Splunk® Enterprise

Dashboards and Visualizations

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Using events lists

Add an events list to a dashboard to give users access to the events, fields, and values generated by a search. An events list does not abstract or process search results like a chart or other visualization does.

Generate an events list

The content in an events list depends on the search that you run. There are no additional data format requirements.

Prerequisites
Review Configuration options.

Steps

  1. From the Search page, run a search.
  2. Select the Events tab to view the events list.
  3. (Optional) Select Save As > Dashboard panel to add the events list to a dashboard.
  4. (Optional) Use the Format menu or Simple XML to configure the events list.

Configuration options

Use the Format menu to configure one or more of the following events list components. You can also adjust these components and make additional configurations using Simple XML.

Display and format options

Use the following settings to adjust events list appearance.

  • Choose an events display option.
    • List (default): Show timestamps for each event separately.
    • Raw: Show raw events.
    • Table: Display events as a table. This format is different from the Statistics table visualization.
  • Configure row numbers, wrapping, and maximum lines

Drilldown

Use the drilldown editor and/or Simple XML to enable and configure drilldown on an events list. See Use drilldown for dashboard interactivity for more details on enabling and configuring drilldown.

When configuring drilldown on an events list in Simple XML, you can specify one of the following drilldown settings to provide different segment selection options.

Drilldown setting Segmenting option enabled for users Example
Full Select a major segment or one or more contiguous minor segments.

The first example shows a minor segment selection. The second example shows a major segment selection.
Viz drilldownEventFull2.png

Viz drilldownEventFull.png
Inner Select a single minor segment. Viz drilldownEventInner.png
Outer Select a complete major segment. Viz drilldownEventOuter.png
None Disables drilldown (default)

Note: Event segmentation processing for events with long single lines of text can cause browser performance issues.

For more details, see Types of event segmentation in the Knowledge Manager Manual.

Use case scenario

An admin uses an events list to give users access to recent notable system events. To generate the events list, the admin runs the following search.

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )

The admin adds the events list to a dashboard tracking system status. Dashboard users can click on event fields or a timestamp in the list to open a search using the clicked content.

7.1 use case scenario.png

For example, clicking on the /opt/splunk/var/log/splunk/splunkd.log source value in an event opens the following search in a new window.

* source="/opt/splunk/var/log/splunk/splunkd.log"

Last modified on 21 September, 2022
Data structure requirements for visualizations   Table visualization overview

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters