Splunk® Enterprise

Developing Dashboards, Views, and Apps for Splunk Web

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Dashboard example

This dashboard example contains several rows illustrating various panels you can create with SimplifiedXML.

Note: Because this dashboard illustrates grouping of panels, you cannot edit this dashboard in the Splunk Dashboard Editor.

First row

  • HTML panel Displays a basic message and lists a few links to saved searches.
  • Table panel Displays high CPU usage in the past hour, specifying 10 rows of data, no row numbers, and overlaying a heat map to highlight high values.
  • Event panel Displays results of a saved search as a listing of events. Displays 5 rows of results at a time, and wrapping of events is off.
<dashboard>
  <label>Dashboard example</label>
  <row>

    <html>
      <p>This is an <i><b>HTML panel</b></i> providing links to saved searches.</p>
      <ul>
        <li><a href = "@go?s=Errors in the last 24 hours">Errors in the last 24 hours</a></li>
        <li><a href = "@go?s=My second search">Errors in the last hour</a></li>
        <li><a href = "@go?s=My second search">Splunk errors last 24 hours</a></li>
       </ul>
    </html>

    <table>
      <title>High CPU processors in the last hour</title>
      <searchString>
          index="_internal" source="*metrics.log" group="pipeline" 
          | chart sum(cpu_seconds) over processor 
          | sort -sum(cpu_seconds) | rename sum(cpu_seconds) as "Total CPU Seconds"
       </searchString>
      <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
      <option name="count">10</option>
      <option name="dataOverlayMode">heatmap</option>
      <option name="displayRowNumbers">false</option>
      <option name="showPager">true</option>
    </table>

    <event>
      <searchName>Errors in the last 24 hours</searchName>
      <title>Errors in the last 24 hours</title>
      <option name="count">5</option>
      <option name="displayRowNumbers">true</option>
      <option name="maxLines">10</option>
      <option name="segmentation">outer</option>
      <option name="softWrap">false</option>
    </event>

   </row>

   . . .

Second row

  • Column chart panel Displays a chart as stacked columns, providing labels for the X and Y axes. The inline search is derived from a version of the Splunk tutorial.
  • Pie chart panel Displays the same search as the column chart panel, but as a pie chart.
   . . . 

  <row>
    <chart>
      <searchString>
        sourcetype=access_* method=GET | timechart count by categoryId 
        | fields _time BOUQUETS FLOWERS
      </searchString>
      <title>Views by product category, past week (Stacked)</title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.axisTitleX.text">Views</option>
      <option name="charting.axisTitleY.text">Date</option>
      <option name="charting.chart">column</option>
      <option name="charting.primaryAxisTitle.text"></option>
      <option name="charting.secondaryAxisTitle.text"></option>
      <option name="count">10</option>
      <option name="displayRowNumbers">true</option>
    </chart>
    <chart>
      <searchString>
        sourcetype=access_* method=GET | timechart count by categoryId 
        | fields _time BOUQUETS FLOWERS
      </searchString>
      <title>Views by product category, past week (Pie Chart)</title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">pie</option>
      <option name="count">10</option>
      <option name="displayRowNumbers">true</option>
    </chart>
  </row>
   . . .

Third row

This row illustrates various ways to display single values, and provides an example of a panel grouping.

  • Radial gauge panel Displays a radial gauge for an inline search checking all Splunk server log events.
  • Single value button grouped with a marker gauge chart panel Uses the same search as the radial gauge. Note that specifying colors for a single value differs from the gauge charts.
   . . . 
   <row grouping="1,2" >
    <chart>
      <searchString>
        index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN* 
        OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Splunk server log events (Radial Gauge)</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">radialGauge</option>
      <option name="charting.chart.rangeValues">[0,100,300,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
    </chart>
     
    <single>
      <searchString>
         index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN*
         OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events 
         | rangemap field=log_events low=1-100 elevated=101-300 default=severe
      </searchString>
      <title>Log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="classField">range</option>
      <option name="afterLabel">total logging events</option>
      <option name="beforeLabel">Found</option>
    </single>

    <chart>
      <searchString>
        index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN*
        OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Splunk server log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">markerGauge</option>
      <option name="charting.chart.rangeValues">[0,100,300,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
    </chart>
  </row>

</dashboard>

PREVIOUS
Build a real-time dashboard
  NEXT
Forms: An introduction

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters