Splunk® Enterprise

Developing Dashboards, Views, and Apps for Splunk Web

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Dashboards: An introduction

A dashboard is a view containing one or more panels that display visualizations of data, such as tables, charts, and graphs. Dashboard panels typically retrieve data from an inline search or a saved search.

Dashboards live within apps, which means you can set permissions on a dashboard the same way you can with a saved search, event type, or other object. Once you build a dashboard you can navigate directly to it. For example,

http://localhost:8000/en-US/<app>/<app_name>/<dashboard_name>

Why build a dashboard?

Dashboards are useful for customizing the display of data to a user. You can use dashboards to highlight interesting and useful aspects of your data, link to important searches, and display common reports.

For example, you can create a console for network operations console that provides an overview of the entire network, highlights which machines are down, and sends notifications of firewall violations.

How to build a dashboard

A dashboard contains panels organized by rows. Each row can contain one, two, or three panels. Each panel contains a search and a visual summary of that search.

Splunk provides tooling that lets you interactively create and edit basic dashboards without having to write a single line of XML code upon which the dashboard is based.

Use the Splunk Dashboard Editor to create a dashboard and layout its panels. Use the Search Editor to specify the search for each panel. Use the Visualization Editor to modify how to display the data in a panel. "Create and edit simple dashboards" and "Edit dashboard panel visualizations", both in the Splunk User manual, describe how to interactively create a dashboard.

Searches and dashboards

Panels within a dashboard are based on searches and reports. Much of the work in building a dashboard is designing searches and reports that highlight interesting data for your users.

You can specify a saved search or an inline search for a panel. If you specify a saved search, Splunk uses the most recent results from that search. If you set up a search to run on a schedule, the panel displays cached results form the search. Use saved searches if you have many long running searches or you expect many users to use the dashboard simultaneously.

Use an inline search to display results in real time. You specify an inline searches directly in the implementation of a panel.

To learn more about using saved searches in dashboards, read the next section: Saved searches and dashboards.

Create and edit dashboards using Simplified XML

Often you need to edit the underlying Simplified XML to go beyond the basic dashboards created with the editing tools. Splunk provides an XML editor to help you edit the underlying XML. You can also use any XML editor of your choice.

Here are a few reasons you may want to go beyond basic dashboard implementation to edit the underlying Simplified XML:

  • Specify color values for Single Values
  • Customize the appearance of charts, tables, lists, and other visualizations
  • Add radio buttons, drop-down menus, and other UI items

You can also create a dashboard from scratch, coding the implementation using Simplified XML.

Panels available for dashboards

With Simplified XML, you can specify the type of visualization to display in a panel. The visualizations available include the following:

  • Charts
  • Tables
  • Lists
  • Single button
  • Events
  • HTML

The panel reference lists all visualizations plus includes examples of the underlying Simplified XML.

Advanced XML

Most of the documentation in this manual describes creating and editing dashboards using Simplified XML. Simplified XML sits on top of Splunk's Advanced XML implementation. Complex dashboards and apps might need to leverage functionality only available from Advanced XML. For example, if you want to create a single search that is used by all panels in a dashboard, you have to implement the dashboard in Advanced XML.

You can always convert Simplified XML to Advanced XML. However, you cannot later go back to Simplified XML. Splunk recommends that you start advanced projects in Simplified XML, and then convert them later to Advanced XML to add the more complex features.

"Introduction to advanced views" in this manual provides details on editing Advanced XML.

For example, if you want to create a single search for a whole dashboard, you can implement postProcess search in Advanced XML, as described in How to use one search for a whole dashboard.

To convert Simplified XML to Advanced XML use the showsource URI:

http://localhost:8000/en-US/app/<app_name>/<dashboard_name>?showsource=true
PREVIOUS
Use cases for this manual
  NEXT
Saved searches and dashboards

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters