Splunk® Enterprise

User Manual

Download manual as PDF

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Create simple dashboards with the visual dashboard editor

Splunk's visual dashboard editor enables you to create simple dashboards quickly without touching the XML behind it. All you need to get going is a set of saved searches and saved reports that Splunk can use to populate dashboard panels with useful metrics and charts.

Note: The visual dashboard editor is great for getting simple but functional dashboards up and ready for use in a matter of minutes. However, you can create more complex dashboards that offer features unavailable through the visual dashboard editor. For more information, see the "Build dashboards" section of the Developer manual.

Starting out

1. Open the Actions drop-down list and click Create new dashboard....

2. Name your new dashboard. Designate a unique ID for it and give it the Name that it will be identified by in the top-level navigation menu.

3. Click Create to create your new dashboard.

4. When your new dashboard appears, it is empty. To start defining panels for it, click Edit the dashboard to open the visual dashboard editor.

Create your first panel

In the visual dashboard editor, start by choosing a Panel type. The visual dashboard editor enables you to create four types of dashboard panels: data tables, charts, event lists, and single value panels. (There are two other panel types--list panels and HTML panels--that you can only create by working directly with the simple XML for the dashboard.)

The data table panel type

The Data table panel type presents report results in tabular format:

Visdash datatable.png

The chart panel type

The Chart panel type displays report results as a chart.

Visdash chart.png

Now, if you want the stacked area chart panel shown here to display as a line chart instead, you have two options:

Important Note: Be aware that the chart panel type takes its default chart formatting parameters from the saved report that feeds it. For example, say you have a saved report that is designed to appear as a column chart. If you use this saved report in a chart panel, the chart panel will display a column chart by default.

It's also important to understand that a straightforward search without a transforming command will not show you any useful data when it is set up as a chart panel. The simple search index=_internal just returns a list of events that can't be represented in chart form. However, the search index=_internal | timechart count span=1h returns hourly totals of events, which can easily be represented as a bar, column, line, or area chart.

It may be helpful to think of things this way: if the data returned by the search can be represented as a table (rather than just a list of events) it can likely be turned into a chart of some kind. For more information about this, see the subtopic on "Chart data structure requirements" in this manual.

The single value panel type

The Single value panel type displays a single numerical value as its result. For example, you could connect this to a search that returns the total number of 404 errors in your server over the past hour, or which displays the average access delay for a webserver. The panel retrieves the value from the first field in the first result.

Visdash singlevalue.png

Note: You can set single value panels to appear green, yellow, or red depending on the value they display. To do this you need to work with the XML behind the panel. You can find instructions in "Add a single value" in the Developer manual.

The event listing panel type

The Event listing panel type displays a listing of events returned by a search. This panel type is good for searches for particularly rare kinds of events, such as events that contain a significant but uncommon error message.

Visdash eventlisting.png

Enter a name for the panel and then select a saved search or report to associate with it. Click Add panel to add your new panel to the Panel layout section.

Note: We recommend that you design your dashboard panels to use scheduled searches whenever possible, especially if you expect them to have a significant number of users. When you use a scheduled search to populate a dashboard panel, Splunk just retrieves the data associated with the last scheduled run of that search when the dashboard is refreshed. This impacts system performance far less than if you have it rerun all of the dashboard reports from scratch at each refresh, and it helps you avoid situations where too many reports are being run concurrently by multiple users.

For more information about defining scheduled searches, see "Schedule saved searches" in this manual.

Set up the dashboard panel layout

Create additional panels using the same method as the first one. As they appear in the Panel layout section, you can click their titles and drag them to adjust their arrangement in the dashboard.

The visual dashboard editor enables you to set up dashboards with rows of one to three panels. By default Splunk sets these up so that each panel in a row has an equivalent width, but the panel height can differ depending on the panel type and the information the panel is displaying.

Note: At current, the maximum number of panels per row is three. This limitation will be removed in an upcoming release.

Here are a few guidelines that you might want to follow when creating dashboard layouts with groups of panels.

  • Because single value panels are small, they appear best when arranged in rows of three. They display too much white space when arranged in rows of one or two.
  • Event listing panels display best in single panel rows, because they display lines of event data that would otherwise need to be seen via a horizontal scroll bar.
  • Data table panels and chart panels work best in rows of one or two panels. You can mix table and chart panels together on the same row, but data table panels can vary in height depending on the length of the tables populating them (consider having the searches that feed them return only the top or last five values).

Here's an example of a dashboard layout that uses the above guidelines. Note that the top row contains three single value panels, the middle row has just one event listing panel, and the bottom row has a chart panel and data table panel, respectively.

Visdash panellayout.png

Note: Most of these display issues can be dealt with by simple adjustments to the XML behind the dashboard. You can add paging controls for long data table panel types, group panels together under the same heading, change chart formatting parameters, and more. You can access the XML by clicking Edit Name/XML at the bottom of the visual dashboard editor window. For more information about editing XML for dashboards created with the visual dashboard editor, see "Panel reference for simple XML" in the Developer manual.

Change the dashboard name or XML configuration

Select Edit name/XML to edit the dashboard name and the simple XML behind the dashboard. For more information about editing XML for dashboards created with the visual dashboard editor, see the "Build dashboards" chapter in the Developer manual.

Change dashboard permissions

Select Edit permissions to expand or restrict the role-based read and write permissions for the dashboard. When you set dashboard permissions you can also define the app availability of the app. The dashboard can be:

  • A private view available only to yourself.
  • Available to one app only (the app it was designed in) and the people who have permission to use it.
  • "Globally" available to all Splunk apps in your system (and therefore all of your Splunk users).

Set up or update individual dashboard panels

You can use the visual dashboard editor to define aspects of individual panels. To do this, click Edit panel on a panel that has been added to the Panel layout section of the editor. The Edit panel window appears for that panel. You can use this window to:

  • Update the Panel style and Title.
  • Select basic table and chart drilldown options for dashboard panels.
  • Add inline search strings to dashboard panels.

Edit panel example.png

Define simple table or chart drilldown options for dashboard panels

All data table and chart panel types can have "drilldown" functionality, where you click on the table or chart to set off a search that drills down on a particular aspect of that table or chart. For example, the panel being defined in the above example of the Edit panel window might create a table that looks like this:

referrer count
http://prettypwnny.com 243
http://deepthaduke.com 65

If this table is set up for row drilldown, when you click on the first row of the panel, Splunk will move to the Search view and run the following search:

search sourcetype=apache 404 referrer="http://prettypwnny.com"

....which provides detail information on the 404 error events associated with the PrettyPwnny referrer over the specified search duration.

Data table panel types have three drilldown options under Drilldown. They are:

  • None, which turns off the drilldown functionality for the table.
  • Row, which means that a click on a row sets off a search across the x-axis value represented by that row. For example, if the row represents a specific period of time, then a click on that row sets off a search that is identical to the search that generated the chart, except that it only covers the time range that the row represents.
  • Cell, which sets off a search that is restricted to the x-axis value (the row) and the y-axis value (the column) represented by the cell, when the originating search includes a "split by" clause.
For example, you could use a cell-click in a table resulting from a "timechart count by clientip" search, where the columns are values of clientip, like The resulting search displays a histogram that shows when those events occurred during that period.

Note: Data table panels are set to the Row click type by default when they are created.

Chart panels have two drilldown options under Drilldown. They are:

  • Off, which turns off the drilldown functionality for the chart.
  • On, which lets you drill down on a particular part of a chart or legend by clicking on it. For example, when you click on a particular bar of a bar chart, Splunk runs a search (based on the original search used to generate the bar chart) that covers only the block of time represented by that bar.

Note: Chart panels have their drilldown value set to On by default when they are created.

For more information about how table and chart drilldown actions actually work, see "Understand basic table and chart drilldown actions" in this manual.

You can specify much more complex drilldown actions for tables when you design them using advanced XML. For more information about designing drilldown actions for dashboards and views see the Developer manual.

Define searches for dashboard panels

All dashboard panels are associated with searches. You can determine whether a panel runs off of a predefined, saved search, or whether it uses a search that has been specifically designed for the panel and associated with it in an "inline" manner.

In the Search command section, select either Saved search or Inline search string.

  • If you select Saved search you can select a saved search for the panel from a list of all of the saved searches that are associated with dashboard's parent app (the app you are in when you edit the dashboard). The dashboard will run this search for the panel every time you open it or refresh it.
  • If you select Inline search string you can define a search string that is specific to this panel. Specify the inline search time range by placing relative time modifiers in the Earliest time and Latest time fields.

Note: Keep in mind that the visual dashboard editor does not enable you to set up the formatting parameters for chart panels. If you design a chart panel with an inline search and find that you want to adjust the chart formatting, you have to edit the simple XML behind the dashboard.

Editing dashboards created with the visual dashboard editor

You can edit any dashboard that was created with the visual dashboard editor (or which uses simple XML) by bringing up the dashboard and then clicking on Edit dashboard... in the Actions menu. The visual dashboard editor appears.

Managing dashboard navigation

Because dashboards are a type of view, by default any new dashboard you create will appear in the View drop-down list in the top-level navigation menu. You can edit the XML behind the navigation menu to:

  • Change the the location of your unclassified dashboards. You can move dashboards to existing lists (or "view collections") in the navigation menu, or create new lists for them.
  • Create nested collections (view collections within navigation bar lists) that classify similar dashboards together. For example, under your Dashboards dropdown, you could have a "Web Server" collection that groups together a set of dashboards that display different kinds of firewall information for your web server.

Note: Navigation is managed on an app by app basis. If your dashboard has been promoted globally to all of the apps in your system, it initially appears in the default drop-down list for "unclassified" views in those apps' top-level navigation menus. Users with write permissions for those apps can move the dashboard to its proper location in the app navigation menus as appropriate.

For an overview of navigantion menu management see "Define navigation for saved searches and reports" in the Knowledge Manager manual.

If you have write permissions for your app, you can access its navigation menu XML by opening Manager, clicking Navigation Menus, and then clicking the name of the navigation menu for your app. See the "Build navigation for your app" topic in the Developer manual for details about working with the navigation menu code.

Use report-rich dashboards and views
Schedule delivery of dashboard PDF printouts via email

This documentation applies to the following versions of Splunk® Enterprise: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8 View the Article History for its revisions.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole
Feedback you enter here will be delivered to the documentation team

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters