Step 3: Add panels
Each row in a dashboard can contain up to three panels. Each panel contains a search (a saved search or an inline search specific to that panel) and a visualization of the results returned from that search. There's no limit to how many rows you can have in a dashboard.
The visualization can be any of the following:
- A table
- An event listing
- A list
- A chart
- A single value
- A gauge representing a single value
Panels can also display information coded for HTML. These panels do not have searches and visualizations associated with them.
See Visualization Reference, available in the Splunk User Manual, for details on tables, charts, single values, and gauges that you can use in a panel.
See Panel Reference for Simplified XML for details on implementation of various panels.
Add panels to rows
To add a panel to a row in a dashboard, add the tags defining the type of panel. The following example adds three panels: an event listing, a table, and a chart.
<dashboard>
<label>My dashboard</label>
<row>
<event>
. . .
</event>
<table>
. . .
</table>
<chart>
. . .
</chart>
</row>
</dashboard>
Configure panels
Configure panels by specifying the following:
- Search for the panel
- Properties available to all panels
- Properties specific to types of panels
Add a search
Searches can be a saved search or an inline search specific to that panel. Saved searches run on the schedule for the search. Inline searches run when the panel loads.
Saved search: Use the <searchName> tag to specify a saved search. Saved searches must be shared with all users and roles who access the dashboard. Any saved search for a panel must contain an entry in savedsearches.conf in the app's default or local directory, or the search must be shared globally with all apps.
Inline search: Use the <searchString> tag to specify an inline search. Inline searches run every time the dashboard is accessed. If you have a long running search, or there are many users accessing a dashboard, an inline search may create a high load on your Splunk instance. For inline searches you can optionally specify a time range for the search.
The following example shows a dashboard with two panels showing a saved search and an inline search. The inline search displays results from the last week. "Build a realtime dashboard" shows how to build a search with a realtime dashboard.
<dashboard>
<label>My dashboard</label>
<row>
<chart>
<searchName>My saved report</searchName>
</chart>
<chart>
<searchString>host=production | top users</searchString>
<earliestTime>-7d</earliestTime>
<latestTime>now</latestTime>
</chart>
</row>
</dashboard>
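The following Python check is an added example, not part of the Splunk documentation. It reads a dashboard's Simplified XML and reports the conditions described above that affect load: more than three panels in a row, inline searches with no time range, and realtime inline searches. It also lists the saved searches whose sharing you need to verify. The names audit_dashboard and SAMPLE and the sample dashboard are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MAX_PANELS_PER_ROW = 3  # limit stated on this page

# Constructed sample; parse only dashboards from your own app directories
# (use defusedxml instead of ElementTree for XML you do not control).
SAMPLE = """<dashboard>
<label>Constructed sample</label>
<row>
<chart><searchName>My saved report</searchName></chart>
<chart><searchString>host=production | top users</searchString></chart>
<table>
<searchString>host=production | top users</searchString>
<earliestTime>rt</earliestTime>
<latestTime>rt</latestTime>
</table>
<event>
<searchString>host=production</searchString>
<earliestTime>-7d</earliestTime>
<latestTime>now</latestTime>
</event>
</row>
</dashboard>"""

def audit_dashboard(xml_text):
    """Return (findings, saved_search_names) for one dashboard."""
    root = ET.fromstring(xml_text)
    findings, saved = [], []
    for r, row in enumerate(root.iter("row"), start=1):
        panels = list(row)  # every child of <row> is treated as a panel
        if len(panels) > MAX_PANELS_PER_ROW:
            findings.append(f"row {r}: {len(panels)} panels, limit is {MAX_PANELS_PER_ROW}")
        for p, panel in enumerate(panels, start=1):
            where = f"row {r} panel {p} <{panel.tag}>"
            name = (panel.findtext("searchName") or "").strip()
            inline = (panel.findtext("searchString") or "").strip()
            earliest = (panel.findtext("earliestTime") or "").strip()
            latest = (panel.findtext("latestTime") or "").strip()
            if name:
                saved.append(name)  # must be shared with every dashboard user
            if inline and not earliest:
                findings.append(f"{where}: inline search has no earliestTime")
            if inline and (earliest.startswith("rt") or latest.startswith("rt")):
                findings.append(f"{where}: realtime inline search")
    return findings, saved

if __name__ == "__main__":
    for line in audit_dashboard(SAMPLE)[0]:
        print(line)
```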
Properties available to all panels
Simplified XML provides a set of tags that define properties that can be applied to all panels. The following table summarizes some of these tags.
| Tag | Description |
|---|---|
| <title>title</title> | Add a title to your panel, such as Failed logins. This title displays at the top of the panel. |
| <fields>comma separated list of fields</fields> | Restrict your search results to specific fields. |
| <earliestTime>Splunk time format</earliestTime> | Restrict your search results to a specific time window, starting with the earliestTime. Specify "rt" to enable realtime searches. |
| <latestTime>Splunk time format</latestTime> | Restrict your search results to a specific time window, ending with the latestTime. Specify "rt" to enable realtime searches. |
The following example shows a panel with a chart visualization, a title, and an inline search. The search results are restricted to a 5 hour window and to three fields:
<dashboard>
<label>My dashboard</label>
<row>
<chart>
<title>Top users, five hours ago</title>
<searchString>host=production | top users</searchString>
<earliestTime>-10h</earliestTime>
<latestTime>-5h</latestTime>
<fields>host,ip,username</fields>
</chart>
</row>
</dashboard>
Properties specific to types of panels
Each type of panel has specific options that are available only to that type of panel. <option> tags define those properties, using the name attribute. For example, if you specify a panel with a table visualization, use the <option> tag to specify how many rows to display and whether to display row numbers.
The following example specifies options for a <table> panel.
<dashboard>
<label>My dashboard</label>
<row>
<table>
<searchName>Errors in the last 24 hours</searchName>
<title>Errors in the last 24 hours</title>
<option name="count">15</option>
<option name="displayRowNumbers">true</option>
<option name="maxLines">10</option>
<option name="segmentation">outer</option>
<option name="softWrap">true</option>
</table>
</row>
</dashboard>
The following example specifies a column chart visualization, with display names for the X and Y axes.
<dashboard>
<label>My dashboard</label>
<row>
<chart>
<searchString>
sourcetype=access_* method=GET | timechart count by categoryId
| fields _time BOUQUETS FLOWERS
</searchString>
<title>Views by product category, past week (Stacked)</title>
<earliestTime>-7d</earliestTime>
<latestTime>now</latestTime>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleY.text">Views</option>
<option name="charting.chart">column</option>
</chart>
</row>
</dashboard>
This documentation applies to the following versions of Splunk: 4.3