Splunk® Enterprise

Dashboards and Visualizations


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Dashboard examples

This topic walks you through the steps for creating a dashboard and adding visualizations.

Create the dashboard

You can create a dashboard directly from Splunk Manager.

1. Go to Manager > User interface > Views.

2. Click New and specify the following:

  • Destination app: Select an app from the dropdown list of all available apps in your Splunk instance.
  • View name: Specify a name for the dashboard. The name you specify becomes a node in the path to the dashboard. Only alphanumeric characters and '-' and '_' can be used.
  • View XML: Specify the simple XML to create your dashboard. The following is the minimal XML to create a blank dashboard:
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>Minimal Dashboard</label>
</dashboard>
  • Click Save.

3. (Optional) Modify permissions.

By default, the dashboard you create from Splunk Manager is private. In the Views page of Splunk Manager, click Permissions for your dashboard to specify an app (or all apps) for the dashboard and to set permissions for users of the dashboard.

Add rows

Dashboards contain rows. Each row can contain up to three panels. Each panel typically contains a single search and displays a visualization of that search. However, you can group two or more panel visualizations into a single column within a row.

This step shows how to add rows and also how to add rows that contain panel groups. "Add Panels" shows how to add panels to the rows.

Add rows to a dashboard

Add two rows to a dashboard using the <row> tag. Rows can accommodate up to three panels.

<dashboard>
    <label>My dashboard</label>
    <row>
     . . .
    <!-- Up to three panels -->
     . . .
    </row>
    <row>
     . . .
    <!-- Up to three panels -->
     . . .
    </row>
</dashboard>

Create a panel group for a row

Group panels together within a row by adding a grouping attribute to the <row> tag. The following example groups two panels into a single column:

<dashboard>
    <label>My dashboard</label>
    <row grouping="2">
    . . .
    <!--The two panels to be grouped-->
    . . .
    </row>
</dashboard>

You can group panels into columns on the left or right sides within a single row. The following example creates a single row of panels, separated into two columns, with 3 panels grouped in the left column and 2 panels grouped in the right column:

<dashboard>
    <label>My dashboard</label>
    <row grouping="3,2">
    . . .
    <!-- The five panels to be grouped into two columns-->
    . . .
    </row>
</dashboard>
Note: Panel groups affect the Splunk Dashboard Editor. The Dashboard Editor cannot add or edit panels for a dashboard containing grouped panels. All additional edits must be done in the underlying XML code.

Add panels

Each row in a dashboard can contain up to three panels. Each panel contains a search (a saved search or an inline search specific to that panel) and a visualization of the results returned from that search. There's no limit to how many rows you can have in a dashboard.

The visualization can be any of the following:

  • A table
  • An event listing
  • A list
  • A chart
  • A single value
  • A gauge representing a single value

Panels can also display information coded for HTML. These panels do not have searches and visualizations associated with them.

See the "Visualization Reference" in this manual for details on tables, charts, single values, and gauges that you can use in a panel.

See Panel Reference for Simple XML for details on implementation of various panels.

Add panels to rows

To add a panel to a row in a dashboard, add the tags defining the type of panel. The following example adds three panels: an event listing, a table, and a chart.

<dashboard>
 <label>My dashboard</label>
  <row>
   <event>
   . . .
   </event>
   <table>
   . . .
   </table>
   <chart>
   . . .
   </chart>
  </row>
</dashboard>


Configure panels

Configure panels by specifying the following:

  • Search for the panel
  • Properties available to all panels
  • Properties specific to types of panels

Add a search

Searches can be a saved search or an inline search specific to that panel. Saved searches run on the schedule for the search. Inline searches run when the panel loads.

Saved search: Use the <searchName> tag to specify a saved search. Saved searches must be shared with all users and roles who access the dashboard. Any saved search for a panel must contain an entry in savedsearches.conf in the app's default or local directory, or the search must be shared globally with all apps.

Inline search: Use the <searchString> tag to specify an inline search. Inline searches run every time the dashboard is accessed. If you have a long running search, or there are many users accessing a dashboard, an inline search may create a high load on your Splunk instance. For inline searches you can optionally specify a time range for the search.

The following example shows a dashboard with two panels showing a saved search and an inline search. The inline search displays results from the last week. "Build a real-time dashboard" in the Developing Views and Apps for Splunk Web manual shows how to build a search with a real-time dashboard.

<dashboard>
 <label>My dashboard</label>
 <row>

   <chart>
   <searchName>My saved report</searchName>
   </chart>

   <chart>
    <searchString>host=production | top users</searchString>
   <earliestTime>-7d</earliestTime>
   <latestTime>now</latestTime>
   </chart>

  </row>
</dashboard>

Properties available to all panels

Simple XML provides a set of tags that define properties that can be applied to all panels. The following list summarizes some of these tags, giving the value type and a description for each.

  • <title> (String): Add a title to your panel, such as Failed logins. The title displays at the top of the panel.
  • <fields> (Comma-separated list of field names): Restrict your search results to specific fields.
  • <earliestTime> (Splunk time format): Restrict search results to a specific time window, starting with the earliestTime. Specify "rt" to enable real-time searches.
  • <latestTime> (Splunk time format): Restrict search results to a specific time window, ending with the latestTime. Specify "rt" to enable real-time searches.


The following example shows a panel with a chart visualization, a title, and an inline search. The search results are restricted to a 5 hour window and to three fields:

<dashboard>
 <label>My dashboard</label>
  <row>

   <chart>
    <title>Top users, five hours ago</title>
    <searchString>host=production | top users</searchString>
    <earliestTime>-10h</earliestTime>
    <latestTime>-5h</latestTime>
    <fields>host,ip,username</fields>
   </chart>

  </row>
</dashboard>

Properties specific to types of panels

Each type of panel has specific options that are only available to that panel. <option> tags define those properties, using the name attribute. For example, if you specify a panel with a table visualization, use the <option> tag to specify how many rows to display and whether to display row numbers.

The following example specifies options for a <table> panel.

<dashboard>
 <label>My dashboard</label>
 <row>

    <table>
      <searchName>Errors in the last 24 hours</searchName>
      <title>Errors in the last 24 hours</title>
      <option name="count">15</option>
      <option name="displayRowNumbers">true</option>
      <option name="maxLines">10</option>
      <option name="segmentation">outer</option>
      <option name="softWrap">true</option>
    </table>

  </row>
</dashboard>


The following example specifies a column chart visualization, with display names for the X and Y axes.

<dashboard>
 <label>My dashboard</label>
 <row>

    <chart>
      <searchString>
          sourcetype=access_* method=GET | timechart count by categoryId 
          | fields _time BOUQUETS FLOWERS
      </searchString>
      <title>Views by product category, past week (Stacked)</title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.axisTitleX.text">Views</option>
      <option name="charting.axisTitleY.text">Date</option>
      <option name="charting.chart">column</option>
    </chart>

  </row>
</dashboard>

Add a chart

Splunk provides a variety of chart visualizations, such as column, line, area, scatter, and pie charts. These visualizations require transforming searches (searches that use reporting commands) whose results involve one or more series. For more information on the chart visualizations available, see the "Charts" section of the "Visualization Reference" in this manual.

Configure the chart panel

The following example displays information from an inline search as a column chart. The columns in the chart "stack" the data returned from the search.

<dashboard>
 <label>My dashboard</label>
 <row>

    <chart>
      <searchString>
         sourcetype=access_* method=GET | timechart count by categoryId
         | fields _time BOUQUETS FLOWERS
      </searchString>
      <title>Views by product category, past week (Stacked)</title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">column</option>
      <option name="charting.axisTitleX.text">Views</option>
      <option name="charting.axisTitleY.text">Date</option>
    </chart>

 </row>
</dashboard>

The inline search is based on a version of the Splunk tutorial. The search for this panel is a transforming search, using reporting commands.

The <title> tag displays a title for the panel. The panel also restricts the time range for results reported.

The three <option> tags specify the type of chart to display, and labels for the X and Y axes.


Set chart specific options

For basic configuration of charts, refer to the "Chart panel entry" in the Panel reference for Simple XML.

There are many additional configurations you can make to customize the appearance of a chart. Refer to the Splunk Custom Chart Configuration Reference for details. Custom configuration options include:

Add a table

The table panel displays search results in a sortable table. You can display results in a table from just about any search, but the most interesting tables are generated from searches that include transform operations. For example, a search that uses reporting commands such as stats, chart, timechart, top, or rare. Any fields you want to display in your table should be explicitly added to your search.

For more information on table visualizations, refer to the "Tables" section of the "Visualization Reference" topic in this manual.

Configure the table panel

The following example displays information on processes with high CPU usage. It specifies a custom row count of 15, removes the display of row numbers, and includes a heat map overlay highlighting extreme values.

<dashboard>
 <label>My dashboard</label>
  <row>

    <table>
      <searchString>
          index="_internal" source="*metrics.log" group="pipeline" 
          | chart sum(cpu_seconds) over processor | sort -sum(cpu_seconds) 
          | rename sum(cpu_seconds) as "Total CPU Seconds"
      </searchString>
      <title>High CPU processors</title>
      <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
      <option name="count">15</option>
      <option name="dataOverlayMode">heatmap</option>
      <option name="displayRowNumbers">false</option>
      <option name="showPager">true</option>
    </table>

  </row>
</dashboard>

For basic configuration of tables, refer to the "Table panel entry" in the Panel reference for Simple XML.

Add a list

The list panel displays search results in a list. It's particularly useful if you have a search that generates a set of fields you want to link to.

Configure the list panel

The following example creates a list of links for the to field in the Top recipients search. The <list> tag specifies a list visualization. You must also specify the field to generate labels for the list and the field to populate the values. Use the <option name="labelField"> to create a label for each item in the list and <option name="valueField"> to generate values for each item.

<dashboard>
 <label>My dashboard</label>
  <row>
   <list>
    <searchName>Top recipients</searchName>
    <option name="labelField">to</option>
    <option name="valueField">to</option>
   </list>
  </row>
</dashboard>

This example references a saved search called Top recipients. Make sure this saved search is shared with all users and roles who access this dashboard. Any saved search referenced in searchName must exist in savedsearches.conf in the App's default or local directory or be set as global.

Configure list specific options

You can set other configuration options that are only available for list panels, such as the sort direction of the list and the search and view that the list links to. The following example sets the initial sort in descending order and links to another view from which to launch the search:

<dashboard>
 <label>My dashboard</label>
  <row>
   <list>
    <title>Top users</title>
    <searchString>host=production | top users</searchString>
    <option name="labelField">users</option>
    <option name="valueField">users</option>
    <option name="initialSortDir">desc</option>
    <option name="labelFieldTarget">My custom search view</option>
   </list>
  </row>
</dashboard>

For basic configuration of lists, refer to the "List panel entry" in the Panel reference for Simple XML.

Add HTML

The HTML panel displays inline HTML. Splunk displays the contents between the HTML tags according to any specified HTML formatting. The HTML panel is a great way to add documentation, links, images, and other Web content to your dashboard.

Relative link references are relative to the current view location.

Configure the HTML panel

Here's an example of an HTML panel. To access the saved searches, the href attribute to the anchor tag uses the special Splunk locator, @go?s=.

<dashboard>
 <label>My dashboard</label>
  <row>
    <html>
      <p>This is an <i><b>HTML panel</b></i> providing links to saved searches.</p>
      <ul>
        <li><a href = "@go?s=Errors in the last 24 hours">Errors in the last 24 hours</a></li>
        <li><a href = "@go?s=My second search">Errors in the last hour</a></li>
        <li><a href = "@go?s=My second search">Splunk errors last 24 hours</a></li>
       </ul>
    </html>
  </row>
</dashboard>


The HTML panel does not use any of the other general panel options and there are no specific options to set for HTML. All the configuration goes into the HTML itself.

For basic configuration of HTML panels, refer to the "HTML panel entry" in the Panel reference for Simple XML.

Add a single value and gauges

The single value panel displays a single value from search data as text on a button. If you base the visualization on a real-time search that returns a single value, the number displayed changes as the search interprets incoming data.

You can also specify single values as gauges, as described below.

Note: The single value visualization is best used with a search that returns a single value. If your search specifies multiple values, the single value visualization takes its number from the first row or first column of the search data.

You can change the color of the button depending on the value of the number it displays, creating a green/yellow/red visualization.

Configure a single value panel

The following example shows how to add a single value to a dashboard, recording the total number of logging events. It also displays text before and after the displayed value.

<dashboard>
 <label>My dashboard</label>
  <row>
    <single>
      <searchString>
          index=_internal source="*splunkd.log" ( log_level=ERROR 
          OR log_level=WARN* OR log_level=FATAL 
          OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="afterLabel">total logging events</option>
      <option name="beforeLabel">Found</option>
    </single>
  </row>
</dashboard>

Set the color of the panel

You can change the text color of the single value depending on the values returned from the search. To change colors on your single results panel do the following:

  • Set up your search to use the rangemap command.
  • Add the classField option, setting the value to range.

Here is the same single value panel in the previous example, but setting color ranges for green, yellow, and red.

<dashboard>
 <label>My dashboard</label>
  <row>
    <single>
      <searchString>
          index=_internal source="*splunkd.log" ( log_level=ERROR 
          OR log_level=WARN* OR log_level=FATAL 
          OR log_level=CRITICAL) | stats count as log_events 
          | rangemap field=log_events low=1-100 elevated=101-300 default=severe
      </searchString>
      <title>Log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="classField">range</option>
      <option name="afterLabel">total logging events</option>
      <option name="beforeLabel">Found</option>
    </single>
  </row>
</dashboard>

Configure button specific options

For basic configuration of single value panels, refer to the "Single value panel entry" in the Panel reference for Simple XML.

Panels displaying gauges

Gauge visualizations map a single numerical value against a range of colors that may have particular business meaning or logic. As the value changes over time, the gauge marker changes position within this range. Gauges provide a dynamic visualization for real-time searches – the fluctuating returned values cause the gauge marker to visibly bounce back and forth within the range.

Splunk provides three types of gauge visualizations: radial, filler, and marker. For more information, see the "Gauges" section of the "Visualization reference" in this manual.

Gauges are a type of chart visualization. You use the <option> tag to specify the type of gauge. Gauges by default are displayed with a rich set of graphics (shiny). You can specify a minimal version of a gauge, which uses fewer graphics.

The following example illustrates all three gauges in a row on a dashboard. The first gauge is a radial gauge that displays minimal graphics. The others use the default shiny graphics. The gauges in this example use the same search for logging events that was used for a single value panel above. Typically, you use a real-time search for gauges.

<dashboard>
  <label>Gauges</label>
  <row>
    <chart>
      <option name="charting.chart">radialGauge</option>
      <option name="charting.chart.style">minimal</option>
      <option name="charting.chart.rangeValues">[0,100,300,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
      <searchString>
          index=_internal source="*splunkd.log" ( log_level=ERROR 
          OR log_level=WARN* OR log_level=FATAL 
          OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Splunk server log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
    </chart>

    <chart>
      <option name="charting.chart">fillerGauge</option>
      <option name="charting.chart.rangeValues">[0,100,300,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
      <searchString>
          index=_internal source="*splunkd.log" ( log_level=ERROR 
          OR log_level=WARN* OR log_level=FATAL 
          OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Splunk server log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
    </chart>

    <chart>
      <option name="charting.chart">markerGauge</option>
      <option name="charting.chart.rangeValues">[0,100,300,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
      <searchString>
          index=_internal source="*splunkd.log" ( log_level=ERROR 
          OR log_level=WARN* OR log_level=FATAL 
          OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Splunk server log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
    </chart>    
  </row>
</dashboard>

Add an event listing

An event visualization is essentially a raw list of events. You can get event visualizations from any search that does not include a transform operation. Transform operations use reporting commands such as stats, chart, timechart, top, or rare.

Configure the event listing panel

The following example displays access errors as a list of events. The search for the panel is from a saved search.

This panel specifies the following:

  • Display 15 rows of returned data
  • Do not include the row numbers
  • Include a maximum of 10 lines of data for each event
  • Wrap long lines of returned data
<dashboard>
  <label>Event Listing Dashboard</label>
  <row>
    <event>
      <searchName>Errors in the last 24 hours</searchName>
      <title>Errors in the last 24 hours</title>
      <option name="count">15</option>
      <option name="displayRowNumbers">false</option>
      <option name="maxLines">10</option>
      <option name="softWrap">true</option>
    </event>
  </row>
</dashboard>


Configure event listing specific options

For basic configuration of event listings, refer to the "Event panel entry" in the Panel reference for Simple XML.

Configure a dashboard with dynamic drilldown

Dynamic drilldown allows you to specify another Splunk view or a web page to link to from a field in the search results. To implement dynamic drilldown in a dashboard, do the following:

  • Add a <drilldown> tag to the visualization listing search results.
  • Within the <drilldown> tag, add one or more <link> tags
  • Within each <link> tag, specify either a Splunk view or web site to link to.
  • Specify the value of the results to use for the drilldown action. For example:
    • Specify a field name that can be used as a sourcetype for a Splunk view.
    • Specify a value that can be passed to a website.

Drilldown example linking a dashboard to a form

The following example displays information on processes with high CPU usage. It specifies a custom row count of 15 and removes the display of row numbers.

When a user clicks on a value in the specified column, the value clicked is passed to another form.

Note: This example assumes that you have a view, FormSearchDrillDown, available at the specified location.

<dashboard>
 <label>My drilldown dashboard 2</label>
  <row>

    <table>
      <searchString>
          index="_internal" source="*metrics.log" group="pipeline"
          | chart sum(cpu_seconds) over processor | sort -sum(cpu_seconds) 
          | rename sum(cpu_seconds) as "Total CPU Seconds"
      </searchString>
      <title>High CPU processors</title>
      <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
      <option name="count">15</option>
      <option name="displayRowNumbers">false</option>
      <option name="showPager">true</option>
      
      <drilldown>
        <link field="processor">
          /app/ui_examples/FormSearchDrillDown?form.processor=$row.series$
        </link>
        <!-- <link>http://splunk-base.splunk.com/integrated_search/?q=$click.value2$</link> -->
      </drilldown>
    </table>

  </row>
</dashboard>

Drilldown example linking to a web site

This is essentially the same example as linking to another Splunk view. However, in this example, clicking a value opens an external web site, with the value passed to that site as a REST parameter. The $click.value2$ token captures the value clicked by the user.

When the user clicks on a value, Splunk Answers opens with a query using that value. To implement this example, replace the <drilldown> code in the previous example with the following code:

        <!-- $click.value2$ captures the value clicked by the user -->
        <!-- and passes it to the website as REST parameter        -->
        <drilldown>          
          <link>http://splunk-base.splunk.com/integrated_search/?q=$click.value2$</link>
        </drilldown>
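
A review aid for the layout rules and drilldown behaviour described on this page, as an added example that is not Splunk code: a Python check over a dashboard's simple XML that flags rows whose grouping does not match their panels, inline searches with no time range, and drilldown links that send result tokens to an external host. The rule names, the sample dashboard, and the policy of requiring a time range on inline searches are assumptions of this example; the grouping check is inferred from the grouping examples above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Panel tags used in the examples on this page.
PANEL_TAGS = {"chart", "table", "event", "list", "single", "html"}
VIEW_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
TOKEN_RE = re.compile(r"\$[\w.]+\$")  # e.g. $click.value2$, $row.series$


def valid_view_name(name):
    """View names may use only alphanumeric characters, '-' and '_'."""
    return VIEW_NAME_RE.fullmatch(name) is not None


def _check_layout(row_no, row, panels):
    grouping = row.get("grouping")
    if grouping is None:
        # Without grouping, a row holds up to three panels.
        if len(panels) > 3:
            return [("row-too-many-panels", f"row {row_no}: {len(panels)} panels")]
        return []
    try:
        columns = [int(part) for part in grouping.split(",")]
    except ValueError:
        return [("grouping-invalid", f"row {row_no}: grouping={grouping!r}")]
    # Assumption from the page's examples: the values sum to the panel count.
    if sum(columns) != len(panels):
        return [("grouping-mismatch",
                 f"row {row_no}: grouping={grouping} but {len(panels)} panels")]
    return []


def _check_panel(row_no, panel):
    out = []
    where = f"row {row_no} <{panel.tag}>"
    # Inline searches run on every dashboard load; flag ones with no time range.
    if panel.find("searchString") is not None and panel.find("earliestTime") is None:
        out.append(("inline-no-time-range", where))
    for link in panel.findall("drilldown/link"):
        target = (link.text or "").strip()
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https"):
            continue  # relative target: a view on the same Splunk instance
        tokens = TOKEN_RE.findall(target)
        if tokens:
            # Clicked result values leave the Splunk instance in the URL.
            out.append(("drilldown-external-token",
                        f"{where}: {', '.join(tokens)} -> {parts.netloc}"))
        if parts.scheme == "http":
            out.append(("drilldown-cleartext", f"{where}: {parts.netloc}"))
    return out


def audit_dashboard(xml_text):
    """Return (rule, detail) findings for one dashboard's simple XML.

    Intended for dashboards written by your own administrators; for XML from
    an untrusted source, parse with a hardened parser such as defusedxml.
    """
    root = ET.fromstring(xml_text.strip())
    findings = []
    for row_no, row in enumerate(root.iter("row"), start=1):
        panels = [el for el in row if el.tag in PANEL_TAGS]
        findings += _check_layout(row_no, row, panels)
        for panel in panels:
            findings += _check_panel(row_no, panel)
    return findings


# Constructed sample: row 1 declares five grouped panels but has four;
# row 2 combines the page's inline search with both drilldown links.
SAMPLE = """
<dashboard>
  <label>Constructed sample</label>
  <row grouping="3,2">
    <chart><searchName>My saved report</searchName></chart>
    <chart><searchName>My saved report</searchName></chart>
    <chart><searchName>My saved report</searchName></chart>
    <chart><searchName>My saved report</searchName></chart>
  </row>
  <row>
    <table>
      <searchString>
        index="_internal" source="*metrics.log" group="pipeline"
        | chart sum(cpu_seconds) over processor
      </searchString>
      <drilldown>
        <link field="processor">
          /app/ui_examples/FormSearchDrillDown?form.processor=$row.series$
        </link>
        <link>http://splunk-base.splunk.com/integrated_search/?q=$click.value2$</link>
      </drilldown>
    </table>
  </row>
</dashboard>
"""

if __name__ == "__main__":
    for rule, detail in audit_dashboard(SAMPLE):
        print(f"{rule:26} {detail}")
```

Run it over each view's XML before sharing a private dashboard with other users or apps; a finding is a prompt for review, not proof of a problem.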


Build a real-time dashboard

You can build a real-time dashboard using the Splunk Dashboard Editor, coding the dashboard using simple XML, or using Splunk's Advanced XML. This topic provides an example of creating a real-time dashboard using simple XML.

For information on building a dashboard using Advanced XML, see "How to build a real-time dashboard" in the Advanced Web customization section of this manual.

Enable real-time searching

Use the <earliestTime> and <latestTime> params to enable real-time searching. For example, if you want to enable real-time searching and display the data in a table, specify the following:

<table>
    <title>Look here for errors that you need to care about</title>
    <searchName>Errors in the last 24 hours</searchName>
    <fields>host, source, errorNumber</fields>
    <earliestTime>rt</earliestTime>
    <latestTime>rt</latestTime>
</table>

You can also set a window for your real-time dashboard. For example, to show real-time events from only the last 5 minutes, specify the following:

<table>
    <title>Look here for errors that you need to care about</title>
    <searchName>Errors in the last 24 hours</searchName>
    <fields>host, source, errorNumber</fields>
    <earliestTime>rt-5m</earliestTime>
    <latestTime>rt</latestTime>
</table>

For more information on setting a search window, see "Specify real-time time range windows in your search" in the Search Manual.

Example illustrating three row dashboard with various visualizations

This dashboard example contains several rows illustrating various panels you can create with simple XML.

Note: Because this dashboard illustrates grouping of panels, you cannot edit this dashboard in the Splunk Dashboard Editor.

First row

  • HTML panel: Displays a basic message and lists a few links to saved searches.
  • Table panel: Displays high CPU usage in the past hour, specifying 10 rows of data, no row numbers, and overlaying a heat map to highlight high values.
  • Event panel: Displays results of a saved search as a listing of events. Displays 5 rows of results at a time, and wrapping of events is off.
<dashboard>
  <label>Dashboard example</label>
  <row>

    <html>
      <p>This is an <i><b>HTML panel</b></i> providing links to saved searches.</p>
      <ul>
        <li><a href = "@go?s=Errors in the last 24 hours">Errors in the last 24 hours</a></li>
        <li><a href = "@go?s=My second search">Errors in the last hour</a></li>
        <li><a href = "@go?s=My second search">Splunk errors last 24 hours</a></li>
       </ul>
    </html>

    <table>
      <title>High CPU processors in the last hour</title>
      <searchString>
          index="_internal" source="*metrics.log" group="pipeline" 
          | chart sum(cpu_seconds) over processor 
          | sort -sum(cpu_seconds) | rename sum(cpu_seconds) as "Total CPU Seconds"
       </searchString>
      <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
      <option name="count">10</option>
      <option name="dataOverlayMode">heatmap</option>
      <option name="displayRowNumbers">false</option>
      <option name="showPager">true</option>
    </table>

    <event>
      <searchName>Errors in the last 24 hours</searchName>
      <title>Errors in the last 24 hours</title>
      <option name="count">5</option>
      <option name="displayRowNumbers">true</option>
      <option name="maxLines">10</option>
      <option name="segmentation">outer</option>
      <option name="softWrap">false</option>
    </event>

   </row>

   . . .

Second row

  • Column chart panel: Displays a chart as stacked columns, providing labels for the X and Y axes. The inline search is derived from a version of the Splunk tutorial.
  • Pie chart panel: Displays the same search as the column chart panel, but as a pie chart.
   . . . 

  <row>
    <chart>
      <searchString>
        sourcetype=access_* method=GET | timechart count by categoryId 
        | fields _time BOUQUETS FLOWERS
      </searchString>
      <title>Views by product category, past week (Stacked)</title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.axisTitleX.text">Views</option>
      <option name="charting.axisTitleY.text">Date</option>
      <option name="charting.chart">column</option>
      <option name="charting.primaryAxisTitle.text"></option>
      <option name="charting.secondaryAxisTitle.text"></option>
      <option name="count">10</option>
      <option name="displayRowNumbers">true</option>
    </chart>
    <chart>
      <searchString>
        sourcetype=access_* method=GET | timechart count by categoryId 
        | fields _time BOUQUETS FLOWERS
      </searchString>
      <title>Views by product category, past week (Pie Chart)</title>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">pie</option>
      <option name="count">10</option>
      <option name="displayRowNumbers">true</option>
    </chart>
  </row>
   . . .

Third row

This row illustrates various ways to display single values, and provides an example of a panel grouping.

  • Radial gauge panel: Displays a radial gauge for an inline search checking all Splunk server log events.
  • Single value button grouped with a marker gauge chart panel: Uses the same search as the radial gauge. Note that specifying colors for a single value differs from the gauge charts.
   . . . 
   <row grouping="1,2" >
    <chart>
      <searchString>
        index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN* 
        OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Splunk server log events (Radial Gauge)</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">radialGauge</option>
      <option name="charting.chart.rangeValues">[0,100,300,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
    </chart>
     
    <single>
      <searchString>
         index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN*
         OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events 
         | rangemap field=log_events low=1-100 elevated=101-300 default=severe
      </searchString>
      <title>Log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="classField">range</option>
      <option name="afterLabel">total logging events</option>
      <option name="beforeLabel">Found</option>
    </single>

    <chart>
      <searchString>
        index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN*
        OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events 
      </searchString>
      <title>Splunk server log events</title>
      <earliestTime>-1d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">markerGauge</option>
      <option name="charting.chart.rangeValues">[0,100,300,500]</option>
      <option name="charting.gaugeColors">[0x84e900,0xffe800,0xbf3030]</option>
    </chart>
  </row>

</dashboard>


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

