time window to 30 seconds. 

<?xml version="1.0"?>
<view template="dashboard.html">
  <label>Real time example</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>

  <module name="GenericHeader" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="label">My real time search</param>
      <module name="HiddenSearch" autoRun="True">
        <param name="search">host=foo OR bar | top IP</param>
        <param name="earliest">rt-30s</param>
        <param name="latest">rt</param>
          <module name="EnablePreview">
            <param name="enable">true</param>
            <param name="display">false</param>
              <module name="HiddenChartFormatter">
                <param name="chart">area</param>
                <param name="primaryAxisTitle.text">Time</param>
                <param name="chart.stackMode">default</param>
                <param name="secondaryAxisTitle.text">Count</param>
                  <module name="FlashChart">
                    <param name="width">100%</param>
                    <param name="height">250px</param>
                  </module>
                  <module name="ViewRedirectorLink">
                    <param name="viewTarget">flashtimeline</param>
                    <param name="label">View results</param>
                  </module>
               </module>
            </module>
      </module>
  </module>
</view>
Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.1.4/Developer/RealTimeDashboard"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!