Build and edit dashboards with simple XML
Saved searches and dashboards
Before building a dashboard, you may want to create some saved searches. Familiarize yourself with Splunk's search language, create some searches that highlight the important aspects of your data, and then integrate them into dashboards. Dashboards allow you to then visualize data returned from searches in the form of charts, graphs and links. If you are creating Dashboards with Splunk's Dashboard Editor tools, you can run a search to see the results before you save it to the panel you are editing.
Resources for creating searches
If you have never worked with Splunk's search language before, read the Search Manual section "Search Overview." Create searches to highlight the most relevant aspects of your data and support your user's goals. The Search Reference Manual provides additional information on searching with Splunk, including a section on how to "Write better searches," a "Search command cheat sheet," and a complete "Reference to Splunk search commands."
Saved searches and permissions
You can save searches a number of ways:
- Splunk Web
- Splunk Manager
- Search Editor (for saving inline searches using Splunk's Dashboard Editor tools)
savedsearches.confin your app or user directory
After saving a search, make sure permissions for the search allow access by users of the dashboard.
You can specify the following for a search:
- Private Only you have access to the search
- Available in an app The search is available only from the app in which it was created
- Available in all apps' Essentially, the search is public.
You can also specify Read and Write permissions, based on user roles.
Save searches from Splunk Web
When saving the search from Splunk Web, specify permissions for the search. You can keep the search private or share the search with other users of the app.
Save searches from Splunk Manager
When creating searches with Splunk Manager, by default the search is private. After creating the search, in Splunk Manager, edit the permissions so users accessing your dashboard can run the search.
1. Select Manager > Searches and reports > New.
2. In the Add new screen, create your search and select Save.
3. In the list of searches, find your newly created search and select Permissions.
4. Specify the following:
- Available in the app in which it was created
- Available in all apps
Also specify Read and Write permissions for user roles.
5. Click Save.
Save searches from the Search Editor
"Create and edit dashboards using Splunk Web" in this manual describes how to add panels and searches to a dashboard. You can select either a saved search or an inline search for a panel in a dashboard.
If you select an inline search, edit permissions for the dashboard to set permissions for the search. See "Change dashboard permissions" in this manual for details.
Saved searches configuration file
When you save a search, Splunk writes information about the search to the
For private searches, Splunk places
savedsearches.conf in your user directory:
For searches saved to an app, Splunk places
savedsearches.conf in the following app directory:
Resources for saved searches
For details on creating and managing saved searches, refer to Save searches and save search results in the Splunk Knowledge Manager manual.
For details on the
savedsearches.conf, refer to the online version of the savedsearches.conf spec file.
About creating dashboards
There are several ways to create a Splunk dashboard:
- Use the Splunk Dashboard Editor to interactively create a dashboard (recommended)
- Use the Splunk Manager to create a dashboard from a new view
- Use the Splunk Manager to clone an existing dashboard which you can then modify
- Create a dashboard from an XML file
All three of these options leverage Splunk's simple XML. Once you create a dashboard, you can always edit the simple XML upon which the dashboard is based.
Dashboard owners and permissions
Splunk dashboards are either private to a user, available to users of an app, or available to all users.
Splunk places private dashboards in the following location:
Splunk places dashboards available to users of an app (or available to all users) in the following location:
You can change the read and write permissions to a dashboard for users, based on their Splunk user roles.
Splunk Dashboard Editor
Use the Splunk Dashboard Editor to interactively create and edit dashboards. From the Dashboard Editor you add panels, create and edit searches for each panel, modify the visualizations representing the returned data, and specify permissions for the dashboard.
When using the Dashboard Editor, you do not have to edit any XML code. However, to enhance the dashboard you can always edit the simple XML upon which the dashboard is based.
Create a dashboard from an XML file
You can create dashboards directly in an XML file and place the file in the appropriate directory in your Splunk installation. Use simple XML as described in this chapter. See "Dashboard owner and permissions" in this manual for the location of source dashboard files.
After copying the dashboard file to the appropriate directory refresh Splunk by navigating to the refresh EAI object page. This makes your dashboard visible without having to restart Splunk. For example, go to:
Alternatively, you could restart Splunk to make your new dashboards visible.
Splunk's simple XML syntax
Use Splunk's simple XML syntax to create and edit basic dashboards. Refer to Overview of simple XML for an introduction to simple XML syntax for creating dashboards and forms. See the Splunk Panel Reference for details on specifying visualizations for panels.
The following sections of this chapter walk you through the steps of developing a dashboard using simple XML.
New with Splunk 5.0, you can specify custom drilldown actions in simple XML using the
<drilldown> tag. Within the
<drilldown> tag you specify links to another dashboard, form, or to any external website. The value upon which the user clicks is passed to a linked form or external website.
Refer to Dynamic drilldown in dashboards and forms for details.
Here is the simple XML code for a sample dashboard:
<dashboard> <label>Dashboard using simple XML</label> <row> <html> <h1>HTML Panel</h1> <p>Use this panel to display <b>HTML-formatted text</b>.</p> <p> This dashboard example displays search results as a table, a chart, and a radial gauge. </p> </html> </row> <row> <!-- Inline search, display as a table --> <table> <title>High CPU processors (inline search)</title> <searchString> index="_internal" source="*metrics.log" group="pipeline" | chart sum(cpu_seconds) over processor | sort -sum(cpu_seconds) | rename sum(cpu_seconds) as "Total CPU Seconds" </searchString> <earliestTime>-60m</earliestTime> <latestTime>now</latestTime> <option name="showPager">true</option> </table> <!-- Saved search, display as a table --> <chart> <title>High CPU processors (saved search)</title> <searchName>Pipeline processors with most processor time</searchName> <option name="height">400px</option> </chart> <!-- Display a chart --> <chart> <title>Splunk server log events</title> <searchString> index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events </searchString> <earliestTime>-1d</earliestTime> <latestTime>now</latestTime> <option name="charting.chart">radialGauge</option> <option name="charting.chart.rangeValues">[0,500,5000,10000]</option> <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option> <option name="count">10</option> <option name="displayRowNumbers">true</option> </chart> </row> </dashboard>
And here is the sample dashboard:
Overview of simple XML
Build and edit forms with simple XML
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18