Splunk® Enterprise

Dashboards and Visualizations

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Build and edit dashboards with simple XML

Saved searches and dashboards

Before building a dashboard, you may want to create some saved searches. Familiarize yourself with Splunk's search language, create some searches that highlight the important aspects of your data, and then integrate them into dashboards. Dashboards then let you visualize the data returned from those searches in the form of charts, graphs and links. If you are creating dashboards with Splunk's Dashboard Editor tools, you can run a search to see the results before you save it to the panel you are editing.

Resources for creating searches

If you have never worked with Splunk's search language before, read the Search Manual section "Search Overview." Create searches to highlight the most relevant aspects of your data and support your users' goals. The Search Reference Manual provides additional information on searching with Splunk, including a section on how to "Write better searches," a "Search command cheat sheet," and a complete "Reference to Splunk search commands."

Saved searches and permissions

You can save searches in a number of ways:

  • Splunk Web
  • Splunk Manager
  • Search Editor (for saving inline searches using Splunk's Dashboard Editor tools)
  • savedsearches.conf in your app or user directory

After saving a search, make sure permissions for the search allow access by users of the dashboard.

You can specify the following for a search:

  • Private: Only you have access to the search.
  • Available in an app: The search is available only from the app in which it was created.
  • Available in all apps: Essentially, the search is public.

You can also specify Read and Write permissions, based on user roles.

Save searches from Splunk Web

When saving the search from Splunk Web, specify permissions for the search. You can keep the search private or share the search with other users of the app.

Save searches from Splunk Manager

When creating searches with Splunk Manager, by default the search is private. After creating the search, in Splunk Manager, edit the permissions so users accessing your dashboard can run the search.

1. Select Manager > Searches and reports > New.

2. In the Add new screen, create your search and select Save.

3. In the list of searches, find your newly created search and select Permissions.

4. Specify the following:

  • Private
  • Available in the app in which it was created
  • Available in all apps

Also specify Read and Write permissions for user roles.

5. Click Save.


Save searches from the Search Editor

"Create and edit dashboards using Splunk Web" in this manual describes how to add panels and searches to a dashboard. You can select either a saved search or an inline search for a panel in a dashboard.

If you select an inline search, edit permissions for the dashboard to set permissions for the search. See "Change dashboard permissions" in this manual for details.

Saved searches configuration file

When you save a search, Splunk writes information about the search to the savedsearches.conf file.

For private searches, Splunk places savedsearches.conf in your user directory:

$SPLUNK_HOME/etc/users/<user_name>/search/local/savedsearches.conf

For searches saved to an app, Splunk places savedsearches.conf in the following app directory:

$SPLUNK_HOME/etc/apps/<app_name>/local/savedsearches.conf

Resources for saved searches

For details on creating and managing saved searches, refer to Save searches and save search results in the Splunk Knowledge Manager manual.

For details on savedsearches.conf, refer to the online version of the savedsearches.conf spec file.

About creating dashboards

There are several ways to create a Splunk dashboard:

  • Use the Splunk Dashboard Editor to interactively create a dashboard (recommended)
  • Use the Splunk Manager to create a dashboard from a new view
  • Use the Splunk Manager to clone an existing dashboard which you can then modify
  • Create a dashboard from an XML file

All of these options leverage Splunk's simple XML. Once you create a dashboard, you can always edit the simple XML upon which the dashboard is based.

Dashboard owners and permissions

Splunk dashboards are either private to a user, available to users of an app, or available to all users.

Splunk places private dashboards in the following location:

$SPLUNK_HOME/etc/users/<user>/<app>/local/data/ui/views/<dashboard_name.xml>

Splunk places dashboards available to users of an app (or available to all users) in the following location:

$SPLUNK_HOME/etc/apps/<app>/local/data/ui/views/<dashboard_name.xml>

You can change the read and write permissions to a dashboard for users, based on their Splunk user roles.

Splunk Dashboard Editor

Use the Splunk Dashboard Editor to interactively create and edit dashboards. From the Dashboard Editor you add panels, create and edit searches for each panel, modify the visualizations representing the returned data, and specify permissions for the dashboard.

When using the Dashboard Editor, you do not have to edit any XML code. However, to enhance the dashboard you can always edit the simple XML upon which the dashboard is based.

To read more about the Dashboard Editor, see "Create and edit dashboards using Splunk Web" and "Edit dashboard visualizations," both in this manual.

Create a dashboard from an XML file

You can create dashboards directly in an XML file and place the file in the appropriate directory in your Splunk installation. Use simple XML as described in this chapter. See "Dashboard owners and permissions" in this manual for the location of source dashboard files.

After copying the dashboard file to the appropriate directory, refresh Splunk by navigating to the refresh EAI object page. This makes your dashboard visible without having to restart Splunk. For example, go to:

http://localhost:8000/en-US/debug/refresh

Alternatively, you could restart Splunk to make your new dashboards visible.

Splunk's simple XML syntax

Use Splunk's simple XML syntax to create and edit basic dashboards. Refer to Overview of simple XML for an introduction to simple XML syntax for creating dashboards and forms. See the Splunk Panel Reference for details on specifying visualizations for panels.

The following sections of this chapter walk you through the steps of developing a dashboard using simple XML.

Dynamic Drilldown

New with Splunk 5.0, you can specify custom drilldown actions in simple XML using the <drilldown> tag. Within the <drilldown> tag you specify links to another dashboard, form, or to any external website. The value upon which the user clicks is passed to a linked form or external website.

Refer to Dynamic drilldown in dashboards and forms for details.

Sample dashboard

Here is the simple XML code for a sample dashboard:

<dashboard>
  
  <label>Dashboard using simple XML</label>
  
  <row>
    <html>
      <h1>HTML Panel</h1>
      <p>Use this panel to display <b>HTML-formatted text</b>.</p>
      <p>
        This dashboard example displays search results
        as a table, a chart, and a radial gauge.
      </p>
    </html>
  </row>

  <row>    
    <!-- Inline search, display as a table -->
    <table>
      <title>High CPU processors (inline search)</title>
      <searchString>
         index="_internal" source="*metrics.log" group="pipeline"
         | chart sum(cpu_seconds) over processor
         | sort -sum(cpu_seconds)
         | rename sum(cpu_seconds) as "Total CPU Seconds"
      </searchString>
      <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
      <option name="showPager">true</option>
    </table>

    <!-- Saved search, display as a chart -->
    <chart>
      <title>High CPU processors (saved search)</title>
      <searchName>Pipeline processors with most processor time</searchName>
      <option name="height">400px</option>
    </chart>
    
    <!-- Inline search, display as a radial gauge -->
    <chart>
      <title>Splunk server log events</title>
      <searchString>
         index=_internal source="*splunkd.log"
         ( log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL)
         | stats count as log_events
      </searchString>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">radialGauge</option>
      <option name="charting.chart.rangeValues">[0,500,5000,10000]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
      <option name="count">10</option>
      <option name="displayRowNumbers">true</option>
    </chart>
  </row>   

</dashboard>

And here is the sample dashboard:

[Screenshot: Viz SampleDashboard.png]
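The sections "Saved searches and permissions" and "Saved searches configuration file" imply a check worth automating: every <searchName> a dashboard references should resolve to a stanza in the app-level savedsearches.conf, not only in one user's private file. The following is an added example, not code from Splunk or from this manual; it looks only at the two file locations named above and does not evaluate role-based Read and Write permissions, and the user "alice" and the second and third search names are constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

STANZA = re.compile(r"^\[([^\]]+)\]\s*$", re.MULTILINE)  # [Saved search name]
# Constructed inputs; only the first search name appears in the page's sample.
SAMPLE_DASHBOARD = """<dashboard><row>
  <chart><searchName>Pipeline processors with most processor time</searchName></chart>
  <table><searchName>Errors in the last hour</searchName></table>
  <chart><searchName>Retired search</searchName></chart>
</row></dashboard>"""
SAMPLE_CONFS = {  # paths relative to $SPLUNK_HOME
    "etc/apps/search/local/savedsearches.conf":
        "[Pipeline processors with most processor time]\nsearch = index=_internal\n",
    "etc/users/alice/search/local/savedsearches.conf":
        "[Errors in the last hour]\nsearch = index=_internal log_level=ERROR\n",
}

def saved_search_refs(dashboard_xml):
    """Return (panel tag, saved search name) for each panel with a <searchName>."""
    root = ET.fromstring(dashboard_xml)
    return [(el.tag, el.findtext("searchName").strip())
            for el in root.iter() if el.find("searchName") is not None]

def stanzas(conf):
    """Stanza names defined in one savedsearches.conf (empty set if absent)."""
    return set(STANZA.findall(conf.read_text())) if conf.is_file() else set()

def audit(splunk_home, app, dashboard_xml):
    """Map each referenced search to 'app', 'private:<user>' or 'missing'."""
    home = Path(splunk_home)
    shared = stanzas(home / "etc/apps" / app / "local/savedsearches.conf")
    private = {name: conf.parts[-4]  # parts[-4] is <user_name>
               for conf in sorted(home.glob(f"etc/users/*/{app}/local/savedsearches.conf"))
               for name in stanzas(conf)}
    return {name: "app" if name in shared
            else "private:" + private[name] if name in private else "missing"
            for _tag, name in saved_search_refs(dashboard_xml)}

def demo():  # writes the constructed confs into a temporary $SPLUNK_HOME, then audits
    with tempfile.TemporaryDirectory() as home:
        for rel, text in SAMPLE_CONFS.items():
            path = Path(home, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return audit(home, "search", SAMPLE_DASHBOARD)

if __name__ == "__main__":
    print(demo())
```

A result of "private:<user>" means the panel works for its author but not for other users of the dashboard; "missing" means no stanza was found in either location.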


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

Deping, we don't really publish the schema in the docs, but in the Splunk 6 version of this manual there is a detailed Simple XML Reference and Chart Configuration Reference. There are some differences between Splunk 5 and Splunk 6, but the implementation is essentially the same.

The actual implemented schema is based on RelaxNG, and you can view the schema formats from Splunk Web. For a locally installed version of Splunk:

http://localhost:8000/info

On the info page, you can view the RelaxNG compact schema format for "view."

Vgenovese
November 1, 2013

Very good.
But where can we find the schema of view's XML file?

Deping chen
November 1, 2013
