Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Add a custom dashboard

The Splunk App for Enterprise Security includes a set of default dashboards pre-configured for use. You may want to modify these dashboards for your deployment, or create entirely new dashboards to reflect your security situation.

Use the Navigation editor to add or reconfigure dashboards in your deployment. See "Navigation" in the Splunk App for Enterprise Security Installation and Configuration Manual for more information. See the list of available dashboards in the same manual.

Create a custom dashboard

The Splunk App for Enterprise Security provides a number of dashboards for different aspects of your Enterprise Security. Each dashboard (or dashboard) in the Splunk App for Enterprise Security has an XML file (for instance es_malware_activity.xml) that describes what information is used in the dashboard, which notable events provide the data, and how that data is displayed. These dashboards are included as part of the app.

To add a custom dashboard to your deployment, first you need to create the XML file for your dashboard. To create your custom dashboard XML file (your_dashboard.xml), follow the instructions in the following Splunk document:

For detailed information about how to create a custom dashboard, see "Create and edit dashboards via the UI" in the Data Visualizations Manual in the Splunk Enterprise documentation.

Add the dashboard to the navigation (menu bar)

To add your custom dashboard (your_dashboard.xml) to the app, you need to add it to the navigation XML file. The menu items in the app are referenced in the navigation XML file. Each app has only one navigation file. To have the new dashboard show up in the correct place in the app navigation (or correct location in the menu bar), the custom dashboard must be referenced in the correct domain section of the navigation XML file ($SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/data/ui/nav/default.xml). You must associate the new dashboard with a domain.

1. To add your custom dashboard to the navigation file, in Splunk, go to Settings > User interface > Navigation menus.

2. Select default next to SplunkEnterpriseSecuritySuite. An editor will display the navigation file for the Splunk App for Enterprise Security (nav.xml.

3. Choose the domain for the new dashboard. This is the location in the default.xml file where you reference your custom dashboard file (your_dashboard.xml).

A dashboard is associated (or categorized) with a domain within the app. In the Splunk App for Enterprise Security, these categories are shown in the dashboards tab. The categories are:

  • Access
  • Endpoint
  • Network
  • Identity
  • Audit

Within the navigation file (default.xml), the categories look like this: 

<nav>
	…
	…

	<collection label="Access">
	  	…
	 	…
	  <view name="default_accounts"/>
              <!--ADD HERE-->
	</collection>
	
	<collection label="Endpoint">
		…
	            …
	           <view name="update_profiler"/>
                       <!--ADD HERE-->
	</collection>
	
	<collection label="Network">
		…
		…
		<view name="port_protocol_tracker"/>
                <!--ADD HERE-->
	</collection>
	
	<collection label="Identity">
		…
		…
		<view name="session_center"/>
                        <!--ADD HERE-->
	</collection>
	
	<collection label="Audit">
		…
		…
         <view name="search_auditing" />
                       <!--ADD HERE-->
		…
		…

	</collection>
</nav>
        
You can add a dashboard to any of the places in the file indicated with <!--ADD HERE-->.

3. Add the custom dashboard to the default.xml file and Save the file.

For example, to add your dashboard to Audit, add the path to the your_dashboard.xml file and the display name in default.xml as shown in the following code snippet: 


<collection label="Audit">
               <view name="search_auditing"/>
                    ...
                <a href='/app/SplunkEnterpriseSecuritySuite/your_dashboard.xml?category=es'>Your custom dashboard</a>
                    ...
</collection>

Click Save.

Note: When you open default.xml, you are looking and the default copy of the file. When you save, your changes are saved to a local version of the file.

4. Restart Splunk.

Note: Splunk must be restarted for the changes to be applied.

Your new custom dashboard will now show up in the Audit menu in the Splunk App for Enterprise Security. The new dashboard should be present in the dashboards list at Configure > Domains / Dashboards.

Warning: If you disable the custom dashboard in the Domains / Dashboards Navigation editor, you will need to manually re-add it to the $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/data/ui/nav/default.xml file. Make the custom view visible again by using Manager > User Interface > Nav Menus.

See the "Create and edit dashboards via the UI" in the core Splunk product documentation for more information.

Last modified on 01 July, 2014
Create new correlation searches   Advanced Filter

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters