Splunk® Enterprise

Splunk Enterprise Scenarios

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Customize dashboard panels

Scenarios steps customize db.png
The dashboard panels now display information about failed logins. Besides the captions for each value, though, they do not include much context.

Customize the panels so that they are easier to interpret at a glance.

  • Update the single value visualizations to color the values by severity.
  • Streamline the panel layout using Simple XML.

Part 1: Use color to show value severity

Repeat these steps for each panel.

  1. From the dashboard, select Edit> Edit Panels.
    The panels open in an editing mode.
  2. Click the paintbrush icon for one of the panels. The Format menu opens.
  3. In the Color settings panel, set Use Colors to Yes. Configurable colors and ranges appear.
  4. In this scenario, more than 10,000 failed logins are a serious concern. Counts at this level or above should be shown in red. Adjust all of the default ranges to match the following settings.
    Scenarios format edit single val ranges.png
  5. Click Apply.

Part 2: Streamline the dashboard

Display the three single value visualizations in one panel to indicate that they are closely related. Edit the XML source code to change the layout.

Steps

  1. From the dashboard, select Edit > Edit Source to open the XML Editor.
  2. Observe that in the XML source code, each panel is separated by the following tags.
    <panel></panel>
    
  3. Put all of the visualizations into one panel by deleting the </panel> and <panel> tags between the panels.
    Leave the first <panel> and the last </panel> tags in place.
    The edited XML code should look like this.
    <dashboard>
      <label>Failed Logins</label>
      <row>
        <panel>
          <single>
            <search>
              <query>sourcetype=secure failed | stats count</query>
            </search>
            <option name="colorBy">value</option>
            <option name="colorMode">none</option>
            <option name="drilldown">all</option>
            <option name="numberPrecision">0</option>
            <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
            <option name="rangeValues">[0,3000,7000,10000]</option>
            <option name="showSparkline">1</option>
            <option name="showTrendIndicator">1</option>
            <option name="trendColorInterpretation">standard</option>
            <option name="trendDisplayMode">absolute</option>
            <option name="underLabel">Failed attempts</option>
            <option name="unitPosition">after</option>
            <option name="useColors">1</option>
            <option name="useThousandSeparators">1</option>
            <option name="linkView">search</option>
          </single>
          <single>
            <search>
              <query>sourcetype=secure failed "invalid user"  | stats count</query>
            </search>
            <option name="colorBy">value</option>
            <option name="colorMode">none</option>
            <option name="drilldown">all</option>
            <option name="numberPrecision">0</option>
            <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
            <option name="rangeValues">[0,3000,7000,10000]</option>
            <option name="showSparkline">1</option>
            <option name="showTrendIndicator">1</option>
            <option name="trendColorInterpretation">standard</option>
            <option name="trendDisplayMode">absolute</option>
            <option name="underLabel">Invalid accounts</option>
            <option name="unitPosition">after</option>
            <option name="useColors">1</option>
            <option name="useThousandSeparators">1</option>
            <option name="linkView">search</option>
          </single>
          <single>
            <search>
              <query>sourcetype=secure failed  NOT "invalid user" | stats count</query>
            </search>
            <option name="colorBy">value</option>
            <option name="colorMode">none</option>
            <option name="drilldown">all</option>
            <option name="numberPrecision">0</option>
            <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
            <option name="rangeValues">[0,3000,7000,10000]</option>
            <option name="showSparkline">1</option>
            <option name="showTrendIndicator">1</option>
            <option name="trendColorInterpretation">standard</option>
            <option name="trendDisplayMode">absolute</option>
            <option name="underLabel">Valid accounts</option>
            <option name="unitPosition">after</option>
            <option name="useColors">1</option>
            <option name="useThousandSeparators">1</option>
            <option name="linkView">search</option>
          </single>
        </panel>
      </row>
    </dashboard>
    
  4. Click Save. The three visualizations now appear in the same dashboard panel. Scenario dashboard 3panels1.png

Go to the the next step to complete the dashboard.

PREVIOUS
Create visualizations
  NEXT
Add dashboard interactivity

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters