Splunk® Enterprise

User Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Create and edit simple dashboards

Splunk makes it easy to interactively build and edit simple dashboards without writing a single line of XML code.

  • Add a search you've just run to a new or existing dashboard: You can jump right into dashboard creation after running a search that produces a visualization you like with the Create Dashboard Panel feature. It will guide you through the process of creating a dashboard panel based on the search and adding it to a new or preexisting dashboard. When you're done, you're still in the Search view, ready to run more searches.
  • Use the Dashboard Editor to create dashboards and populate them with dashboard panels: You can also use the Dashboard Editor to edit existing dashboards. This method of dashboard creation is useful if you have a set of search strings that you want to quickly base a set of dashboard panels upon.

Add a search you've just run to a new or existing dashboard

Say you design a search after a bit of trial and error that produces results that you'd like to see in a new or preexisting dashboard. You can do this without going to a dashboard and adding the panel manually. Simply click the Create button below the search bar and click ...Dashboard Panel to open the Create Dashboard Panel dialog box.

The Create Dashboard Panel dialog box is divided into three screens. In Search, the first screen, enter the title of the panel that you wish to create. Keep in mind that the search you're basing the panel on will be saved with this same title.

4.3-create dash panel-screen1.png

Click Next to go to Dashboard, the second screen. On this screen, you'll determine whether the dashboard is to be added to a new dashboard or a dashboard that already exists.

4.3-create dash panel-screen2.png

  • If you want to add this new panel to a new dashboard, on the Dashboard screen you can give the new dashboard a title and determine its permissions (you can keep the new dashboard private--available only to you--or you can share it with other members of the app that you're currently working in. Click Next to go on to the final screen.

Note: For more information about permissions setup see the "Share and promote knowledge objects" subtopic of the "Curate Splunk knowledge with Manager" topic in the Knowledge Manager Manual.

  • If you want to add this panel to an existing dashboard, select Existing dashboard and select the dashboard from the dropdown. The dropdown will only display dashboards that you have edit permissions for. (If no dashboards exist that you have permission to alter, this option will be unavailable.)

Click Next to go to Panel, the third and final screen. On this screen you'll define basic aspects of the panel. It carries over the Panel title from the search title you provided on the Search screen but you can change it if you want.

Create dash panel screen3-4.3.jpg

You can choose the Visualization displayed by the panel. If your search does not include reporting commands, only the Table and Event list options will be available. If your search does include reporting commands, all options should be available except Event list.

For the Schedule section you can determine how the underlying search works in relation to the panel. Here you have a tradeoff: recency of data displayed versus panel load speed.

If you want the most recent data available to appear in the panel, choose Run search each time dashboard loads. When you load the dashboard, the panel will run the search. If it's a slow-running search, you may have to wait a few moments to see the results in the panel.

If you want your panels to load quickly and don't mind that the data is not fully up-to-date, choose 'Run scheduled search instead. When you choose this option you need to select an interval upon which the search will be run, such as every hour or every day at midnight. You can also define a custom interval schedule using standard cron notation..

Click Finish to save your dashboard panel. When you do this:

  • The underlying search will be saved. You can review it at Manager > Searches and Reports.
  • A new dashboard will be created (if you selected that option).
  • A new panel that uses the underlying search will be added to the selected dashboard.

To edit the panel, or the dashboard as a whole, go to the dashboard you've added the panel to (you should be able to find it in the Dashboards & Views menu towards the top of the page}. You can change the underlying search with the Search Editor and change the way the dashboard visualizes the search data with the Visualization Editor. And you can update the dashboard layout with the Dashboard Editor. See the following subtopic for more information about all of these features.

Create and edit dashboards with the Dashboard Editor

The Dashboard Editor enables you to:

  • Create dashboards and then populate them with panels.
  • Rearrange dashboard panels through a simple drag-and-drop interface.
  • Use a Search Editor to edit the base searches of dashboard panels.
  • Use a Visualization Editor to reformat visualizations for dashboard panels.

To access the Dashboard Editor, click Dashboards & Views in the app navigation bar towards the top of the page (when in the Search app) and then click Create dashboard....

The Search Editor enables you to modify the search and includes an option to test the search before saving your changes.

The Visualization Editor enables you to specify how returned data is displayed in a dashboard. You can select the visualization type (such as tables, lists of events, charts, and single-value displays) and you can specify how the visualizations appear and behave. (To see a list of the available visualization types and the formatting options associated with them, see the "Visualization reference" topic in this manual.

If you want to create complex dashboards with features such as form inputs and special drilldown actions, edit the XML implementing the dashboard. Refer to "Forms: An Introduction" and "Introduction to advanced views" in the Developer Manual for more information on creating and editing complex dashboards.

Note: A common workflow for creating complex dashboards is to first use the Dashboard Editor to create and lay out the panels. Use the Search Editor and Visualization Editor to fine tune the search and change or modify the visualization of returned data. Then edit the XML as needed to implement any additional functionality. Advanced features of the dashboard may require using Advanced XML, as described in "Introduction to advanced views" in the Developer Manual.

The following sections provide examples of how to use the Dashboard Editor, Search Editor, and Visualization Editor to create and edit a simple dashboard.

Use the Dashboard Editor to create a dashboard with two panels

This example shows you the basics of the Dashboard Editor. It shows how to create a dashboard with two panels, one panel based on a saved search and the other based on an inline search that you specify. It also shows how to rearrange the panels in the dashboard using drag and drop.

The searches used in this example are based on the Flower Shop Tutorial described earlier in this manaul. However, you can substitute the searches in this example with any similar type of search.

1. Select Dashboards & Views > Create Dashboard. After providing an ID and a name for the dashboard, the Dashboard Editor opens.

  • Specify TestDashboard and "Test Dashboard" for the ID and the name, then click Create....
  • The initial dashboard is empty and the editing feature is Off.


2. Click Edit: On.


Next, click New Panel.

  • Specify "Errors in the last 24 hours" for the Title
  • Select the saved search, "Errors in the last 24 hours"
  • Click Save, to add the panel to the dashboard


3. Click New Panel to add an additional panel to the dashboard:

  • Specify "Flower Store Price Difference (Last 7 days)" for the Title
  • Select inline search and specify the following for the search:

sourcetype=access_* | stats values(product_name) as product by price, flowersrus_price | eval difference = price - flowersrus_price | table product, difference

  • Specify a time range of -7d to now.
Note: For information about defining search time ranges with relative time syntax (a set start and end time) see "Change the time range to narrow your search" in this manual. For information about setting up real-time searches and real-time search windows, see "Search and report in real time" in this manual.
  • Click Save.

4. Click and drag the newly added panel, placing it to the right of the initial panel.

5. Click Edit: Off to turn off the editing feature.

The dashboard is now available for use. You can access the dashboard from the Dashboard & Views menu.

Note: When in editing mode, the Dashboard Editor resizes a panel so it is smaller than the actual size, showing only the top portion of the panel. When you turn off editing mode, the entire panel is visible.


Modify the search in a panel

Use the Search Editor to modify the search for a panel. The Search Editor also provides an option to test the search before you save it. The editing options available to you differ for inline searches and saved searches.

Inline searches

For inline searches, the Search Editor provides the following options:

  • Replace the inline search with a saved search (If you select this option, the Search Editor displays the options for saved searches, listed below.)
  • Modify the search string
  • Modify the time range
  • Run the search to preview the results

Saved searches

For saved searches, the Search Editor provides the following options:

  • Select a different saved search
  • Edit the search in Splunk Manager
  • Replace the saved search with an inline search (If you select this option, the Search Editor displays the options for inline searches.)
  • Run the search to preview the results

Note: If you want to edit a saved search query, either change the search to an inline search or edit the search query in Splunk Manager. You cannot edit a saved search query directly in the Search Editor.

Search Editor example

1. If editing mode for the test dashboard is not enabled, click Edit: On.

2. In the Flower Store Price Difference panel, select Edit > Edit Search.

3. Edit the search string and specify a time range of -1mon to now.


4. Click Run search to test the new search, which opens in a new tab or window of your browser.

5. Close the test run, click Save.

6. in the Errors in the Last 24 Hours panel, select Edit > Edit Search.

7. Click Edit in manager. The saved search opens in the Splunk Manager. Modify the search and click Save.

Change dashboard panel visualizations

After you create a panel with the Dashboard Editor, use the Visualization Editor to change the visualization type displayed in the panel, and to determine how that visualization displays and behaves.

The Visualization Editor only allows you to choose from visualization types that have their data structure requirements matched by the search that has been specified for the panel. For example, if the search does not include reporting commands such as such as stats, chart, timechart, top, or rare, it won't enable you to choose a chart visualization type.

You can find a detailed breakdown of the visualization definition options presented by the Visualization Editor in "Edit dashboard panel visualizations," in this manual.

Note: For information on the types of visualizations available, refer to the "Visualization Reference" topic in this manual. For information on Splunk drilldown features, refer to "Understand basic table and chart drilldown actions."

Visualization Editor example

The following example shows how to modify the two panels in the Test Dashboard created in the previous example. "Edit dashboard panel visualizations" in this manual provides additional information and examples on creating and editing visualizations.

1. If editing mode for the test dashboard is not enabled, click Edit: On.

2. In the Errors in Last 24 Hours Panel, click Edit > Edit Visualization.

3. Make the following edits in the Visualization Editor:

  • For Visualizations, select Events.
  • For Row numbers, select No.
  • For Wrap results, select Yes.

Note: As you can see in the screenshot, these are the options that are available for the Events visualization type. Other visualization types, such as tables, charts, and single-value visualizations, will provide other options. See either the "Visualization reference" or "Edit dashboards with the Visualization Editor" topics in this manual for more information.


4. Click Save, then click Edit: Off.

The panel now displays errors as a wrapping list

5. In the dashboard, click Edit: On.

6. In the Flower Store Price Difference panel, select Edit > Visualization.

7. Make the following edits in the Visualization Editor:

  • For Drilldown, select Cell.
  • For Row numbers, select No.
  • For Data overlay, select Heat Map.

8. Click Save, then click Edit: Off.

Notice your visualization changes, including that drilldown is enabled for the Product cells.


Edit the XML configuration of a dashboard

You can also edit a dashboard and the panels it contains by editing the XML configuration for the dashboard. This provides editing access to features not available from the Dashboard Editor. For example, edit the XML configuration to change the name of dashboard or specify a custom number of rows in a table.

1. If editing mode for the Test Dashboard is not enabled, click Edit: On.

2. Click Edit XML to open the Splunk XML Editor for the Test Dashboard.

Change the name of the dashboard to "My Dashboard" and specify 5 rows for the Flower Store Price Table, as indicated in the code sample:

<?xml version='1.0' encoding='utf-8'?>
  <label>My Dashboard</label>
      <searchName>Errors in the last 24 hours</searchName>
      . . .
     . . .
      <title>Flower Store Price Difference (Last 7 days)</title>
      <option name="count">5</option>
      . . .

For more information about editing XML for dashboards created with the Dashboard Editor, see "Dashboards: An Introduction" in the Developer manual.

Change dashboard permissions

You can specify access to a dashboard from the Dashboard Editor. However, your user role (and capabilities defined for that role) may limit the type of access you can define.

For example, if your Splunk user role is user (with the default set of capabilities), then you can only create dashboards that are private to you. You can, however, provide read and/or write access to other users.

If your Splunk user role is admin (with the default set of capabilities), then you can create dashboards that are private, visibile in a specific app, or visible in all apps. You can also provide access to other Splunk user roles, such as user, admin, and other roles with specific capabilities.

For additional information on user roles, capabilites, and permissions refer to "Share and promote knowledge objects" in the Admin manual.

Edit permissions for an admin user

The following example shows how an admin user can specify permissions for a dashboard.

Note: For other user roles, such as user, the choices for permissions in the Dashboard Editor are a subset of the choices available to the admin user.

1. If editing mode for the test dashboard is not enabled, click Edit: On.

2. In the Dashboard Editor, select Edit permissions

3. Specify the views in which the dashboard is visible. choose from the following:

  • Keep private: The dashboard is only visible to the user who created it. In this example, the admin user.
  • This app only (app name): Dashboards can be visible to a specific app. app name refers to the app that you were in when you created the dashboard. From the Manager pages, you can change the app specific to a dashboard.
  • All apps: The dashboard is visible from all apps.


4. Specify the user roles that have access, and their type of access.

  • You can specify that the dashboard is visible to all users, or you can select a combination of different user roles.
  • Specify the Read and Write permissions for each role you select.

5. Select Save and click Edit: off.

Manage dashboard navigation

Because dashboards are a type of view, by default any new dashboard appears in the View drop-down list in the Splunk Web navigation menu. Edit the XML behind the navigation menu to:

  • Change the the location of unclassified dashboards. You can move dashboards to existing lists (or "view collections") in the navigation menu, or create new lists for them.
  • Create nested collections (view collections within navigation bar lists) that classify similar dashboards together. For example, under your Dashboards dropdown, you could have a "Web Server" collection that groups together a set of dashboards that display different kinds of firewall information for your web server.

Note: Navigation is managed on an app by app basis. If your dashboard has been promoted globally to all of the apps in your system, it initially appears in the default drop-down list for "unclassified" views in those apps' top-level navigation menus. Users with write permissions for those apps can move the dashboard to its proper location in the app navigation menus as appropriate.

For an overview of navigation menu management see "Define navigation for saved searches and reports" in the Knowledge Manager manual.

If you have write permissions for your app, you can access its navigation menu XML by opening Manager, clicking Navigation Menus, and then clicking the name of the navigation menu for your app. See the "Build navigation for your app" topic in the Developer manual for details about working with the navigation menu code.

Delete panels and dashboards

You can delete panels from a dashboard using the Dashboard Editor or editing the XML configuration. You delete a dashboard from Splunk Manager. You must be logged in as an admin and have permission to delete the dashboard.

Delete a panel from a dashboard

1. If editing mode for the dashboard is not enabled, click Edit: On.

2. For the panel, select Edit > Delete.


2. Click Edit XML and delete the XML code implementing the panel.

Delete a dashboard

1. Login as an admin user and go to Manager > User interface > Views.

2. Locate the dashboard in the list of views. Locate the Delete link under Actions (visible if you have permissions to delete the dashboard). Click Delete.

Splunk default dashboards
Edit dashboard panel visualizations

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


This page is missing a next link at the bottom.

Rmuresan arc
March 1, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters