Splunk® Enterprise

Developing Dashboards, Views, and Apps for Splunk Web

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Step 3: Add panels

Each row in a dashboard can contain up to three columns. Typically, you place a single panel within a column. Each panel contains a search (a saved search or an inline search specific to that panel) and a visualization of the results returned from that search. There's no limit to how many rows you can have in a dashboard.

The visualization can be any of the following:

  • A table
  • An event listing
  • A list
  • A chart
  • A single value
  • A gauge representing a single value

Panels can also display information coded for HTML. These panels do not have searches and visualizations associated with them.

See Visualization Reference, available in the Splunk User Manual, for details on tables, charts, single values, and gauges that you can use in a panel.

See Panel Reference for Simplified XML for details on implementation of various panels.

Add panels to rows

To add a panel to a row in a dashboard, add the tags defining the type of panel. The following example adds three panels: an event listing, a table, and a chart.

<dashboard>
 <label>My dashboard</label>
  <row>
   <event>
   . . .
   </event>
   <table>
   . . .
   </table>
   <chart>
   . . .
   </chart>
  </row>
</dashboard>

Configure panels

Configure panels by specifying the following:

  • Search for the panel
  • Properties available to all panels
  • Properties specific to types of panels

Add a search

Searches can be a saved search or an inline search specific to that panel. Saved searches run on the schedule for the search. Inline searches run when the panel loads.

Saved search Use the <searchName> tag to specify a saved search. Saved searches must be shared with all users and roles who access the dashboard. Any saved search for a panel must contain an entry in savedsearches.conf in the app's default or local directory, or the search must be shared globally with all apps.

Inline search Use the <searchString> tag to specify an inline search. Inline searches run every time the dashboard is accessed. If you have a long running search, or there are many users accessing a dashboard, an inline search may create a high load on your Splunk instance. For inline searches you can optionally specify a time range for the search.

The following example shows a dashboard with two panels showing a saved search and an inline search. The inline search displays results from the last week. "Build a real-time dashboard" shows how to build a search with a real-time dashboard.

<dashboard>
 <label>My dashboard</label>
 <row>

   <chart>
   <searchName>My saved report</searchName>
   </chart>

   <chart>
    <searchString>host=production | top users</searchString>
   <earliestTime>-7d</earliestTime>
   <latestTime>now</latestTime>
   </chart>

  </row>
</dashboard>

Properties available to all panels

Simplified XML provides a set of tags that define properties that can be applied to all panels. The following table summarizes some of these tags.

Tag Description
<title> String

Add a title to your panel, such as Failed logins. The title displasy at the top of the panel.

<fields> Comma-separated list of field names.

Restrict your search results to specific fields.

<earliestTime> Splunk time format

Restrict search results to a specific time window, starting with the earliestTime. Specify "rt" to enable real-time searches.

<latestTime> Splunk time format.

Restrict search results to a specific time window, ending with the latestTime. Specify "rt" to enable real-time searches.


The following example shows a panel with a chart visualization, a title, and an inline search. The search results are restricted to a 5 hour window and to three fields:

<dashboard>
 <label>My dashboard</label>
  <row>

   <chart>
    <title>Top users, five hours ago</title>
    <searchString>host=production | top users</searchString>
    <earliestTime>-10h</earliestTime>
    <latestTime>-5h</latestTime>
    <fields>host,ip,username</fields>
   </chart>

  </row>
</dashboard>

Properties specific to types of panels

Each type of panels has specific options that are only available to that panel. <option> tags define those properties, using the name attribute. For example, if you specify a panel with a table visualization, use the <option> tag to specify how many rows to display and whether to display row numbers.

The following example specifies options for a <table> panel.

<dashboard>
 <label>My dashboard</label>
 <row>

    <table>
      <searchName>Errors in the last 24 hours</searchName>
      <title>Errors in the last 24 hours</title>
      <option name="count">15</option>
      <option name="displayRowNumbers">true</option>
      <option name="maxLines">10</option>
      <option name="segmentation">outer</option>
      <option name="softWrap">true</option>
    </table>

  </row>
</dashboard>


The following example specifies a column chart visualization, with display names for the X and Y axes.

<dashboard>
 <label>My dashboard</label>
 <row>

    <chart>
      <searchString>
          sourcetype=access_* method=GET | timechart count by categoryId 
          | fields _time BOUQUETS FLOWERS
      </searchString>
      <title>Views by product category, past week (Stacked)</title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.axisTitleX.text">Views</option>
      <option name="charting.axisTitleY.text">Date</option>
      <option name="charting.chart">column</option>
    </chart>

  </row>
</dashboard>
PREVIOUS
Step 2: Add rows
  NEXT
Add a chart

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters