Your Splunk Workspace

What is a Workspace? In my mind, it’s a well defined area within which one can construct and create without impact to and by externalities.

Implemented in Splunk, it’s a user logging into Splunk, getting escorted to content for their domain, and not being distracted or impacted by the activities of others.

As you might have guessed, this concept IS implemented already in Splunk by means of visible “apps.” Unfortunately, many of us don’t embrace apps in this fashion – and for good reason! We often associate apps with the rich contributions available on Splunkbase and rarely consider the simplest of apps, as a Workspace for user groups.

Let’s change that today. Let’s reset how we think about apps and the entire Splunk UI experience, for that matter. For now on, let’s refer to any app visible in the UI as a Workspace. Seems too subtle to make a difference? Watch as it changes your entire perspective on the Splunk user experience.


Out-of-the-box, Splunk comes with the Launcher and the Search & Reporting WorkspacesSplunk Web. This is awesome, flexible, and customizable for our technical users, but probably not the most effective starting point for a Splunk n00b. Instead, let’s configure Splunk to provide a Web-App based experience such that users are sent right to their Workspaces and not distracted by other items deployed to the Splunk environment.

Screen Shot 2017-02-07 at 12.18.12 PMFirst thing’s first. We need an app to become a Workspace, so let’s create an app. To do this, navigate to the Manage Apps view (either by selecting the gear icon (if in Launcher) or the ‘Apps’ dropdown (if viewing an app) from the upper-left corner of Splunk Web.
Select the “Create app” button. If it’s grayed out then you either don’t have permissions or are using a Search Head Cluster – in either case, ask your Admin for help. On the resulting form, you should fill out the fields according to the user’s role for which you want to make the Workspace but make sure to leave the Template dropdown selected to ‘barebones’. Don’t worry – you can edit the app later if you change your mind. On the right is an example if for an Operations team.

Next, navigate to the associated role within Splunk Web and set the ‘Default app’ to the newly created one. If the team already has a commonly used dashboard, go ahead and set it as default in the navigation so users are presented with it instead of the basic search page. If no such dashboard exists, I recommend creating a “Welcome” page and using that. Don’t forget to move over other config that might have already been created in other locations.

Congratulations! You now have a working Workspace! Login as a user of that role and see how they get to skip the Launcher and are sent directly to their Workspace and default dashboard.

Less is More

Inevitably, users will grow curious and accidentally get lost after navigating into other Workspaces. To mitigate this, I suggest making the other Workspaces invisible, thereby limiting a user group (role) to only their Workspace and not messing with other team’s.

To do this, you need only edit and remove the read permissions for the unrelated groups of a given app. In other words, the Operations app will have read permissions for the Operations role but no other roles. The result is that no other group knows there is an Operations app, let alone accidentally start messing with their work.

Additionally, I recommend removing visibility of the Search & Reporting app. I know that might sound crazy but it eliminates yet another place users might stumble to without impacting functionality. To do so, select the “No” radio button for the Visible attribute of the Search & Reporting app. To validate all functionality still works, you can navigate to the ‘search’ endpoint of your Workspace and see how searching works as expected.

Screen Shot 2017-02-07 at 12.42.21 PMAs you remove permissions for other Workspaces, you’ll notice that the Splunk user experience is simplified. Selecting the ‘Apps’ drop down on the upper left has a lot less clutter and distractions. Just keep in mind the different approaches here: by removing permissions, a user could never know the app exists, whereas by making an app not visible, the app and it’s artifacts are still accessible, just hidden from direct navigation.

N00bs are Powerful

For those of you that are hesitant about this approach, just remember that your n00bs are not incompetent. In fact, I’d argue that they are the most important users of your environment because they get the most value relative to their effort since most of them consume insights from dashboards and other things already created.

Implementing a Workspace will make their experience more effective by sending them directly to what they need without distraction. It’s also worth noting that you should trust that over time, some of them will grow curious and dig deeper into Splunk thereby increasing their effectiveness and value from Splunk. As an admin, I was always impressed to uncover non-technical users that wrote their own searches by reverse engineering a panel they curiously clicked into.

The bottom line is the Workspace provides containment for work without limiting their the functionality of Splunk. A Workspace becomes a domain for a user group to create and share Splunk insights without the distraction and clutter from what are otherwise unrelated other groups.

If you’ve implemented this, then congratulations on your cleaner Splunk environment! Happy Splunking!

Posted by


Burch is what happens when you mix a passion for technology with a love for performing comedy. If you find a Burch in the wild, engage lovingly with discussions of Splunk Best Practices and your hardest SPL challenges.