Splunk® Enterprise

Developing Dashboards, Views, and Apps for Splunk Web


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Add a single value and gauges

The single value panel displays a single value from search data as text on a button. If you base the visualization on a real-time search that returns a single value, the number displayed changes as the search interprets incoming data.

You can also specify single values as gauges, as described below.

Note: The single value visualization is best used with a search that returns a single value. If your search specifies multiple values, the single value visualization takes its number from the first row or first column of the search data.

You can change the color of the button depending on the value of the number it displays, creating a green/yellow/red visualization.

Configure a single value panel

The following example shows how to add a single value to a dashboard, recording the total number of logging events. It also displays text before and after the displayed value.

<dashboard>
 <label>My dashboard</label>
  <row>
    <single>
      <searchString>
          index=_internal source="*splunkd.log" ( log_level=ERROR 
          OR log_level=WARN* OR log_level=FATAL 
          OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="afterLabel">total logging events</option>
      <option name="beforeLabel">Found</option>
    </single>
  </row>
</dashboard>

Set the color of returned values

You can change the color displayed in the single value panel depending on the values returned from the search. To change colors on your single value panel, do the following:

  • Set up your search to use the rangemap command.
  • Add the classField option, setting the value to range.

Here is the same single value panel from the previous example, with color ranges set for green, yellow, and red.

<dashboard>
 <label>My dashboard</label>
  <row>
    <single>
      <searchString>
          index=_internal source="*splunkd.log" ( log_level=ERROR 
          OR log_level=WARN* OR log_level=FATAL 
          OR log_level=CRITICAL) | stats count as log_events 
          | rangemap field=log_events low=1-100 elevated=101-300 default=severe
      </searchString>
      <title>Log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="classField">range</option>
      <option name="afterLabel">total logging events</option>
      <option name="beforeLabel">Found</option>
    </single>
  </row>
</dashboard>
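
In the rangemap clause above, the low range starts at 1, so a count of 0 matches no named range and takes the default value, severe. The following Python sketch is an added example, not part of the Splunk documentation; it models the clause assuming integer, non-overlapping ranges with inclusive bounds, and its function names are hypothetical.

```python
import re

# rangemap clause copied from the page's example; the leading "..." stands
# for the rest of the search.
SEARCH = ("... | stats count as log_events "
          "| rangemap field=log_events low=1-100 elevated=101-300 default=severe")


def parse_rangemap(search):
    """Return (field, [(name, lo, hi), ...], default) from a rangemap clause."""
    clause = search.rsplit("| rangemap", 1)[1]
    field = re.search(r"\bfield=(\w+)", clause).group(1)
    ranges = [(name, int(lo), int(hi))
              for name, lo, hi in re.findall(r"\b(\w+)=(-?\d+)-(-?\d+)", clause)]
    default = re.search(r"\bdefault=(\w+)", clause)
    # rangemap falls back to the literal value "None" when no default is given.
    return field, ranges, default.group(1) if default else "None"


def classify(value, ranges, default):
    """Name of the first range containing value (inclusive bounds), else default."""
    for name, lo, hi in ranges:
        if lo <= value <= hi:
            return name
    return default


def uncovered(ranges, lo, hi):
    """Integers in [lo, hi] that no named range covers and so take the default."""
    return [v for v in range(lo, hi + 1)
            if not any(a <= v <= b for _, a, b in ranges)]


if __name__ == "__main__":
    field, ranges, default = parse_rangemap(SEARCH)
    for count in (0, 1, 100, 101, 300, 301):
        print(field, count, "->", classify(count, ranges, default))
    print("values taking the default inside 0-300:", uncovered(ranges, 0, 300))
```

Starting the low range at 0 (low=0-100) closes the gap, so a day with no matching log events is classified as low rather than severe.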

Configure button-specific options

For basic configuration of single value panels, refer to the "Single value panel entry" in the Panel reference for Simplified XML.

Panels displaying gauges

Gauge visualizations map a single numerical value against a range of colors that may have particular business meaning or logic. As the value changes over time, the gauge marker changes position within this range. Gauges provide a dynamic visualization for real-time searches – the fluctuating returned values cause the gauge marker to visibly bounce back and forth within the range.

Splunk provides three types of gauge visualizations: radial, filler, and marker. For more information, see "Gauges" in the Splunk Visualization Reference.

Gauges are a type of chart visualization. You use the <option> tag to specify the type of gauge. By default, gauges are displayed with a rich set of graphics (shiny). You can specify a minimal version of a gauge, which uses fewer graphics.

The following example illustrates all three gauges in a row on a dashboard. The first gauge is a radial gauge that displays minimal graphics. The others use the default shiny graphics. The gauges in this example use the same search for logging events that was used for a single value panel above. Typically, you use a real-time search for gauges.

<dashboard>
  <label>Gauges</label>
  <row>
    <chart>
      <option name="charting.chart">radialGauge</option>
      <option name="charting.chart.style">minimal</option>
      <option name="charting.chart.rangeValues">[0,100,300,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
      <searchString>
          index=_internal source="*splunkd.log" ( log_level=ERROR 
          OR log_level=WARN* OR log_level=FATAL 
          OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Splunk server log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
    </chart>

    <chart>
      <option name="charting.chart">fillerGauge</option>
      <option name="charting.chart.rangeValues">[0,100,300,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
      <searchString>
          index=_internal source="*splunkd.log" ( log_level=ERROR 
          OR log_level=WARN* OR log_level=FATAL 
          OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Splunk server log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
    </chart>

    <chart>
      <option name="charting.chart">markerGauge</option>
      <option name="charting.chart.rangeValues">[0,100,300,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
      <searchString>
          index=_internal source="*splunkd.log" ( log_level=ERROR 
          OR log_level=WARN* OR log_level=FATAL 
          OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Splunk server log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
    </chart>    
  </row>
</dashboard>
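
The gauges above pair four range values with three colors, one color for each band between consecutive values. The following Python check is an added example, not part of the Splunk documentation; it lints a dashboard's gauge charts for that relationship, using a constructed dashboard whose second chart is deliberately inconsistent, and its function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: first chart trimmed from the page's example,
# second chart deliberately broken.
DASHBOARD = """<dashboard>
  <row>
    <chart>
      <option name="charting.chart">radialGauge</option>
      <option name="charting.chart.rangeValues">[0,100,300,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
      <title>Splunk server log events</title>
    </chart>
    <chart>
      <option name="charting.chart">markerGauge</option>
      <option name="charting.chart.rangeValues">[0,300,100,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800]</option>
      <title>Broken gauge</title>
    </chart>
  </row>
</dashboard>"""


def items(text):
    """Split a bracketed option value such as "[0,100,300]" into its tokens."""
    return [t.strip() for t in text.strip().strip("[]").split(",") if t.strip()]


def lint_gauges(xml_text):
    """Return (title, problem) pairs for gauge charts with inconsistent options."""
    problems = []
    for chart in ET.fromstring(xml_text).iter("chart"):
        opts = {o.get("name"): (o.text or "") for o in chart.findall("option")}
        if not opts.get("charting.chart", "").endswith("Gauge"):
            continue  # not a gauge chart
        title = chart.findtext("title", default="(untitled)")
        values = [float(v) for v in items(opts.get("charting.chart.rangeValues", ""))]
        colors = items(opts.get("charting.gaugeColors", ""))
        if any(b <= a for a, b in zip(values, values[1:])):
            problems.append((title, "rangeValues not strictly increasing"))
        if values and colors and len(colors) != len(values) - 1:
            problems.append((title, "need one color per band"))
    return problems


if __name__ == "__main__":
    for title, problem in lint_gauges(DASHBOARD):
        print(f"{title}: {problem}")
```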

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

