Build a real-time dashboard
| Important notice: The Advanced XML dashboard framework is officially deprecated. For more information, see Advanced XML Deprecation. |
You can use real-time reporting to show streaming results in dashboards. First, construct a real time search, as described in the real-time search and reporting chapter in the Search Manual. Save this search and add it to your dashboard using the HiddenSavedSearch module.
To enable real-time on your dashboard, add the EnablePreview module to your view XML. For example:
... <module name="EnablePreview"> <param name="enable">true</param> <param name="display">false</param> ...
If you're building an inline search with the HiddenSearch module, you can specify a sliding window for real-time results by setting the earliest and latest params on your HiddenSearch module. For example, the following sets a five minute window, therefore showing streaming results from the most recent five minutes:
... <module name="HiddenSearch" autoRun="True"> <param name="search">host=foo OR bar | top IP</param> <param name="earliest">rt-5m</param> <param name="latest">rt</param> ...
Example
Here is a complete example. This example sets the real-time window to 30 seconds.
<?xml version="1.0"?>
<view template="dashboard.html">
<label>Real time example</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<module name="GenericHeader" layoutPanel="panel_row1_col1" autoRun="True">
<param name="label">My real time search</param>
<module name="HiddenSearch" autoRun="True">
<param name="search">host=foo OR bar | top IP</param>
<param name="earliest">rt-30s</param>
<param name="latest">rt</param>
<module name="EnablePreview">
<param name="enable">true</param>
<param name="display">false</param>
<module name="HiddenChartFormatter">
<param name="chart">area</param>
<param name="primaryAxisTitle.text">Time</param>
<param name="chart.stackMode">default</param>
<param name="secondaryAxisTitle.text">Count</param>
<module name="FlashChart">
<param name="width">100%</param>
<param name="height">250px</param>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
<param name="label">View results</param>
</module>
</module>
</module>
</module>
</module>
</view>
| Customize drilldown options | Turn off autopause |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9
Download manual
Feedback submitted, thanks!