Splunk® Light (Legacy)

Search and Reporting Examples

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Add tables to a dashboard

Tables are an easy way to visualize your data. In this scenario, you create two tables using different search syntax.

Use the table command to generate a table

To build a table, you can use a table command. The table command is a generating command. Generating commands fetch information from the indexes, without any transformations. In this scenario, make a table of your event type, source type and hour data to visualize your activity.

  1. Click Search on the Splunk Light bar.
  2. Type the following into the search bar.

    index=os /var/log sourcetype!=ps

    This lists all events within /var/log that are not of source type ps.
  3. To add fields to the Selected Fields, click All Fields.
  4. Select date_hour and event type. These fields are now included in the search results.
  5. Type the following into the search bar.

    index=os /var/log sourcetype!=ps | table eventtype sourcetype date_hour | sort -date_hour

    This displays a table with the columns in the same order as they are typed.
  6. Click Save As and click Dashboard Panel.
  7. Add your table to your existing dashboard.
  8. Name your panel Event and source type by time.
  9. Click Save.
  10. To view your changes, click View Dashboard.

Create a table from a search

You can create a table using a series of pipes. In this scenario, create a table of process counts by user.

  1. Click Search on the Splunk Light bar.
  2. Type the following into the search bar.

    sourcetype=ps | stats count(user) by user | sort -count(user)

    This creates a table of users and process counts, organized by highest process count.
  3. Click Save As, and click Dashboard Panel.
  4. Add your table to your existing dashboard.
  5. Name your panel Process counts by user.
  6. Click Save.
  7. To view your changes, click View Dashboard.

Your dashboard now contains five panels: two prebuilt panels, one powered by an inline search, and two table panels.

Last modified on 10 August, 2016
PREVIOUS
Add a dashboard panel from a search
  NEXT
Add a single value panel to a dashboard

This documentation applies to the following versions of Splunk® Light (Legacy): 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters