Splunk default dashboards
Contents
Splunk default dashboards
Splunk's Search app comes packaged with a set of useful dashboards and views that also serve to demonstrate a few different configurations of our search and reporting modules. As such, they could help you come up with some ideas of how you might want to design some dashboards and views of your own.
Every page in a Splunk app is a view. For example, the core search page in the Search app is a default view that ships with that app. You can construct your own views as you design your own apps.
Dashboards are one of the most common types of views, and they are among the easiest to build. Each dashboard is made up of panels that can contain charts, tables, event lists, HTML, and text. Most panels are hooked up to searches that kick off when the dashboard is loaded, providing you with up-to-the-moment metrics and analysis. You can design dashboards to provide insight into just about any aspect of your IT data, from real-time breakdowns of online sales revenue to lists and charts detailing recent firewall attacks and other security concerns.
You can easily make simple dashboards. Use the Dashboard Editor to create new dashboards and edit existing ones. You can create dashboard panels that are based on saved searches and reports, rearrange a dashboard's panel order, and much more. For more information, see "Create and edit simple dashboards" in this manual.
To learn how to create more sophisticated dashboards, see the "Build dashboards" chapter of the Developer manual.
Summary dashboard
The Summary dashboard is the first thing you see as you enter the Search app. It provides a search bar and time range picker which you can use to input and run your initial search. Below that, you'll find some elemental indexing metrics for this instance of Splunk, all of which are generated by inline searches and saved searches linked to the dashboard. You'll find a count of the total amount of events indexed, and the timestamps for the earliest and latest events indexed.
You'll also see lists displaying the various sources, sourcetypes, and hosts indexed by your Splunk instance, ordered by the total amount of events indexed for each field. Select a list item to kick off a search for occurrences of that particular field.
Note: Keep in mind that index permissions are set at the role level. This means that viewers of the Summary dashboard can only see indexing information for indexes that they have permissions to see, according to their role. For more information about users, roles, and role-based index permissions, see the "Add and manage users" section of the Admin manual.
Not finding the events you're looking for?
When you add an input to Splunk, that input gets added relative to the app you're in. Some apps, like the *nix and Windows apps, write input data to a specific index (in the case of *nix and Windows, that is the os index). If you review the summary dashboard and you don't see data that you're certain is in Splunk, be sure that you're looking at the right index. You may want to add the index that an app uses to the list of default indexes for the role you're using. For more information about roles, refer to the topic about roles in the Admin Manual.
Status dashboards
The Search app includes five collections of dashboards that display different kinds of Splunk status information. You can find them under Status in the top-level navigation bar.
Note: These dashboards are only visible to users with Admin role permissions. For more information about users and roles, see the "Add and manage users" section of the Admin manual. the Admin manual. For more information about setting up permissions for dashboards, see the Knowledge Manager manual.
- Search activity - This dashboard collection provides at-a-glance info about search activity for your Splunk instance. You can find out when searches are running, the amount of load they're putting on the system, which searches are the most popular, which search views and dashboards are getting the most usage, and more.
- Index activity - This collection of dashboards expands upon the basic indexing statistics presented in the summary dashboard. You'll see the total events indexed (broken out by index), the top five indexed sourcetypes, the indexing rate by sourcetype over the past 24 hours, lists of indexing errors, and a number of other useful stats.
- Server activity - This small collection of dashboards provides metrics related to splunkd and Splunk Web performance. You'll find the numbers of errors reported, lists of the most recent errors, lists of timestamping issues and unhandled exceptions, a chart displaying recent browser usage, and more.
- Inputs activity - This dashboard displays information about your Splunk inputs. You can see your most recently processed files and your most recently ignored files.
- Scheduler activity - This collection of dashboards gives you insight into the work of the search scheduler, which ensures that both ad hoc and scheduled searches are run in a timely manner.
Advanced charting view
In the top-level navigation bar's Dashboards & Views list, you can find the Advanced Charting view. This example of view construction enables you to build charts without opening up a separate Report Builder window. Enter a search that uses reporting language into the search bar, and the resulting chart appears in the results area.
Manage views
The Manage views link in the Views list takes you to the Views page in Manager, where you can review and update the views that you have permission to manage, change their permissions, and add new views. To create or update views here you need to be familiar with XML and have an understanding of how views are developed in Splunk. For more information see the Developers manual.
Note: You can also get to the Views page by navigating to Manager > User interface > Views.
This documentation applies to the following versions of Splunk: 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.