Documentation: 3.3.1
This page last updated: 11/21/08 05:11pm

Dashboard customization

Dashboards are landing pages in Splunk Web. By default, Splunk displays dashboards set in $SPLUNK_HOME/etc/system/default/prefs.conf. Dashboards are set on a per-user basis. Users can add:

You can make your own dashboard via Splunk Web. However, if you want to customize your dashboard layout, edit the prefs.conf configuration file. Before editing configuration files, read more about how configuration files work.

For custom dashboard examples, please see this section of the Dev Wiki.

Configuration

Set up a new dashboard by configuring modules. Modules are made up of searches or html and appear in separate areas of Splunk Web. Configure new dashboards and modules in $SPLUNK_HOME/etc/system/local/prefs.conf (or your own application directory).

The configuration steps are:

1. List the modules for the dashboard.

2. Add search modules.

3. Add html modules.

4. Attach your dashboard to a user.

List modules

List all the modules you've created for a dashboard. You must put this list first, before you define the modules. You can always come back and add module names to the list.

dashboard_customList = <comma separated list of module names>
  • Define custom modules in dashboard_customlist_<MODULE_NAME>_searches and dashboard_customlist_<MODULE_NAME>_text (below).
  • Note: You must list all modules for your dashboard here and then define each module below. The MODULE_NAME(s) must match.
    • For example, if you have dashboard_customList = foo then you must also have dashboard_customlist_foo_searches = <any valid search> or dashboard_customlist_foo_text = <any valid html>.
  • Add a $+ at the end of your list of module names if you want to append to existing lists.
    • If you leave off the $+, you will obscure any other custom lists that exist in the system.

Example

Here's an example from the Twiki dashboard:

dashboard_customList = Twiki activity last 7 days,Twiki activity last 24 hours,TwikiIntro,Twiki saved searches,$+

This makes all the named search modules (and any other search modules) available to the dashboard.

Add search modules

Search modules are lists of links to customized searches. Clicking a link runs the specified search.

To add a search module to your dashboard, use the following attribute/value pairs:

dashboard_customlist_<MODULE_NAME>_searches = <any validly formatted search>
dashboard_customlist_<MODULE_NAME>_labels = <optionally label your searches>

You can specify any number of these pairs as long as the MODULE_NAME is different for each pair.

dashboard_customlist_<MODULE_NAME>_searches = <any validly formatted search>

  • Set a search to appear in your dashboard.
  • Note: You must also use the *_labels attribute (below).

dashboard_customlist_<MODULE_NAME>_labels = <label your searches>

  • Add a label to your searches.
  • Note: You must use this attribute if you are using *_searches. If you don't want to label your searches, put this attribute in but leave the value blank.

Example

Here's more from the Twiki dashboard:

dashboard_customList_Twiki_saved_searches_searches = ['| admin mysavedsearches | where stanza LIKE "Twiki%" | rename stanza as name query as term | sort name']

dashboard_customList_Twiki_saved_searches_labels =

This displays all the results from this saved search on your dashboard. Splunk will split the rendering up into 2 and 3 columns past certain thresholds of search results.

Format searches

Searches you add to your dashboard must be validly formatted. First, you must know what metadata you are interested in pulling out of your events and displaying on the dashboard. Once you've determined the data you're interested in displaying, create a search that extracts this information. This means you must pipe your search through the following search commands to properly display your list of searches. For more information on search commands, see the User Manual search command reference.

Required fields

Include these commands (in the order listed) to properly display and link to your searches.

  • termkey="<field_name>"
    • <field_name> is a literal string that becomes the field name in the search.
    • For example termkey="client_ip" becomes the search client_ip=* when you click on the link.
  • term=<value>
    • <value> becomes the field value in the search.
    • For example term="host=foo" becomes the search host=foo when you click on the link.
  • rename <field> as name
    • <field> is the field you want to display in the list.
    • For example rename source as name will list a source (such as /var/log/messages) on your dashboard.
  • rename count as rowCount
    • Lets you display a count of search results next to the link.
    • Use count (or other stats command, such as topCount).
    • This is an optional setting, and is only useful if your search generates a count of events.
  • sort 15 + | - <field_name>
    • Lets you sort in ascending or descending order and limits your search to 15 results.

Note: Due to hard-coded Splunk Web display limitations, you can only display 15 items. Your search must limit its outcome to 15. Use top or sort to display only 15 results.

Example

The following example is the default dashboard display of all indexed data. Note that each search is piped through termkey, term, name and count.

For more examples, see the custom dashboard page on the wiki.

dashboard_customList_All_indexed_data_searches = [

This part defines the search that extracts information about sources:

'| metadata type=sources | tags | rename tag::source as tags | eval termkey="source" | eval term=source | rename source AS name totalCount as rowCount | fields name,term,termkey,rowCount,fullCount,tags | sort 15 -rowCount',

This part defines the search that extracts information about sourcetypes:

'| metadata type=sourcetypes | eval termkey="sourcetype" | eval term=sourcetype | rename sourcetype AS name totalCount as rowCount | fields name,term,termkey,rowCount,fullCount,tags | sort 15 -rowCount',

This part defines the search that extracts information about hosts:

'| metadata type=hosts | tags | rename tag::host as tags | eval termkey="host" | eval term=host | rename host AS name totalCount AS rowCount | fields name,term,termkey,rowCount,fullCount,tags | sort 15 -rowCount']

This part sets up labels for each list of links to search results:

dashboard_customList_All_indexed_data_labels = Sources, Sourcetypes, Hosts

This displays in Splunk Web as:

http://www.splunk.com/assets/doc-images/3_3DevDashboards/allindexed.png

Add html modules

Add a module with your own html.

To add an html module to your dashboard, use the following attribute/value pairs:

dashboard_customlist_<MODULE_NAME>_text = <html>

dashboard_customlist_<MODULE_NAME>_text = <html>

  • Any valid html/text.
  • Use the *_text attribute instead of *_searches and *_labels.
  • IMPORTANT: Each line of html/text must end with a \ to mark a newline (no spaces, or other characters).

Example

http://www.splunk.com/assets/doc-images/3_3DevDashboards/codez.png

Link dashboard to user

Dashboards can be linked to specific users. This means the configured dashboard shows up in the drop-down dashboard selector in Splunk Web only for the specified user. You can also omit this setting to make the dashboard accessible to any Splunk user.

Set the following attribute/value pairs in $SPLUNK_HOME/etc/system/local/prefs.conf (or your own custom application directory):

[user:<USER>]
dashboardset_<name> = <comma separated list of saved searches and/or modules>
dashboard_activeset = <name>

[user:<USER>]

  • Optional.
  • Set which user this dashboard is for.
  • Any valid user in Splunk.
  • This dashboard only appears in the drop-down for the specified user.
  • Note: If you want your dashboard to be accessible to any user, omit this line.

dashboardset_<name> = <comma separated list of saved searches and/or modules>

  • Add saved searches or custom list modules to your dashboard.
  • Saved searches can be reports -- in this case, they appear as charts/graphs (as specified in the saved search).
  • Custom list modules are defined via dashboard_customList and its dependent attributes (see above).

dashboard_activeset = <name>

  • Name your dashboard. The name appears in the dashboard drop-down in Splunk Web.
  • Note: You can lock a specific dashboard to a role via web.conf.

Example

This example limits the Twiki dashboard to the user penelope. It also sets a name for the dashboard as "Twiki."

[user:penelope]
dashboardset_twiki = TwikiIntro,Twiki saved searches,Twiki activity last 24 hours,Twiki activity last 7 days,Users editing in the last 24 hours,Pages edited in the last 24 hours
dashboard_activeset = Twiki
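
A small linter for the module rules described in the sections above (list first, every listed module defined, *_labels alongside *_searches, trailing $+, backslash line endings in *_text). It is an added example, not part of the Splunk documentation or product. It assumes attribute names compare case-insensitively and that spaces in a module name become underscores in its attribute names, as in the page's Twiki examples; parse, lint and SAMPLE are hypothetical names.

```python
import re

def parse(conf_text):
    """Return ({lowercased key: value}, problems); joins backslash-continued lines."""
    settings, problems, open_key = {}, [], None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        if re.search(r"\\[ \t]+$", raw):          # the page forbids anything after the "\"
            problems.append(f"line {n}: whitespace after trailing backslash")
        line = raw.rstrip()
        continues = line.endswith("\\")
        body = line[:-1] if continues else line
        if open_key:                              # continuation of a multi-line *_text value
            settings[open_key] += "\n" + body
        elif line and not line.startswith(("#", "[")):
            m = re.match(r"(\w+)\s*=\s*(.*)$", body)
            if not m:                             # e.g. html line whose predecessor lacked "\"
                problems.append(f"line {n}: not an attribute/value pair")
                continue
            open_key = m.group(1).lower()         # assumption: case-insensitive names
            settings[open_key] = m.group(2)
        if not continues:
            open_key = None
    return settings, problems

def lint(conf_text):
    """Check the module rules stated on this page; return a list of problem strings."""
    settings, problems = parse(conf_text)
    listed = settings.get("dashboard_customlist")
    if listed is None:
        return problems + ["dashboard_customList is not set"]
    if next(k for k in settings if k.startswith("dashboard_customlist")) != "dashboard_customlist":
        problems.append("dashboard_customList must come before the module definitions")
    names = [m.strip() for m in listed.split(",") if m.strip()]
    if names[-1:] != ["$+"]:
        problems.append("no trailing $+: this list obscures other custom lists")
    for mod in (m for m in names if m != "$+"):
        # assumption: "Twiki saved searches" -> ..._twiki_saved_searches_...
        base = "dashboard_customlist_" + mod.lower().replace(" ", "_")
        if base + "_searches" not in settings and base + "_text" not in settings:
            problems.append(f"{mod}: listed but has no _searches or _text")
        if base + "_searches" in settings and base + "_labels" not in settings:
            problems.append(f"{mod}: _searches without _labels")
    return problems

SAMPLE = "\n".join([  # constructed sample, not from the page; four deliberate mistakes
    "dashboard_customList = Intro,Failed logins,Orphan",
    "dashboard_customList_Intro_text = <h2>Welcome</h2>\\ ",  # space after the backslash
    "<p>Start here.</p>",
    "dashboard_customList_Failed_logins_searches = ['| metadata type=hosts | sort 15 -rowCount']",
])
```

Calling lint(SAMPLE) returns one message per mistake; a corrected file returns an empty list.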

Lock dashboards for roles

You can configure web.conf to prevent users from creating and saving new dashboards.

In $SPLUNK_HOME/etc/system/local/web.conf add the following:

disablePersistedPrefs = <role>
  • Specify a role.
  • Users in the specified role can still make changes to Splunk Web through the preferences configuration page, but their changes will not be persisted across sessions.