Splunk is easy to use for developing a powerful analytical dashboard with multiple panels. A dashboard with too many panels, however, will require scrolling down the page and can cause the viewer to miss crucial information. An effective dashboard should generally meet the following conditions:
In this tutorial, we learn to create different types of dashboards using Splunk. We will also discuss how to gather business requirements for your dashboards.
There are three kinds of dashboards typically created with Splunk:
Dynamic form-based dashboards allow Splunk users to modify the dashboard data without leaving the page. This is accomplished by adding data-driven input fields (such as time, radio button, textbox, checkbox, dropdown, and so on) to the dashboard. Updating these inputs changes the data based on the selections. Dynamic form-based dashboards have existed in traditional business intelligence tools for decades now, so users who frequently use them will be familiar with changing prompt values on the fly to update the dashboard data.
Real-time dashboards are often kept on a big panel screen for constant viewing, simply because they are so useful. You see these dashboards in data centers, network operations centers (NOCs), or security operations centers (SOCs) with constant format and data changing in real time. The dashboard will also have indicators and alerts for operators to easily identify and act on a problem. Dashboards like this typically show the current state of security, network, or business systems, using indicators for web performance and traffic, revenue flow, login failures, and other important measures.
Dashboards as scheduled reports may not be exposed for viewing; however, the dashboard view will generally be saved as a PDF file and sent to email recipients at scheduled times. This format is ideal when you need to send information updates to multiple recipients at regular intervals, and don't want to force them to log in to Splunk to capture the information themselves.
We will create the first two types of dashboards, and you will learn how to use the Splunk dashboard editor to develop advanced visualizations along the way.
As a Splunk administrator, one of your most important responsibilities is the data itself. As a custodian of data, a Splunk admin has significant influence over how information is interpreted and presented to users. It is common for the administrator to create the first few dashboards. A more mature implementation, however, requires collaboration to create output that serves a variety of user requirements, and the work may be completed by a Splunk development resource with limited administrative rights.
Make it a habit to consistently request users' input on the dashboards and reports delivered in Splunk and on what makes them useful. Sit down with day-to-day users and lay out, on a drawing board, for example, the business process flows or system diagrams to understand how the underlying processes and systems you're trying to measure really work. Look for key phrases like these, which signify what data is most important to the business:
Splunk dashboard users may come from many areas of the business. You want to talk to all the different users, no matter where they are on the organizational chart. When you make friends with the architects, developers, business analysts, and management, you will end up building dashboards that benefit the organization, not just individuals. With an initial dashboard version, ask for users' thoughts as you observe them using it in their work, and ask what can be improved upon, added, or changed.
We hope that at this point, you realize the importance of dashboards and are ready to get started creating some, as we will do in the following sections.
In this section, we will create a dynamic form-based dashboard in our Destinations app to allow users to change input values and rerun the dashboard, presenting updated data. Here is a screenshot of the final output of this dynamic form-based dashboard:
Let's begin by creating the dashboard itself and then generate the panels:
SPL> index=main status_type="*" http_uri="*" server_ip="*" | top status_type, status_description, http_uri, server_ip
We will go to the after all the panel searches have been generated. Let's go ahead and create the second panel:
SPL> index=main status_type="*" http_uri=* server_ip=* | top status_type
Now, we'll move on to create the third panel:
SPL> index=main status_type="*" http_uri=* server_ip=* | timechart count by http_status_code
Now, on to the final panel. Run the following search command:
SPL> index=main status_type="*" http_uri=* server_ip=* | timechart count, avg(http_response_time) as response_time
Save this dashboard panel as Hits vs Response Time:
We'll move on to look at the dashboard we've created and make a few changes:
Look at the following screenshot. The dashboard framework you've created should now look much like this.
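The four panel searches above hard-code `*` for status_type, http_uri, and server_ip; in a form-based dashboard those wildcards are supplied by input tokens instead. The following Simple XML source is an added example, not taken from the original tutorial: the token names (time_tok, status_tok, uri_tok, ip_tok), the dashboard label, and the 24-hour default time range are assumptions, and only the Hits vs Response Time panel is shown.

```xml
<form>
  <label>Status Dashboard (example)</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Dropdown choices are populated from the data; "All" maps to the wildcard -->
    <input type="dropdown" token="status_tok" searchWhenChanged="true">
      <label>Status type</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>status_type</fieldForLabel>
      <fieldForValue>status_type</fieldForValue>
      <search>
        <query>index=main | stats count by status_type | fields status_type</query>
        <earliest>$time_tok.earliest$</earliest>
        <latest>$time_tok.latest$</latest>
      </search>
    </input>
    <input type="text" token="uri_tok" searchWhenChanged="true">
      <label>HTTP URI</label>
      <default>*</default>
    </input>
    <input type="text" token="ip_tok" searchWhenChanged="true">
      <label>Server IP</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Hits vs Response Time</title>
      <chart>
        <search>
          <!-- The |s token filter wraps each value in quotes, so free-text
               input is treated as a field value and not as additional SPL -->
          <query>index=main status_type=$status_tok|s$ http_uri=$uri_tok|s$ server_ip=$ip_tok|s$ | timechart count, avg(http_response_time) as response_time</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">response_time</option>
        <option name="charting.axisY2.enabled">1</option>
      </chart>
    </panel>
  </row>
</form>
```

With every input left at its default, the panel search expands to the same `status_type="*" http_uri="*" server_ip="*"` filter used in the searches above.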
The dashboard probably looks a little plainer than you expected it to. But don't worry; we will improve the dashboard visuals one panel at a time:
In this section, we will learn how to alter the look of our panels and create visualizations.
Go to the edit dashboard mode by clicking on the Edit button.
Each dashboard panel will have three setting options to work with: edit search, select visualization, and visualization format options. They are represented by three drop-down icons:
The Edit Search window allows you to modify the search string, change the time modifier for the search, add auto-refresh and progress bar options, as well as convert the panel into a report:
The Select Visualization dropdown allows you to change the type of visualization to use for the panel, as shown in the following screenshot:
Finally, the Visualization Options dropdown will give you the ability to fine-tune your visualization. These options will change depending on the visualization you select. For a normal statistics table, this is how it will look:
Go ahead and change the Status Distribution visualization panel to a pie chart. You do this by selecting the Select Visualization icon and selecting the Pie icon. Once done, the panel will look like the following screenshot:
We will change the view of the Status Types Over Time panel to an area chart. However, by default, area charts will not be stacked. We will update this through adjusting the visualization options:
Here is the new stacked area chart panel:
When representing two or more kinds of data with different ranges, using a combination chart—in this case combining a column and a line—can tell a bigger story than one metric and scale alone. We'll use the Hits vs Response Time panel to explore the combination charting options:
The new panel will now look similar to the following screenshot. From this and the prior screenshot, you can see there was clearly an outage in the overnight hours:
The dashboard has now come to life. This is how it should look now:
To summarize, we saw how to create different types of dashboards.
To learn more about the core Splunk functionality for transforming machine data into powerful insights, check out the book Splunk 7 Essentials, Third Edition.