Step 3: add panels
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Step 3: add panels
Panels fit within rows and contain the various elements, or panel types, you'll display on your dashboard. A panel can contain one of the following:
- A table
- A chart
- A list
- A single value
- An event listing
- HTML
Add panels to rows
You've added a row to your dashboard in step 2. Now, add panels into those rows. Panels fit within rows, like this:
<dashboard> <label>My dashboard</label> <row> <chart> ... </chart> </row> </dashboard>
This creates a dashboard with a single row, and a single chart within that row.
You can fit up to three panels within a row. There's no limit to how many rows you can have in a dashboard. Here's an example with two rows and three panels within each row:
<dashboard> <label>My dashboard</label> <row> <chart> ... </chart> <table> ... </table> <event> ... </event> </row> <row> <list> ... </list> <single> ... </single> <html> ... </html> </row> </dashboard>
Configure panels
Once you've added the panels you want, you can further customize them by adding a search, configuring options and more.
Add a search
Most panels (chart, table, list, single button, event viewer) are built from a search. The search can be a saved search that runs on a schedule or an inline search that runs when the dashboard loads.
Use a saved search
To add a saved search to your panel, use the searchName attribute, and specify the name of the saved search. For example, this snippet creates a chart that is fed by data from a saved search named "My saved report":
<dashboard> <label>My dashboard</label> <row> <chart> <searchName>My saved report</searchName> </chart> </row> </dashboard>
Saved searches that you use for your panels must be shared with all users and roles who access the dashboard. Any saved search referenced by panels must exist in savedsearches.conf in the app's default or local directory or be shared globally with all apps.
Use an inline search
If you want to create an inline search for your dashboard, you can add it to the dashboard XML with the <searchString> tag. This example creates a chart that is fed data from a search for host=production | top users:
<dashboard>
<label>My dashboard</label>
<row>
<chart>
<searchString>host=production | top users</searchString>
</chart>
</row>
</dashboard>
Note that this method runs your search every time your dashboard is loaded. If you have a long running search or a lot of users accessing this dashboard, using an inline search may create a high load on your Splunk system.
The following options are available to all panels:
title = title
- Add a title to your panel, such as Failed logins. This title display at the top of the panel.
fields = comma separated list of fields
- Restrict your search results to specific fields.
earliestTime = Splunk time format
- Restrict your search results to a specific time window, starting with the earliestTime.
latestTime = Splunk time format
- Restrict your search results to a specific time window, ending with the latestTime.
For example, this chart has a title, is restricted to a specific time window of five hours ago and is restricted to three fields:
<dashboard>
<label>My dashboard</label>
<row>
<chart>
<title>Top users, five hours ago</title>
<searchString>host=production | top users</searchString>
<earliestTime>-10h</earliestTime>
<latestTime>-5h</latestTime>
<fields>host,ip,username</fields>
</chart>
</row>
</dashboard>
Panel specific options
All panels also have specific options that are only available to that panel. These are set within an <option name="$OPTION"> tag. For example, this code snippet changes the height of a chart from the default 180 pixels to 200 pixels:
<dashboard>
<label>My dashboard</label>
<row>
<chart>
<searchName>My saved report</searchName>
<option name="height">200</option>
</chart>
</row>
</dashboard>
Now, pick the panels you want to add to your dashboard and learn how to customize them in the following sections.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.