Here are some example custom dashboards you can use as a starting point for your own. They are examples only and must be modified to fit your datasets.
Put custom dashboards in $SPLUNK_HOME/etc/system/local/prefs.conf. For help on creating dashboards, see this page.
This is an advanced custom search dashboard example using Twiki. Edit the searches and display options to customize this example for your own dataset.
This defines the modules for the Twiki dashboard. The first module is a custom _text module; the second, third and fourth are custom 'columns of blue links' modules.
dashboardset_twiki = TwikiIntro,Twiki saved searches,Twiki activity last 24 hours,Twiki activity last 7 days,Users editing in the last 24 hours,Pages edited in the last 24 hours
Note: The $+ is important, as we don't want to blow away the custom list, but rather append to existing ones.
dashboard_customList = Twiki activity last 7 days,Twiki activity last 24 hours,TwikiIntro,Twiki saved searches,$+
Custom list entries must have both a *_searches and a *_labels entry (even if the *_labels one is empty). If there is only one search in the *_searches list, it can return as many results as you want, and the module splits the rendering into two or three columns as needed.
dashboard_customList_Twiki_saved_searches_searches = ['| admin mysavedsearches | where stanza LIKE "Twiki%" | rename stanza as name query as term | sort name']
dashboard_customList_Twiki_saved_searches_labels =
Note: If you have more than one search in *_searches, you MUST limit the results to 15 by whatever means you choose. This is to defeat the auto-column-splitting feature referred to above, which renders poorly. You must use *_labels when there is more than one search in the *_searches key. They appear as subheaders above the respective results.
dashboard_customList_Twiki_activity_last_24_hours_searches = ['sourcetype="twiki" ( save OR edit ) starthoursago="24" | top limit=15 twikiuser | eval term="( save OR edit ) ".twikiuser | rename twikiuser as name | rename count as rowCount', 'sourcetype="twiki" ( attach OR upload ) starthoursago="24" | top limit=15 twikiuser | eval term="(attach OR upload) ".twikiuser | rename twikiuser as name | rename count as rowCount']
dashboard_customList_Twiki_activity_last_24_hours_labels = Edits, Uploads
dashboard_customList_Twiki_activity_last_7_days_searches = ['sourcetype::twiki edit startdaysago::7 | where date_hour>20 OR date_hour<5 | top limit=15 twikiuser | eval term="edit ".twikiuser." | where date_hour>20 OR date_hour<5" | rename twikiuser as name | rename count as rowCount', 'host::twiki view | where twikiuser=twikipage | top limit=15 twikiuser | rename twikiuser as name | rename count as rowCount | eval term="host::twiki view ".name." | where twikiuser=twikipage"', 'host::twiki *kickoff* save startdaysago::7 | top limit=15 twikipage | rename twikipage as name count as rowCount | eval term="host::twiki \"*kickoff*\" | where twikipage=\"".twikipage."\""']
dashboard_customList_Twiki_activity_last_7_days_labels = Insomnia,Profile updates,Edited pages with 'kickoff' in the title. (replace kickoff with anything you want to keep an eye on)
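The two rules above (every dashboard_customList entry needs a *_searches and a *_labels key, and a module with more than one search needs one label per search plus a 15-row cap on each search) are easy to break when editing prefs.conf by hand. The following lint is an added example written for this page, not Splunk code and not part of the Twiki app. It assumes the key-naming convention visible in the snippets above (spaces in an entry name become underscores in the key), recognises only `top limit=15` and `head 15` as row caps, and runs over a constructed sample config that deliberately violates both rules.

```python
"""Lint a prefs.conf dashboard_customList block against the rules in the text.

Added example for this page, not part of Splunk. It assumes the key-naming
convention visible in the snippets above: spaces in a dashboard_customList
entry become underscores in the *_searches / *_labels key names.
"""
import ast
import re

# Constructed sample (not copied from a real deployment). The second module
# deliberately breaks two rules: two searches but only one label, and a
# second search with no 15-row limit.
SAMPLE_CONF = """
dashboard_customList = Twiki activity last 24 hours,Twiki saved searches,$+
dashboard_customList_Twiki_saved_searches_searches = ['| admin mysavedsearches | where stanza LIKE "Twiki%" | rename stanza as name query as term | sort name']
dashboard_customList_Twiki_saved_searches_labels =
dashboard_customList_Twiki_activity_last_24_hours_searches = ['sourcetype="twiki" ( save OR edit ) starthoursago="24" | top limit=15 twikiuser | rename twikiuser as name count as rowCount', 'sourcetype="twiki" ( attach OR upload ) starthoursago="24" | top twikiuser | rename twikiuser as name count as rowCount']
dashboard_customList_Twiki_activity_last_24_hours_labels = Edits
"""

# Heuristic: the page says "limit the results to 15 by whatever means you
# choose"; this only recognises the two common spellings.
LIMIT_RE = re.compile(r"\b(?:top\s+limit=15|head\s+15)\b")


def parse_conf(text):
    """Return {key: value} for 'key = value' lines. The split is on the first
    '=' only, so SPL such as sourcetype="twiki" in the value survives intact."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def list_entries(conf):
    """Module names from dashboard_customList. '$+' means 'append to the
    existing list' and is not a module, so it is dropped."""
    raw = conf.get("dashboard_customList", "")
    return [e.strip() for e in raw.split(",") if e.strip() and e.strip() != "$+"]


def key_for(name, suffix):
    """'Twiki saved searches' -> dashboard_customList_Twiki_saved_searches_<suffix>."""
    return "dashboard_customList_%s_%s" % (name.replace(" ", "_"), suffix)


def lint(conf):
    """Return a list of human-readable problems; an empty list means the block
    satisfies the rules stated on this page."""
    problems = []
    for name in list_entries(conf):
        skey, lkey = key_for(name, "searches"), key_for(name, "labels")
        if skey not in conf:
            problems.append("%s: missing %s" % (name, skey))
            continue
        if lkey not in conf:
            problems.append("%s: missing %s (required even if empty)" % (name, lkey))
        try:
            searches = ast.literal_eval(conf[skey])
        except (ValueError, SyntaxError):
            searches = None
        if not isinstance(searches, list) or not all(isinstance(s, str) for s in searches):
            problems.append("%s: %s must be a ['...', '...'] list of strings" % (name, skey))
            continue
        labels = [l.strip() for l in conf.get(lkey, "").split(",") if l.strip()]
        if len(searches) > 1:
            # More than one search: labels become subheaders, one per search,
            # and each search must cap its rows or the auto column split kicks in.
            if len(labels) != len(searches):
                problems.append("%s: %d searches but %d labels" % (name, len(searches), len(labels)))
            for i, s in enumerate(searches, 1):
                if not LIMIT_RE.search(s):
                    problems.append("%s: search %d has no 15-row limit" % (name, i))
    return problems


if __name__ == "__main__":
    for p in lint(parse_conf(SAMPLE_CONF)):
        print(p)
```

Run against a real prefs.conf, the lint reports the violating module by its dashboard_customList name, so a missing label or an uncapped second search shows up before the dashboard renders badly. Lines continued with a trailing backslash (as in the _text module below) are not joined by this parser; it only needs the *_searches and *_labels keys, which sit on single lines.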
dashboard_customList_TwikiIntro_text =\
With this app enabled, you'll get\
<ul>\
<li>some extracted fields like twikiuser, twikipage, twikiaction</li>\
<li>some event types, like twikiViews, twikiEdits, twikiUploads</li>\
<li>some field actions, some that go to the live twiki, some that launch 'show source' style viewers within Splunk</li>\
<li>some shared dashboard charts, as you see here</li>\
<li>some custom 'blue link' modules that show various useful little searches and breakdowns</li>\
<li>Also there's a <a href="http://spacecake:28000/?s=Twiki%20-%20template%20for%20Twiki%20homepage%20by%20hour%20of%20day" target="_top">Form Search</a> template for viewing the distribution of classes of events split by hour of the day.</li>\
</ul>
Here is a copy of prefs.conf for the PCI application's custom dashboards.
dashboard_customList_Saved_searches_searches = ['| admin mysavedsearches | where stanza NOT LIKE "PCI%" | rename search AS term stanza as name | fields name,term | sort +name']
dashboard_customList_Saved_searches_labels =
dashboard_customList = PCI active reports,PCI inactive reports,PCI,$+
dashboard_customList_PCI_active_reports_searches = ['| admin mysavedsearches | where stanza LIKE "PCI-Req%" | rename search AS term stanza as name | fields name,term | sort +name']
dashboard_customList_PCI_active_reports_labels =
dashboard_customList_PCI_inactive_reports_searches = ['| admin mysavedsearches | where stanza LIKE "PCI - %" | rename search AS term stanza as name | fields name,term | sort +name']
dashboard_customList_PCI_inactive_reports_labels =
dashboard_customList_PCI_searches = ['| admin mysavedsearches | where stanza LIKE "PCI-Req%" | rename search AS term stanza as name | fields name,term | sort +name']
dashboard_customList_PCI_labels =
This takes all of your saved searches and displays them on the dashboard based on whether the name of the saved search (stanza name) matches the filter. For example:
dashboard_customList = PCI active reports,PCI inactive reports,PCI,$+
dashboard_customList_PCI_active_reports_searches = ['| admin mysavedsearches | where stanza LIKE "PCI-Req%" | rename search AS term stanza as name | fields name,term | sort +name']
dashboard_customList_PCI_active_reports_labels =
The above lists all the saved searches whose name begins with PCI-Req, which makes it easy to organize saved searches by naming convention.