Add tables to a dashboard

Tables are an easy way to visualize your data. In this scenario, you create two tables using different search syntax.

Use the table command to generate a table

To build a table, you can use a table command. The table command is a generating command. Generating commands fetch information from the indexes, without any transformations. In this scenario, make a table of your event type, source type and hour data to visualize your activity.

1. Click Search on the Splunk Light bar.
2. Type the following into the search bar.

   index=os /var/log sourcetype!=ps

   This lists all events within /var/log that are not of source type ps.
3. To add fields to the Selected Fields, click All Fields.
4. Select date_hour and event type. These fields are now included in the search results.
5. Type the following into the search bar.

   index=os /var/log sourcetype!=ps | table eventtype sourcetype date_hour | sort -date_hour

   This displays a table with the columns in the same order as they are typed.
6. Click Save As and click Dashboard Panel.
7. Add your table to your existing dashboard.
8. Name your panel Event and source type by time.
9. Click Save.
10. To view your changes, click View Dashboard.

Create a table from a search

You can create a table using a series of pipes. In this scenario, create a table of process counts by user.

1. Click Search on the Splunk Light bar.
2. Type the following into the search bar.

   sourcetype=ps | stats count(user) by user | sort -count(user)

   This creates a table of users and process counts, organized by highest process count.
3. Click Save As, and click Dashboard Panel.
4. Add your table to your existing dashboard.
5. Name your panel Process counts by user.
6. Click Save.
7. To view your changes, click View Dashboard.

Your dashboard now contains five panels: two prebuilt panels, one powered by an inline search, and two table panels.