Dashboards and Visualizations

 


Dashboard examples

This documentation does not apply to the most recent version of Splunk.

This topic shows the simple XML source code behind several example dashboards. After you become familiar with the simple XML source code, you can further customize the dashboards.


Basic dashboard

This basic dashboard illustrates the basic simple XML elements, as indicated in the commented code.



<dashboard>
  <!-- A title for the dashboard -->
  <label>Basic Dashboard</label>
  
  <!-- Provide a description -->
  <description>Illustrate the basic structures of a dashboard</description>

  <!-- Place panels within rows -->
  <row>
    
    <!-- This basic dashboard has only a single panel -->
    <table>
      <title>Top Sourcetypes (Last 24 hours)</title>

      <!-- A search powers the panel -->
      <searchString>
        index=_internal | top limit=100 sourcetype | eval percent = round(percent,2)
      </searchString>

      <!-- Specify a time range for the search -->
      <earliestTime>-24h@h</earliestTime>
      <latestTime>now</latestTime>

      <!-- Use options to further define how to display result data -->
      <option name="wrap">true</option>
      <option name="rowNumbers">true</option>
    </table>
  </row>

</dashboard>

Searches power panels

This dashboard illustrates an inline search, a search saved as a report, and an inline search derived from a pivot.


<dashboard>
  <label>Searches power panels</label>
  <description>Show the various searches to power a panel.</description>
  
  <!-- This row contains three panels -->
  <row>
    <table>
      <title>(Inline Search) Top Sourcetypes</title>
      
      <!-- Inline Search -->
      <searchString>
        index=_internal | top limit=100 sourcetype
        | eval percent = round(percent,2)
      </searchString>
      
      <earliestTime>-24h@h</earliestTime>
      <latestTime>now</latestTime>
      <option name="rowNumbers">true</option>
    </table>
    
    <chart>
      <title>(Report) Top Sourcetypes</title>
      
      <!-- Reference to a search saved as a report -->
      <searchName>top_source_types_report</searchName>
      <option name="charting.chart">bar</option>
    </chart>
    
    <chart>
      <title>(Pivot)  Game Purchases</title>
      
      <!-- Inline search derived from a pivot -->
      <searchString>
        | pivot Buttercup_Games Successful_purchases count(Successful_purchases)
        AS "Count of Successful purchases" SPLITROW product_name
        AS "product name" SORT 100 product_name
      </searchString>      
      <option name="charting.chart">pie</option>
    </chart>
  </row>
</dashboard>

Use panels to visualize search results

Splunk provides various visualizations you can use to view search results. You can display results in a table (or event listing) or in various charts. To display a chart, use the <chart> element and specify the chart type with the <option> child element.



<dashboard>
  <label>Use charts to visualize results</label>
  <description>Show a selection of visualizations from the same search</description>
  <row>
    <!-- Display results as a table -->
    <!-- Uses an inline search, equivalent to the <searchName> specified for the other panels-->
    <table>
      <title>Top Sourcetypes (Table)</title>
      <searchString>
        index=_internal | top limit=100 sourcetype
      </searchString>
      <earliestTime>-24h@h</earliestTime>
      <latestTime>now</latestTime>
    </table>
    
    <!-- display same search as various charts -->
    <chart>
      <title>Top Sourcetypes (Bar chart)</title>
      <searchName>top_source_types_report</searchName>
      <!-- specify the chart type with this <option> to <chart> -->
      <option name="charting.chart">bar</option>
    </chart>
    
    <chart>
      <title>Top Sourcetypes (Column chart)</title>
      <searchName>top_source_types_report</searchName>
      <option name="charting.chart">column</option>
    </chart>
  </row>
  <row>
    <chart>
      <title>Top Sourcetypes (Pie)</title>
      <searchName>top_source_types_report</searchName>
      <option name="charting.chart">pie</option>
    </chart>
    <chart>
      <title>Top Sourcetypes (Line chart)</title>
      <searchName>top_source_types_report</searchName>
      <option name="charting.chart">line</option>
    </chart>
    <chart>
      <title>Top Sourcetypes (Area chart)</title>
      <searchName>top_source_types_report</searchName>
      <option name="charting.chart">area</option>
    </chart>
  </row>
</dashboard>

Dashboard with real time search

You can build a real-time dashboard using the Splunk Dashboard Editor or by coding the dashboard in simple XML. This example shows how to code the simple XML.

Use the <earliestTime> and <latestTime> elements to enable real-time searching. For example, if you want to enable real-time searching and display the data in a table, specify the following:

<table>

   <title>Look here for errors</title>
   <searchString>
     error OR failed OR severe 
     OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
   </searchString>
   <fields>host, source, errorNumber</fields>
   <earliestTime>rt</earliestTime>
   <latestTime>rt</latestTime>

</table>

You can also set a window for the real-time dashboard. For example, to show real-time events from only the last 5 minutes, specify the following:

<table>
    <title>Look here for errors during the last 5 minutes</title>
    <searchString>
      error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
    </searchString>
    <fields>host, source, errorNumber</fields>
    <earliestTime>rt-5m</earliestTime>
    <latestTime>rt</latestTime>
</table>

For more information on setting a search window, see Specify real-time time range windows in your search in the Search Manual.
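The following added example (not part of the original Splunk documentation) parses a simple XML dashboard and reports, for each panel, whether it is powered by an inline search or a report and whether its time range is historical, windowed real-time, or real-time without a window. The sample dashboard is constructed for illustration, and the function names `classify_range` and `audit` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): one panel per case the audit distinguishes.
SAMPLE = """<dashboard>
  <label>Audit sample</label>
  <row>
    <table><title>Top Sourcetypes</title>
      <searchString>index=_internal | top limit=100 sourcetype</searchString>
      <earliestTime>-24h@h</earliestTime><latestTime>now</latestTime></table>
    <chart><title>Report panel</title>
      <searchName>top_source_types_report</searchName></chart>
  </row>
  <row>
    <table><title>Errors, last 5 minutes</title>
      <searchString>error OR failed OR severe</searchString>
      <earliestTime>rt-5m</earliestTime><latestTime>rt</latestTime></table>
    <table><title>All errors</title>
      <searchString>error OR failed OR severe</searchString>
      <earliestTime>rt</earliestTime><latestTime>rt</latestTime></table>
    <html><p>Static text, no search</p></html>
  </row>
</dashboard>"""

def classify_range(earliest, latest):
    """Label a time range from the text of <earliestTime> and <latestTime>."""
    e, l = (earliest or "").strip(), (latest or "").strip()
    if not e and not l:
        return "unspecified"          # no time range set on the panel itself
    if e.startswith("rt") or l.startswith("rt"):
        # "rt"/"rt" sets no window; "rt-5m"/"rt" is a sliding 5-minute window
        return "real-time" if (e, l) == ("rt", "rt") else "real-time window"
    return "historical"

def audit(xml_text):
    """Return one dict per search-driven panel, in document order."""
    findings = []
    for row_no, row in enumerate(ET.fromstring(xml_text).iter("row"), start=1):
        for panel in row:
            inline, report = panel.findtext("searchString"), panel.findtext("searchName")
            if inline is None and report is None:
                continue              # <html> and other panels without a search
            findings.append({
                "row": row_no, "panel": panel.tag,
                "title": (panel.findtext("title") or "").strip(),
                "source": "inline" if inline is not None else "report",
                "range": classify_range(panel.findtext("earliestTime"),
                                        panel.findtext("latestTime")),
            })
    return findings
```

Run `audit()` over exported dashboard source to get an inventory of which panels keep a real-time search running and which rely on a report's own settings.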

Specify properties for panels

Simple XML provides a set of elements that define properties that can be applied to all panels. For properties specific to certain types of panels (for example, <chart> or <map>), Splunk uses the <option> element to specify a property.

The use of a specific element or the <option> element varies. Consult the Simple XML Reference and Chart Configuration Reference for details on specifying panel properties.


The following table summarizes some of the elements available for all panels.

Tag              Description
<title>          String. Add a title to your panel, such as Failed logins. The title displays at the top of the panel.
<earliestTime>   Splunk time format. Restrict search results to a specific time window, starting with the earliestTime. Specify "rt" to enable real-time searches.
<latestTime>     Splunk time format. Restrict search results to a specific time window, ending with the latestTime. Specify "rt" to enable real-time searches.


The following example of a panel with a <chart> element shows how to specify a title and an inline search. It restricts search results to a 5-hour window and to three fields:

<dashboard>
 <label>My dashboard</label>
  <row>

   <chart>
    <title>Top users, five hours ago</title>
    <searchString>host=production | top users</searchString>
    <earliestTime>-10h</earliestTime>
    <latestTime>-5h</latestTime>
    <fields>host,ip,username</fields>
   </chart>

  </row>
</dashboard>


The following example specifies various properties with the <option> element for a <table>.

<dashboard>
 <label>My dashboard</label>
 <row>

    <table>
      <searchName>Errors in the last 24 hours</searchName>
      <title>Errors in the last 24 hours</title>
      <option name="count">15</option>
      <option name="displayRowNumbers">true</option>
      <option name="maxLines">10</option>
      <option name="segmentation">outer</option>
      <option name="softWrap">true</option>
    </table>

  </row>
</dashboard>


The following example specifies a column chart visualization, with display names for the X and Y axes.

<dashboard>
 <label>My dashboard</label>
 <row>

    <chart>
      <searchString>
          sourcetype=access_* method=GET | timechart count by categoryId 
          | fields _time BOUQUETS FLOWERS
      </searchString>
      <title>Views by product category, past week (Stacked)</title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
      <!-- timechart puts _time on the X axis and the count on the Y axis -->
      <option name="charting.axisTitleX.text">Date</option>
      <option name="charting.axisTitleY.text">Views</option>
      <option name="charting.chart">column</option>
    </chart>

  </row>
</dashboard>

Use the HTML panel to display static text

The HTML panel displays inline HTML. Use the HTML panel to add documentation, links, images, and other Web content to a dashboard.

Splunk displays the contents between the HTML tags according to the specified HTML formatting. Relative link references are relative to the current view location. The HTML panel does not use any of the other general panel options and there are no specific options to set for HTML.

For details on using HTML panels, refer to the <html> element entry in the Simple XML Reference.




In the following example, each anchor tag links to a system report using the special Splunk locator @go?s=

. . .
<row>
  <html>
    <p>This is an <i><b>HTML panel</b></i> providing links to system reports.</p>
    <ul>
      <li>
        <p><a href="@go?s=Errors in the last hour">Errors in the last hour</a></p>
      </li>
      <li>
        <p><a href="@go?s=Indexing workload">Indexing workload</a></p>
      </li>
      <li>
        <p><a href="@go?s=License Usage Data Cube">License Usage</a></p>
      </li>
    </ul>
  </html>
  . . .
</row>

Configure a dashboard with dynamic drilldown

Dynamic drilldown allows you to specify another Splunk view or a web page to link to from a field in the search results. To implement dynamic drilldown in a dashboard, do the following:

  • Add a <drilldown> tag to the visualization listing search results.
  • Within the <drilldown> tag, add one or more <link> tags.
  • Within each <link> tag, specify either a Splunk view or web site to link to.
  • Specify the value of the results to use for the drilldown action. For example:
    • Specify a field name that can be used as a sourcetype for a Splunk view.
    • Specify a value that can be passed to a website.

See Dynamic drilldown in dashboards and forms for detailed examples.
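Because a drilldown link can point at either a Splunk view or an outside web site and can carry a result value with it, the following added example (not part of the original Splunk documentation) lists every `<drilldown>` `<link>` in a dashboard and singles out the links that pass values to an external host. The sample dashboard, the view path, the host `tickets.example.com` and the `$...$` token form are constructed assumptions, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample (not from the page). The view path, the external host and
# the $...$ value tokens are illustrative assumptions.
SAMPLE = """<dashboard>
  <label>Drilldown sample</label>
  <row>
    <table><title>Events by sourcetype</title>
      <searchString>index=_internal | stats count by sourcetype</searchString>
      <drilldown>
        <link>/app/search/example_view?form.sourcetype=$row.sourcetype$</link>
      </drilldown></table>
    <chart><title>Errors by host</title>
      <searchString>error | stats count by host</searchString>
      <drilldown>
        <link>https://tickets.example.com/search?q=$click.value$</link>
      </drilldown></chart>
    <table><title>No drilldown</title>
      <searchString>index=_internal | top sourcetype</searchString></table>
  </row>
</dashboard>"""

TOKEN = re.compile(r"\$([^$\s]+)\$")  # assumed $name$ form for result values

def drilldown_links(xml_text):
    """Return one dict per <drilldown><link>, with its target classified."""
    out = []
    for row in ET.fromstring(xml_text).iter("row"):
        for panel in row:
            for link in panel.findall("drilldown/link"):
                target = (link.text or "").strip()
                parts = urlsplit(target)
                external = bool(parts.netloc)  # absolute or //host URL
                out.append({
                    "panel": (panel.findtext("title") or panel.tag).strip(),
                    "target": target,
                    "kind": "web site" if external else "splunk view",
                    "host": parts.hostname if external else None,
                    "values_sent": TOKEN.findall(target),
                })
    return out

def external_value_flows(xml_text):
    """Links that hand result values to a host outside Splunk."""
    return [d for d in drilldown_links(xml_text)
            if d["kind"] == "web site" and d["values_sent"]]
```

Reviewing the output of `external_value_flows()` shows which field values leave Splunk in a URL when a user clicks a result, and to which host.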

This documentation applies to the following versions of Splunk: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5

