Splunk® Enterprise

Splunk Enterprise Scenarios

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Add dashboard interactivity

Scenarios lastStep db interactive.png

You're almost done!

The dashboard needs interactive features so that users can find more details about hackers and targeted accounts. Complete the dashboard by adding the following three panels.

  • A table showing the IP addresses of the five hackers responsible for the most failed authentication attempts.
  • A drilldown table showing the user accounts targeted by a selected hacker.
  • A drilldown map showing the location associated with the IP address of a selected hacker.

Part 1: Add a table showing the top five hackers

  1. Run a search that generates a table of the five IP addresses responsible for the most failed logins.
    sourcetype=secure failed | top 5 clientip
  2. Select the Statistics tab to view the results table. Observe that the table includes a percentage column. The last two columns are named for the clientip field and the failed login count.
  3. Adjust the search to remove the percentage column and rename the last two columns.
    sourcetype=secure failed | top 5 clientip showperc=f | rename clientip as "Hacker" count as "Failed Logins"
  4. Run the updated search and check the Statistics tab. The new table now has just the two columns you want and more descriptive column titles.
  5. Select Save As>Dashboard Panel.
  6. Add the panel to your existing Failed Logins dashboard with the panel title, Top Five Hackers.
  7. Click Save.
  8. Click View Dashboard.
    The dashboard now includes a table showing the top five hacker IP addresses.

Part 2: Set up a drilldown from the hackers table

In this scenario, users might want more information about the hackers listed in the table. Make the table more interactive so that users can click on a hacker IP address to see a list of user accounts that the hacker has targeted.

You can use a drilldown to implement this interactivity. Follow the next steps to set up a drilldown between the table and a new panel that lists targeted user accounts.


  1. From the dashboard, select Edit > Edit Source to open the XML dashboard source code.
  2. Scroll to the bottom of the page to find the XML for the "Top 5 hackers" table.
  3. Create a drilldown that uses a token to capture the hacker IP address that a user selects in the table.
    To do this, add the following XML immediately below the <search>...</search> tags.
              <set token="hackerip">$click.value$</set>
  4. Observe that the XML code defines a new token, "hackerip". This token is like a programming variable. The token is set up to capture a value from a clicked table row. You can reference the token in a search using this notation $hackerip$.
  5. Click Save to return to the dashboard.

Part 3: Add the new table

At this point, the "Top 5 hackers" table has a drilldown and token set up to capture the IP address that a user selects. Now you can add a table for targeted accounts. The search that drives the new table uses the captured token value to show targeted accounts for that IP address.


  1. From the dashboard, select Edit> Edit Panels > Add Panel. A list of panel options opens.
  2. Select New > Statistics Table to create a new table. A table settings panel opens.
  3. Use the settings panel to add the following table components.
    • Title: $hackerip$ targeted accounts
    • Search string:
      sourcetype=secure clientip="$hackerip$" | stats count by username | sort -count
    Observe that the new search looks for events where the clientip field contains the $hackerip$ token value. The search also aggregates events by username and sorts them in descending order.
  4. Click Add to Dashboard and close the table settings panels.
    The new panel now appears at the bottom of the dashboard. It does not show any data yet because the panel only populates when a user clicks on an IP address from the "Top 5 hackers" table.
  5. Click on an IP address in the "Top 5 hackers" table to try out the drilldown. The new table should populate.

Part 4: Adjust the dashboard layout and table display

Make room in the dashboard for the last panel.

  1. Select Edit > Edit Panels. Click and drag the new panel so that appears to the right of the "Top 5 hackers" panel.
  2. Click Done in the upper right corner to commit these edits.
  3. Make more room for the next panel. To do this, adjust the targeted accounts panel to show fewer rows.
    1. Select Edit > Edit Panels.
    2. Click on the paintbrush icon in the Targeted accounts panel. The Format menu opens.
    3. Change the Rows per page setting to 5.
    4. Close the Format menu. The bottom panels are now aligned and leave room for the last panel.
  4. Click Done in the upper right corner to commit these edits.
  5. The updated dashboard should now look like this.
    Scenarios db panels aligned pre-map.png

Part 5: Create a drilldown map showing hacker locations

Add a final panel to the dashboard to show hacker IP addresses on a map. This new panel uses a drilldown from the "Top 5 hackers" panel to generate the map.


  1. Select Edit > Edit Panels > Add Panel. A panel options list opens.
  2. Select New > Map. Add the following panel settings.
    Title: Hacker location
    Search string:
    sourcetype=secure failed clientip="$hackerip$" | dedup clientip | iplocation prefix=cip_ clientip | geostats latfield=cip_lat longfield=cip_lon count
    Observe that this search looks for events where the clientip field contains the $hackerip$ value selected from the "Top 5 hackers" table. It also removes duplicate values for the clientip field and generates latitude and longitude coordinates for the hacker IP address. The search counts events with the same latitude and longitude.
  3. Click Add to Dashboard.
  4. Close the table settings panel and click Done to save the edits.
  5. Try out the new drilldown by clicking on an IP address in the "Top 5 hackers" table. The "Targeted accounts" and "Hacker location" panels should populate. The completed dashboard looks like this.
    Scenarios completed db.png


Congratulations! You now have an interactive dashboard that offers many kinds of information at a glance.

To learn more about the concepts and tools included in this scenario, see the following resources.

To learn about See
  • Writing searches
  • Transforming and other commands

Search Manual
Search Reference

  • Fields and field extractions
Knowledge Manager Manual
  • Creating and editing visualizations
  • Creating and editing dashboards
  • Drilldown interactivity
  • Simple XML
  • Tokens
Dashboards and Visualizations
  • Additional custom dashboard implementation examples
Dashboard Examples app
Last modified on 17 April, 2017
Customize dashboard panels

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters