Topics

| pdf version

Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Advanced dashboard configuration

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6

Advanced dashboard configuration

Not all modules are available in the simple dashboard configuration. Use these instructions if you'd like to make a more sophisticated dashboard, using modules that aren't available in the simple dashboard configuration.

Configuration

Here's a general overview of how to build a dashboard:

  1. Decide how to visualize and display your data. For example, you may want to showcase your search results in a graph or you may want to present a list of links to search results.
  2. Construct searches.
  3. Build panels for each search.
  4. Construct your dashboard from the panels you've built.
  5. Finally, layout your dashboard panels. For more information on how to build a dashboard, read more about dashboard layout.

Decide how to visualize your data

First, decide how you want to showcase your data with the available modules. The results modules are the most useful modules to display search results in dashboards.

Construct searches

You can include searches in your dashboard panels in one of two ways:

1. Create the search, save it and run it on a schedule. Then reference the search results from your dashboard with the HiddenSavedSearch module. If you have a lot of users accessing your dashboard or the search takes a while to return, this is the best method.

2. Reference the search string directly in the dashboard panel with the HiddenSearch module. The HiddenSearch module runs your search every time the dashboard loads, so it works best if the search returns results quickly and there are only a few users accessing the dashboard at any given time.

Build panels

A panel is a set of results displayed in a dashboard. Dashboards can contain any number of panels. Each panel usually has only one search associated with it, via the HiddenSearch or HiddenSavedSearch module. Display results from the search in a results module, like a chart or a link list.

Here's an example panel from the tutorial dashboard:

Image:panel.jpg

And here's the XML behind this panel: 

 <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="Messages per minute last hour" autoRun="True">
   <param name="search">search index=_internal eps group=per_source_thruput NOT filetracker Metrics | eval events=eps*kb/kbps | timechart sum(events)</param>
   <param name="earliest">-1h</param>
   <module name="ResultsHeader">
     <param name="entityName">scanned</param>
     <param name="entityLabel">Events</param>
     <module name="FlashChart">
       <param name="height">180px</param>
       <param name="width">100%</param>
     </module>
   </module>
 </module>

Notice that there are only 3 modules in this panel -- HiddenSearch, ResultsHeader and FlashChart. HiddenSearch generates all the search results and FlashChart displays them. ResultsHeader displays a header with the amount of events searched by HiddenSearch.

Since HiddenSearch is the parent module, it takes a few other settings like layoutPanel, group and autoRun. LayoutPanel denotes where to place the panel within the dashboard. Group is a header that displays at the top of the panel. AutoRun indicates that the search in the panel should be run upon loading the page. Generally, you'll want to set autoRun = true.

Construct your dashboard

Now you've got a few panels showcasing your search results. You're ready to put these panels together into a complete dashboard. Here are the overall steps for constructing a dashboard:

1. Create the dashboard's XML file.

2. Layout your panels in the order you want them to display.

Create the dashboard's XML file

Add your dashboard to $SPLUNK_HOME/etc/apps/<your_app>/default/ui/views/. Then, open the XML file for editing. Start by adding the following: 

<view template="dashboard.html">

This specifies that you're using the dashboard template. Dashboard views use a different Mako template than the default template used by search views, so you must specify this template at the beginning of your dashboard's XML file.

You can also set the refresh rate here by adding a refresh=<seconds> tag. This will rerun your HiddenSearches, or get any new HiddenSavedSearch results.

This example sets the dashboard to refresh automatically every 30 seconds.: Edit the existing XML which should like like, 

<view template="dashboard.html">

to include refresh="30" 

<view refresh="30" template="dashboard.html">

Next, add the chrome. This works exactly like the search view: 

  <label>Tutorial Dashboard</label>
  <module name="AccountBar" layoutPanel="navigationHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

Optionally add the search bar. This will let users launch searches from the dashboard: 

 <module name="SearchBar" layoutPanel="mainSearchControls">
    <param name="useAssistant">true</param>
    <param name="useTypeahead">true</param>
    <module name="TimeRangePicker">
      <param name="selected">This month</param>
      <module name="ViewRedirector">
        <param name="viewTarget">simple_search_view</param>
      </module>
    </module>
  </module>

Note: Add the ViewRedirector module to launch your searches in a different view.

Retrieved from "http://www.splunk.com/base/Documentation/4.0.6/Developer/ConfigureDashboard"
Revision: 207 | Contact | Privacy Policy | Terms of Use | Community content licensed under Creative Commons

Copyright © 2005-2009 Splunk Inc. All rights reserved.