Let's Talk about your First Time.... Building a Splunk Dashboard

As Splunk consultants, we commonly come across customers who have a Splunk license and are ingesting data, but have yet to learn how, or take the time, to develop their own Splunk dashboards.  Most of us (and our manager’s manager) would agree that one of the nicest things about Splunk is its ability to translate the data in our environment into something that is meaningful and visual.

If you’re new to Splunk and are simply utilizing the Splunk search bar, and are relying on the saved searches that a professional services consultant left for you, then you’re not using the basic functionality of Splunk to its fullest extent.  Not only do dashboards bring meaning to your data in a way that is useful in troubleshooting and translating concepts to others, but they can be fun to build.

We’ll skip the discussion regarding ‘what are we going to search for in a dashboard?’ — that question in itself could become a blog post.  In this post, we’ll work through the basic mechanics of getting up and running with a dashboard.

 

Let’s Get Started!

Step One: Create The Dashboard

  • From the search app, choose “Dashboards”
  • Select “Create New Dashboard”
  • In the next dialogue, give your dashboard a Title and Description.
  • Keep the permissions set to ‘Private’, and click “Create Dashboard”

Step Two: Add inputs

You will now be shown a blank dashboard.  I recommend starting with two inputs: date & time.

  • Open the “+Add Input” dropdown
  • Select to add both a “Time” and a “Submit” input control

  • Choose to edit the Time control by clicking on the pencil icon.
  • For this example, make the entries as shown below.

  • Label: “Time Frame” (Label is the text that will be shown above the control)
  • Token: “inputTime” by convention

(I usually name all of my tokens from input controls with the prefix of ‘input’.  As dashboards grow, using a standard naming scheme can be helpful.)

  • Search on Change: Optional 
  • Default: “Last 4 hours”

Step Three: Add a panel (or visualization) in order to display the results of the Query

  • Choose the “+Add Panel” dropdown; this will open a new dialogue
  • Choose “New” and select “Line chart”

Step Four: You will now be shown a dialogue asking for specific attributes for our line chart.

  • Within the dialogue, enter the Search String, index=_internal |timechart count 
  • Give the Panel a title: “Events over Time”
  • Choose the Time Range: Drop down the menu
  • Choose the TimeRange picker that we created in Step 2.
  • This should be called “Shared Time Picker (inputTime)”

  • Click “Add to Dashboard”

Step Five: Once you are returned to the dashboard, save your work by clicking “Save” in the upper right corner.  

  • You should now see a one-panel dashboard such as the one below.
  • Try changing the time by dropping down the time frame and choosing 24 hours.
  • The chart should change immediately.  If not, go ahead and click “Submit”
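
The dashboard built in Steps One through Five corresponds to Simple XML along the lines of the following, which can be compared against the dashboard editor's Source view. This is an added example, not an export from the original post: the dashboard title and description are placeholders, and the `-4h@m` / `now` values are the assumed expansion of the “Last 4 hours” preset.

```xml
<!-- Added example: assumed Simple XML equivalent of the steps above. -->
<form>
  <!-- Placeholder title and description (Step One) -->
  <label>My First Dashboard</label>
  <description>Placeholder description</description>

  <!-- Step Two: a Time input plus a Submit button -->
  <fieldset submitButton="true" autoRun="false">
    <!-- searchWhenChanged mirrors the optional "Search on Change" box -->
    <input type="time" token="inputTime" searchWhenChanged="false">
      <label>Time Frame</label>
      <default>
        <!-- Assumed values for the "Last 4 hours" preset -->
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Steps Three and Four: one line-chart panel -->
  <row>
    <panel>
      <title>Events over Time</title>
      <chart>
        <search>
          <query>index=_internal | timechart count</query>
          <!-- "Shared Time Picker (inputTime)": the panel reads its
               time window from the input's token -->
          <earliest>$inputTime.earliest$</earliest>
          <latest>$inputTime.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Every additional panel that references `$inputTime.earliest$` and `$inputTime.latest$` in its `<search>` element follows the same shared time window.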

Congratulations on your first dashboard! 

Try adding additional searches to the same dashboard.  This can be done by repeating steps 3-6 as shown above.  By utilizing the same Shared Time input, all of the searches will align within the same time window.

As you practice, try to get creative with your choices of visualizations and take time to ensure that your visualizations actually make sense for the type of data you’re trying to convey.

Check out part two of this blog, “Key Things to Consider when Creating a Dashboard.”

About Aditum

Aditum’s Splunk Professional Services consultants can assist your team with best practices to optimize your Splunk deployment and get more from Splunk.

Our certified Splunk Architects and Splunk Consultants manage successful Splunk deployments, environment upgrades and scaling, dashboard, search, and report creation, and Splunk Health Checks. Aditum also has a team of accomplished Splunk Developers that focus on building Splunk apps and technical add-ons.