Developing Dashboards, Views, and Apps for Splunk Web

 



This documentation does not apply to the most recent version of Splunk.

Saved searches and dashboards

Before you get started building a dashboard, you may want to build some saved searches. Familiarize yourself with Splunk's search language, create some searches that highlight the important aspects of your data and then integrate them into your dashboards. Saved searches are the most common developer configuration -- use them as a shortcut to common searches. Dashboards help you highlight saved searches in the form of charts, graphs and links. So figure out what your users are trying to do, and how you can facilitate their goals with saved searches. Then, add your saved searches to your dashboards. For example, if you're building a dashboard to highlight your site's Web traffic, make saved searches following referrer URIs, tracking download stats and showcasing other data available in your web logs.

Build searches

If you've never worked with Splunk's search language before, read the User Manual section on how to search and investigate. Build your searches to highlight the most relevant aspects of your data and support your users' end goals. If you're building a helpdesk dashboard, for example, figure out what your helpdesk team needs to get out of it. Then build searches that collect this information and present it to them in a useful way. Searches can contain statistical information rendered as charts and graphs, or just present a list of matching events.

Save searches

Once you've decided what you want your searches to look like, save them to run again. You can save searches from Splunk Web or within Splunk Manager, or create a savedsearches.conf in your app's directory. When building a dashboard, the best way to create a saved search is through Splunk Manager, within the same app as the dashboard you're building. That way, your search is contained within your app, and you can set permissions correctly so that app users can see the search.

When you first create a saved search via Splunk Manager (or Splunk Web), it is added to your user directory in $SPLUNK_HOME/etc/users/. Saved searches belong to an app when they are in that app's directory (specifically in $SPLUNK_HOME/etc/apps/<app_name>/default/savedsearches.conf). To share a saved search with all app users, or to add it to the app namespace, set permissions on that search:

1. Navigate to the Searches and reports page in your app in Splunk Manager.

2. Locate your saved search in the list view and click the Permissions link next to it.

3. Click the box to Share saved search. This moves the search from your user directory to the app's directory.

4. Optionally set read/write permissions for users in the access control list. Make sure everyone who will be using your dashboard has read permission for any searches shared in that dashboard.
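
The read-permission check in step 4 can also be run against the app's files; the Python below is an added example, not part of the Splunk documentation. It assumes the app's access control lists are stored in metadata/default.meta in the form `access = read : [ ... ], write : [ ... ]` with URL-encoded stanza names; the search names, search strings and roles are constructed sample data, and a search with no matching ACL stanza is treated as unreadable.

```python
import re
from urllib.parse import unquote

# Constructed sample of an app's default/savedsearches.conf.
SAVEDSEARCHES_CONF = """\
[Top referrers]
search = sourcetype=access_combined | top referer

[Download stats]
search = sourcetype=access_combined uri=*.zip | timechart count
"""

# Constructed sample of the app's metadata/default.meta (assumed layout).
DEFAULT_META = """\
[]
access = read : [ admin ], write : [ admin ]

[savedsearches/Top%20referrers]
access = read : [ * ], write : [ admin ]
"""

def stanzas(text):
    """Parse .conf/.meta text into {stanza_name: {key: value}}."""
    out, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = out.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return out

def read_roles(meta, name):
    """Roles with read access; falls back from the search to [savedsearches] to []."""
    for stanza in ("savedsearches/" + name, "savedsearches", ""):
        access = meta.get(stanza, {}).get("access")
        if access:
            m = re.search(r"read\s*:\s*\[([^\]]*)\]", access)
            return {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()
    return set()

def unreadable_searches(conf_text, meta_text, role):
    """Saved searches in the app that `role` cannot read."""
    meta = {unquote(k): v for k, v in stanzas(meta_text).items()}
    return sorted(name for name in stanzas(conf_text)
                  if not {"*", role} & read_roles(meta, name))
```

Calling `unreadable_searches(SAVEDSEARCHES_CONF, DEFAULT_META, "user")` lists the searches a dashboard viewer with the hypothetical `user` role would be unable to load.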

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8

