Use report-rich dashboards and views

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6


Splunk's Search app comes packaged with a set of useful dashboards and views that also serve to demonstrate a few different configurations of our search and reporting modules. As such, they may help you come up with some ideas of how you might want to design some dashboards and views of your own.

Every page in a Splunk app is a view. Views are collections of modules, such as search bars, timeline displays, link lists, and results tables. For example, you could construct a view that uses a preloaded search to populate a customized result display that fits the look and feel of your organization's website. For more information about creating views for your own Splunk apps, see "Search views" in the Developer manual.

Dashboards are a type of view. Each dashboard is made up of panels that can contain modules such as search boxes, fields, charts, tables, and lists. Many panels are hooked up to preset and saved searches that kick off when the dashboard is loaded, providing you with up-to-the-moment metrics and analysis.

Note: Learn how to get basic dashboards up and running using Splunk's visual dashboard editor. For more information, see "Create simple dashboards with the dashboard editor" in this manual.

To learn how to create more sophisticated dashboards, see the "Build dashboards" section of the Developer manual.


Summary dashboard

The Summary dashboard is the first thing you see as you enter the Search app. It provides a search bar which you can use to input and run your initial search. Below that, you'll find some elemental indexing metrics for this instance of Splunk, all of which are generated by inline searches and saved searches linked to the dashboard. You'll find a count of the total number of events indexed, as well as lists that display the various sources, sourcetypes, and hosts indexed by your Splunk instance, ordered by the total number of events indexed for each field. Select a list item to kick off a search for occurrences of that particular field.

Note: Keep in mind that index permissions are set at the role level. This means that viewers of the Summary dashboard can only see indexing information for indexes that they have permissions to see, according to their role. For more information about users, roles, and role-based index permissions, see the "Add and manage users" section of the Admin manual.


Not finding the events you're looking for?

When you add an input to Splunk, that input gets added relative to the app you're in. Some apps, like the *nix and Windows apps that ship with Splunk, write input data to a specific index (in the case of *nix and Windows, that is the 'os' index). If you review the Summary dashboard and you don't see data that you're certain is in Splunk, be sure that you're looking at the right index. You may want to add the 'os' index to the list of default indexes for the role you're using. For more information about roles, refer to the topic about roles in the Admin manual.

Status dashboards

The Search app includes four dashboards that display different kinds of Splunk status information. You can find them under Status in the top-level navigation bar.

Note: These dashboards are only visible to users with Admin role permissions. For more information about users and roles, see the "Add and manage users" section of the Admin manual. For more information about setting up permissions for dashboards, see the Knowledge Manager manual.

  • Admin activity - This dashboard displays various metrics related to basic Splunk application performance. Included are the numbers of errors reported for Splunkd and Splunk Web, lists of the most recent errors, timestamping issues, and unhandled exceptions, and the "average splunkd access delay this hour (in ms)."
  • Search activity - This dashboard provides at-a-glance info about recent search activity for the Splunk instance. You can see how your users are searching with it, who is running the most searches, which searches are the most popular, and view a selection of metrics related to search run times (which users are running the longer searches, which searches are taking the longest, search load over the past 24 hours, and so on).
  • Index activity - This dashboard presents a range of statistics about the current indexing activity in the Splunk instance. You'll see the total events indexed (broken out by index), the top five indexed sourcetypes, the indexing rate by sourcetype over the past 24 hours, lists of indexing errors, and a number of other useful stats.
  • Inputs activity - This dashboard displays information about your Splunk inputs. You can see your most recently processed files and your most recently ignored files.


Advanced charting view

Under Views in the top-level navigation bar, you can find the Advanced charting view. This example of view construction enables you to build charts without opening up a separate Report Builder window. Enter a search that uses reporting language into the search bar, and the resulting chart appears in the results area.


Manage views

The Manage views link in the Views list takes you to the Manage views page in Manager, where you can review and update the views that you have permission to manage, change their permissions, and add new views. To create or update views here, you need to be familiar with XML and have an understanding of how views are developed in Splunk. For more information, see the Developer manual.

Revision: 207 | Community content licensed under Creative Commons