Forums: SplunkGeneral: Configuring Dashboards




I'm trying to create a different dashboard to the default. I understand that you can create saved searches and then simply add them to the dashboard but I'm looking at the module called:
All indexed data that is configured in prefs.conf:

The following line seems to configure most of what appears in that module/pane:

dashboard_customList_All_indexed_data_searches = ['| metadata type=sources count=15 order=total | eval termkey="source" | eval term=source | rename source AS name totalCount as rowCount | fields name,term,termkey,rowCount,fullCount,tags | sort rowCount d','| metadata type=sourcetypes count=15 order=total | eval termkey="sourcetype" | eval term=sourcetype | rename sourcetype AS name totalCount as rowCount | fields name,term,termkey,rowCount,fullCount,tags | sort rowCount d','| metadata type=hosts count=15 order=total | eval termkey="host" | eval term=host | rename host AS name totalCount AS rowCount | fields name,term,termkey,rowCount,fullCount,tags | sort rowCount d']

What I don't get however is how this list of files is actually configured. The value of dashboard_customList_All_indexed_data_searches doesn't appear to be an actual search request so I wouldn't know where to start to change it...

Basically, I would like to create a dashboard for a group of users so they only see THEIR data. I understand the functionality of granular access control but this dashboard is more for presentation purposes than confidentiality: I want users to see a list of files from their area and that's it.

Any suggestions?

First suggestion would be to take a look at Nick's Twiki bundle and spy on the configuration files there.

Those are searches that calculate "all indexed data". Those are searches against our host, source, and sourcetype metadata files. In version 3.2, these searches will be changed a hair because metadata will no longer become a reserved word and will follow a pipe ( | ).

Can you give me more details or examples on the goal you are trying to accomplish? How can Splunk determine what data belongs to a group of your users?

I would like to be able to restrict the list of hosts or possibly sources that a role will see, when a user logs in.

I'm not asking about confidentiality features by using granular access control and making sure a user can't search the events from a certain file or a certain source. I simply want the end-user to only see the list of files that concern them, as opposed to seeing a list of the top 10 or so files in terms of number of events, out of ALL the data indexed on the box or boxes.

I kind of understand the configuration of the dashboards in prefs.conf

Each dashboard is defined as dashboardset_<dashboard name> in prefs.conf and is equal to the list of "modules" (could call them panes) that make up the dashboard.
For example we have the default dashboard:
dashboardset_default = Errors in the last 24 hours,All indexed data,Saved searches

There's a list of modules that are custom modules:

  1. Custom dashboard modules. Currently only for All-Indexed-Data and Saved-Searches modules.

dashboard_customList = All indexed data,Saved searches,Register with Splunk,Watch a video,Index some data,Download SplunkBase add-ons,Get help,Tell us what you think so far

Each of these modules/panes are defined as follows with a searches and a labels parameter:
dashboard_customList_All_indexed_data_searches = ['metadata type=sources count=15 order=total | eval termkey="source" | eval term=source | rename source AS name totalCount as rowCount | fields name,term,termkey,rowCount,fullCount,tags | sort rowCount d','metadata type=sourcetypes count=15 order=total | eval termkey="sourcetype" | eval term=sourcetype | rename sourcetype AS name totalCount as rowCount | fields name,term,termkey,rowCount,fullCount,tags | sort rowCount d','metadata type=hosts count=15 order=total | eval termkey="host" | eval term=host | rename host AS name totalCount AS rowCount | fields name,term,termkey,rowCount,fullCount,tags | sort rowCount d']
dashboard_customList_All_indexed_data_labels = Sources,Sourcetypes, Hosts

What I'm not totally comfortable with is the format of these "searches", what they mean and how to tweak them... I'm assuming this is a bit like SQL but simply the fieldnames that are used are not totally clear.

I'm comfortable adding a ' | where source = "whatever" ' clause but there are quite a lot of other things I wouldn't mind doing, such as giving the source a different name so it's more user-friendly instead of a complex path...
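One way to build a per-role version of that module, added here as an example and not code from the thread or from Splunk: it parses the _searches list value in the format quoted above, inserts a search host="..." (or source="...") stage directly after each metadata command, and emits the _searches and _labels lines for a new module. Assumed: the key naming (spaces in the module name become underscores, as "All indexed data" does above), that your version accepts search after a piped metadata, and the constructed "Web team data" module name and patterns.

```python
import ast
import re

# Constructed sample: one prefs.conf line in the format quoted in the thread,
# trimmed to the sources and hosts searches.
PREFS_LINE = (
    "dashboard_customList_All_indexed_data_searches = ["
    "'| metadata type=sources count=15 order=total | eval termkey=\"source\" "
    "| eval term=source | rename source AS name totalCount as rowCount "
    "| fields name,term,termkey,rowCount,fullCount,tags | sort rowCount d',"
    "'| metadata type=hosts count=15 order=total | eval termkey=\"host\" "
    "| eval term=host | rename host AS name totalCount AS rowCount "
    "| fields name,term,termkey,rowCount,fullCount,tags | sort rowCount d']"
)

def parse_searches(line):
    """Split a dashboard_customList_*_searches line into (key, [search, ...])."""
    key, _, value = line.partition("=")
    return key.strip(), ast.literal_eval(value.strip())

def module_key(module_name, suffix):
    """Module keys replace spaces in the name: 'All indexed data' -> All_indexed_data."""
    return "dashboard_customList_%s_%s" % (module_name.replace(" ", "_"), suffix)

def restrict_search(search, restrictions):
    """Insert `search <field>="<pattern>"` after metadata; field comes from the type."""
    stages = [s.strip() for s in search.split("|") if s.strip()]
    m = re.match(r"metadata\s+type=(\w+)s\b", stages[0])  # sources -> source, hosts -> host
    if not m:
        raise ValueError("not a metadata search: %r" % search)
    field = m.group(1)
    if field in restrictions:
        stages.insert(1, 'search %s="%s"' % (field, restrictions[field]))
    return "| " + " | ".join(stages)

def build_role_module(prefs_line, module_name, restrictions):
    """Return the _searches and _labels prefs.conf lines for a restricted module."""
    _, searches = parse_searches(prefs_line)
    restricted = [restrict_search(s, restrictions) for s in searches]
    labels = [re.search(r"type=(\w+)", s).group(1).capitalize() for s in searches]
    return [
        "%s = %s" % (module_key(module_name, "searches"), repr(restricted)),
        "%s = %s" % (module_key(module_name, "labels"), ",".join(labels)),
    ]

if __name__ == "__main__":
    for line in build_role_module(PREFS_LINE, "Web team data",
                                  {"host": "web*", "source": "/var/log/web/*"}):
        print(line)
```

The inserted stage only trims what the pane lists; as the poster says, it is presentation, not access control, and users can still search everything their role permits.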
