Add a custom dashboard
The Splunk App for Enterprise Security includes a set of default dashboards pre-configured for use. You may want to modify these dashboards for your deployment, or create entirely new dashboards to reflect your security situation.
Use the Navigation editor to add or reconfigure dashboards in your deployment. See "Navigation" in the Splunk App for Enterprise Security Installation and Configuration Manual for more information. See the list of available dashboards in the same manual.
Create a custom dashboard
The Splunk App for Enterprise Security provides a number of dashboards for different aspects of your Enterprise Security. Each dashboard (or dashboard) in the Splunk App for Enterprise Security has an XML file (for instance
es_malware_activity.xml) that describes what information is used in the dashboard, which notable events provide the data, and how that data is displayed. These dashboards are included as part of the app.
To add a custom dashboard to your deployment, first you need to create the XML file for your dashboard. To create your custom dashboard XML file (
your_dashboard.xml), follow the instructions in the following Splunk document:
For detailed information about how to create a custom dashboard, see "Create and edit dashboards via the UI" in the Data Visualizations Manual in the Splunk Enterprise documentation.
To add your custom dashboard (
your_dashboard.xml) to the app, you need to add it to the navigation XML file. The menu items in the app are referenced in the navigation XML file. Each app has only one navigation file. To have the new dashboard show up in the correct place in the app navigation (or correct location in the menu bar), the custom dashboard must be referenced in the correct domain section of the navigation XML file (
$SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/data/ui/nav/default.xml). You must associate the new dashboard with a domain.
1. To add your custom dashboard to the navigation file, in Splunk, go to Settings > User interface > Navigation menus.
2. Select default next to SplunkEnterpriseSecuritySuite. An editor will display the navigation file for the Splunk App for Enterprise Security (nav.xml.
3. Choose the domain for the new dashboard. This is the location in the
default.xml file where you reference your custom dashboard file (
A dashboard is associated (or categorized) with a domain within the app. In the Splunk App for Enterprise Security, these categories are shown in the dashboards tab. The categories are:
Within the navigation file (
default.xml), the categories look like this:
<nav> … … <collection label="Access"> … … <view name="default_accounts"/> <!--ADD HERE--> </collection> <collection label="Endpoint"> … … <view name="update_profiler"/> <!--ADD HERE--> </collection> <collection label="Network"> … … <view name="port_protocol_tracker"/> <!--ADD HERE--> </collection> <collection label="Identity"> … … <view name="session_center"/> <!--ADD HERE--> </collection> <collection label="Audit"> … … <view name="search_auditing" /> <!--ADD HERE--> … … </collection> </nav> You can add a dashboard to any of the places in the file indicated with <!--ADD HERE-->.
3. Add the custom dashboard to the
default.xml file and Save the file.
For example, to add your dashboard to Audit, add the path to the
your_dashboard.xml file and the display name in
default.xml as shown in the following code snippet:
<collection label="Audit"> <view name="search_auditing"/> ... <a href='/app/SplunkEnterpriseSecuritySuite/your_dashboard.xml?category=es'>Your custom dashboard</a> ... </collection>
Note: When you open
default.xml, you are looking and the
default copy of the file. When you save, your changes are saved to a
local version of the file.
4. Restart Splunk.
Note: Splunk must be restarted for the changes to be applied.
Your new custom dashboard will now show up in the Audit menu in the Splunk App for Enterprise Security. The new dashboard should be present in the dashboards list at Configure > Domains / Dashboards.
Warning: If you disable the custom dashboard in the Domains / Dashboards Navigation editor, you will need to manually re-add it to the
$SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/data/ui/nav/default.xml file. Make the custom view visible again by using Manager > User Interface > Nav Menus.
See the "Create and edit dashboards via the UI" in the core Splunk product documentation for more information.
Create new correlation searches
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3