Splunk® Enterprise

Dashboards and Visualizations

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Splunk default dashboards

Splunk's Search app comes packaged with a set of useful dashboards that also serve to demonstrate a few different configurations of our search and reporting modules. As such, they could help you come up with some ideas of how you might want to design some dashboards and views of your own.

Summary dashboard

The Summary dashboard is the first thing you see as you enter the Search app. It provides a search bar and time range picker which you can use to input and run your initial search. Below that, you'll find some elemental indexing metrics for this instance of Splunk, all of which are generated by inline searches and saved searches linked to the dashboard. You'll find a count of the total amount of events indexed, and the timestamps for the earliest and latest events indexed.

You'll also see lists displaying the various sources, sourcetypes, and hosts indexed by your Splunk instance, ordered by the total amount of events indexed for each field. Select a list item to kick off a search for occurrences of that particular field.

Summary dash example 4.3.png

Note: Keep in mind that index permissions are set at the role level. This means that viewers of the Summary dashboard can only see indexing information for indexes that they have permissions to see, according to their role. For more information about users, roles, and role-based index permissions, see the "Add and manage users" section of Securing Splunk.

Not finding the events you're looking for?

When you add an input to Splunk, that input gets added relative to the app you're in. Some apps, like the *nix and Windows apps, write input data to a specific index (in the case of *nix and Windows, that is the os index). If you review the summary dashboard and you don't see data that you're certain is in Splunk, be sure that you're looking at the right index. You may want to add the index that an app uses to the list of default indexes for the role you're using. For more information about roles, refer to the topic about roles in Securing Splunk.

Status dashboards

The Search app includes five collections of dashboards that display different kinds of Splunk status information. You can find in the Status menu on the app navigation bar near the top of the page.

Note: These dashboards are only visible to users with Admin role permissions. For more information about users and roles, see the "Add and manage users" section in Securing Splunk. For more information about setting up permissions for dashboards, see the Knowledge Manager manual.

  • Search activity - This dashboard collection provides at-a-glance info about search activity for your Splunk instance. You can find out when searches are running, the amount of load they're putting on the system, which searches are the most popular, which search views and dashboards are getting the most usage, and more.
  • Index activity - This collection of dashboards expands upon the basic indexing statistics presented in the summary dashboard. You'll see the total events indexed (broken out by index), the top five indexed sourcetypes, the indexing rate by sourcetype over the past 24 hours, lists of indexing errors, and a number of other useful stats.
  • Server activity - This small collection of dashboards provides metrics related to splunkd and Splunk Web performance. You'll find the numbers of errors reported, lists of the most recent errors, lists of timestamping issues and unhandled exceptions, a chart displaying recent browser usage, and more.
  • Inputs activity - This dashboard displays information about your Splunk inputs. You can see your most recently processed files and your most recently ignored files.
  • Scheduler activity - This collection of dashboards gives you insight into the work of the search scheduler, which ensures that both ad hoc and scheduled searches are run in a timely manner.

Manage views

The Manage views link in the Views list takes you to the Views page in Manager, where you can review and update the views that you have permission to manage, change their permissions, and add new views. To create or update views here you need to be familiar with XML and have an understanding of how views are developed in Splunk. For more information see the Developers manual.

Note: You can also get to the Views page by navigating to Manager > User interface > Views.

Dashboards overview: What you can do with Splunk Web and XML
Create and edit dashboards via Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters