Splunk® Enterprise

Dashboards and Visualizations

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Dashboards overview: What you can do with Splunk Web and XML

Splunk provides a range of options when it comes to dashboards. You can create fairly sophisticated dashboards with a minimum of effort simply by using the tools that we provide in Splunk Web, and this is enough for many users. But if you're willing to delve into the XML upon which the dashboards are based, the range of things that you can do with your Splunk dashboards expands dramatically.

This overview covers the functionality available via these approaches to dashboard construction and maintenance, to help you decide which way to go. It also provides a look at the especially handy Splunk Dashboard Examples app, a valuable resource for anyone interested in creating useful, dynamic dashboards.

About views, dashboards, and forms

Every page in a Splunk app is a view. For example, the search timeline page in the Search app is a default view that ships with that app. If you design your own apps you can construct views for them.

Dashboards are one of the most common types of views, and they are among the easiest to build. Each dashboard is made up of panels that can contain charts, tables, event lists, HTML, and text. Most dashboard panels are hooked up to searches that kick off when the dashboard is loaded, providing you with up-to-the-moment metrics and analysis. You can design dashboards that provide insight into just about any aspect of your IT data, from real-time breakdowns of online sales revenue to lists and charts detailing recent firewall attacks and other security concerns.

A form is similar to a dashboard in that it includes the same kinds of panels--event lists, tables, charts, and so on. But a form provides an interface that enables users to provide values for the searches that power the form's panels, typically using open fields, drop-down lists, or radio buttons.

To design a form, you have to work directly with the view XML. You can't create forms in Splunk Web.

Dashboards: What you can do with Splunk Web

You can easily make dashboards with Splunk Web. Use the Dashboard Editor to create new dashboards and edit existing dashboards. Use the "Panel Editor" to change or update panels in your dashboard. You can quickly create dashboard panels that are based on both new and saved searches and reports, rearrange a dashboard's panel order, and much more. You can also access and edit dashboard XML via the Splunk Web interface.

With the tools available to you in Splunk Web, you can:

  • Quickly create a dashboard panel that's based on a search that you've just run.
  • Use drag-and-drop functionality to manually organize dashboard layouts.
  • Create dashboard panels of different types: event lists, tables, charts, and single value visualizations.
  • Control basic formatting for event lists, tables, charts, gauges, and single value panel types.
  • Manage basic drilldown functionality for event list, table, and chart panel types.
  • 'Edit base searches for dashboard panels'--you can choose a saved search or edit them inline.
  • Generate a PDF of the dashboard with a button click.
  • Arrange to have dashboard PDFs sent to stakeholders via email on a schedule.
  • Access and edit the dashboard XML.
  • Manage basic permissions at the dashboard level, and advanced permissions in Manager.

For more information about dashboard design with Splunk Web, see "Create and edit dashboards via the UI" in this manual.

Dashboards and forms: What you can do with XML

Splunk provides two levels of view XML for dashboard development. Simple XML is the easiest to use and is tremendously versatile. We cover its usage in this manual.

Advanced XML is best suited for extending core Splunk as well as top-to-bottom app development, but it does offer a few capabilities that simple XML lacks. It's discussed in the Developing Views and Apps for Splunk Web Manual.

Simple XML

When you edit the simple XML for an existing dashboard (or build a dashboard from scratch in simple XML) you can do everything covered by the Splunk Web list, above. In addition, you can:

  • Control a much wider range of dashboard panel formatting properties. Use the custom chart configuration reference to customize the appearance of your charts and gauges.
  • Configure advanced, dynamic drilldown behaviors (such as drilldown clicks that take users to a second dashboard).
  • Create HTML panels, which display static text, images, and HTML formatting.
  • Configure panels where one chart is overlaid over another. Splunk's charting library includes special chart types designed specifically for overlay purposes.
  • Design forms that:
    • Include text boxes, dropdown lists, and dynamic radio buttons.
    • Have different searches for each panel that all make use of the input from the form controls (text box, list, or radio button)
    • Make use of post-process searches (searches whose results are "post-processed" by child panels, using reporting commands like timechart, chart, and stats).
    • Auto-run on page load with a default value. Users can rerun the page after it loads with different values if they wish.

To learn how to create more sophisticated dashboards with simple XML, start with "Build and edit dashboards with simple XML" in this manual.

To learn how to create forms with simple XML, see "Build and edit forms with simple XML" in this manual.

Advanced XML

If you can't achieve what you want with simple XML you might consider moving to advanced XML. As we mentioned before, advanced XML is not so much for dashboard or form construction--it's best used for designing new apps. Apps are made of modules, and advanced XML enables you to specify how these modules are wired up and how data flows between them.

When it comes to dashboards and forms, with advanced XML you can design complex dashboards and forms that:

  • Include custom CSS to modify their appearance.
  • Make use of switchers, which enable tabs or dropdown lists that can switch the panel content or UI controls (imagine a single panel that can be switched between four different visualizations with different base searches)
  • Make use of listers--dropdown lists or lists of links that are dynamically populated with search results (such as the 10 source types with the most data indexed over the hour preceding page load) and which can carry out a variety of actions when a specific list value is clicked or selected. Among other things, listers can:
    • Drive multiple elements in a dashboard or form.
    • Be chained together (a selection in one lister determines the options available in another one)
    • Be used in forms as well as dashboards

To learn more about designing apps, dashboards, and forms using advanced XML, start by reading "About advanced XML" in the Developing Views and Apps for Splunk Web Manual.

The Splunk Dashboard Examples app

When it comes to learning dashboard and form design in all three formats--Splunk Web, simple XML, and advanced XML--the Splunk Dashboard Examples app can be an invaluable resource. This app provides a cornucopia of dashboard and form examples of all ranges of complexity--more than 50 in all. Each example dashboard comes with a text explanation of how it works and a link to the dashboard source code.

The Splunk Dashboard Examples app will come in handy whether you're a novice at simple XML or a seasoned expert with advanced XML.

Go to Splunk Base to download the Splunk Dashboard Examples app and install it in your Splunk instance.

Splunk Dashboard Examples app-1.png

Save reports and share them with others
Splunk default dashboards

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters