Splunk Dashboards Quick Reference Guide


DASHBOARDS QUICK REFERENCE GUIDE

Introduction

You can use Splunk platform visualizations to organize and communicate data insights. Visualizations and dashboards let you help users monitor or learn about important metrics and trends. You can use Simple XML or the dashboard editor to build dashboards and add interactive behavior.

Visualization Concepts

Getting Started

You can create visualizations from the Search page or when you are building a dashboard.

Search

Run a search to generate results that you want to visualize. Use Splunk Search Processing Language (SPL) commands to generate results for the visualization type that you are building.

After generating search results, click the Visualizations tab to select a visualization type and format the visualization.

Dashboard

You can create visualizations when you are building or editing a dashboard. Use the dashboard editor to add new visualizations or reuse prebuilt content.

Visualization types

There are several visualization options available in the Splunk platform. You can use the Visualization Picker interface to select a visualization type. You can also indicate a visualization type when building dashboards in Simple XML.

Visualization options include:

• Event lists
• Column, bar, area, and line charts
• Pie charts
• Scatter and bubble charts
• Single value visualizations and gauges
• Tables
• Maps
• Custom visualizations

Choose a visualization type that fits your use case and your data. For example, if you are comparing sales totals for different product types over a time period, you can use a bar or column chart. To show trends in product sales over a time period, you can use a line chart.

Search and data formatting

Data formatting means search result aggregations, data series grouping, or the result fields that a search must generate for a visualization to render.

Data format requirements vary by visualization type. When you create a visualization, you use search commands to generate results in a particular data format. This format should provide the fields or values that you want the visualization to represent.

For example, a single value visualization shows a single metric. You can use “…| stats count” to generate an aggregated count field that the single value represents.

When you hover over visualizations in the Visualization Picker, search syntax and commands are suggested to help you generate results in the correct data format.

Format visualizations

When creating or updating visualizations, you can use the Format menu to configure visualization components.

To customize visualizations in dashboards, you can also use Simple XML source code.

Depending on the visualization type, different format options are available. For example, you can configure axis label positioning in a bar or column chart. You can specify different map tiles to change the background of a Choropleth map. You can also configure ranges and colors for a single value visualization.

Publish visualizations

You can save a visualization as a dashboard panel or as a report.

Schedule reports to generate search results at a specific time interval. You can opt to include a visualization with them.

You can also save a visualization as a dashboard panel. Add it to an existing dashboard or use it to begin building a new dashboard. You can create and add more visualizations to a dashboard or edit the dashboard to add and configure content.

Additional visualization options

Custom visualizations

Available in Splunk Enterprise and Splunk Cloud versions 6.5.x and later.

To expand the visualization options in your Splunk deployment, you can download custom visualization apps from Splunkbase. Installed custom visualizations appear in the Visualization Picker.

Trellis layout

Available in Splunk Enterprise and Splunk Cloud versions 6.6.x and later.

You can apply trellis layout to split search results on a field or aggregation so that a visualization renders in several segments. Each segment represents a value in the split field.

Custom visualizations developer API

Available in Splunk Enterprise and Splunk Cloud versions 6.5.x and later.

Some use cases might require a customized visualization. The Splunk Custom Visualizations developer API lets you create custom visualization apps to use and share.

Visualization search examples

The following examples represent one possible use case and search for each visualization type. There are many additional search and use case options for visualizations.

Bar or column chart
• Search: … | stats count by product
• Use case: Compare sales totals by product.

Table
• Search: … | stats count by product, category
• Use case: Show sales metric for products and their product categories.

Area or line chart
• Search: … | timechart count by product
• Use case: Show sales trends for different products.

Pie chart
• Search: … | stats count by category
• Use case: Show how a daily sales total comprises different product categories.

Scatter or bubble chart
• Search: … | stats count by place, mag, depth
• Use case: Show earthquake event counts by magnitude, depth, and location.

Single value
• Search: …product="video_game" | timechart count
• Use case: Show a current sales metric for a retail product.

Choropleth map
• Search: source=my_data.csv | lookup geo_us_states longitude as Longitude, latitude as Latitude | stats count by featureId | geom geo_us_states
• Use case: Show sales totals for each state in the United States.

Cluster map
• Search: index=main mag>3 | geostats latfield=latitude longfield=longitude count
• Use case: Show earthquake counts by location on a world map.

Dashboard Concepts

Dashboard

A dashboard is a group of visualizations and contextual content, such as titles and descriptions, that present information in a visual format. Dashboards use layout elements to structure their content.

Dashboard Editor

Use the dashboard editor to create and edit dashboards in Splunk Web. The editor gives you access to an editing user interface (UI) and to a Simple XML source code editor. You can use the editing UI or the source code editor to build dashboard components, change layout, and implement interactive behavior.

You can configure most dashboard functionality in either the editing UI or in Simple XML. Some advanced configurations, such as conditional drilldown, are only available in Simple XML.

Simple XML

Simple XML is source code that you can use to structure and customize dashboards. Simple XML is made up of parent and child elements. Elements can have configuration attributes. Additionally, visualization elements use <option> child elements for formatting and behavior configuration.

Most configurations that you make in Simple XML can also be made in the dashboard editing UI. Some customizations are only available in Simple XML, however. For example, conditional drilldown behavior or configuring responsive display changes require Simple XML. Use the dashboard source code editor to make these customizations.

Form

When you add inputs to a dashboard, it becomes a form. Its root element in Simple XML changes to <form>.

Forms and dashboards are similar in most ways. However, forms contain fieldsets to organize inputs for user interaction.

Form Input

You can add inputs to a form to capture user selections or typed text and trigger responsive behavior. Inputs are grouped inside a <fieldset> element in a form.

Available input types include radio buttons, selection lists, text fields, and time range pickers. Selection inputs can have static choice values and labels. You can also use a search to generate input choices dynamically.

Inputs use tokens to represent user selection or typed values. You can use input tokens to pass the user-provided value to visualizations or other elements in the dashboard and trigger responsive actions. For example, you can use an input token in a search to generate a visualization representing the value that a user selected.

Row

A dashboard uses rows to organize one or more panels horizontally.

Panels

A dashboard row contains one or more panels. Each panel has a visualization or HTML element. Panel visualizations use a search to generate the results that they render. You can use different types of searches to drive panel visualization content.

Panels have titles and descriptions that you can configure in the dashboard editor or Simple XML.

You can configure some dashboard interactivity at the panel level, including listening to token values to toggle panel display. You can also use token values to populate panel titles with dynamic values.

You can save panel content as a prebuilt panel to reuse in multiple dashboards.

Panel Searches

Searches provide the data that visualizations represent in dashboards.

You can use different types of searches to generate dashboard content.

• Inline search strings directly in a panel
• Saved searches that you reference in a panel
• Searches in prebuilt panels that you reuse
• Global base searches whose results you use with post-process searches to generate different results in various panels
• Searches generated with Pivot

Permissions

Dashboards

Dashboards are knowledge objects with access and editing permissions. Your user role and capabilities determine your options for creating, sharing, and administering dashboards.

If you have the admin role and its default capabilities, you can configure dashboard visibility in different apps in your deployment. You can also set read and write permissions associated with specific roles.

Saved searches in dashboards

Saved searches in a dashboard are knowledge objects with independent permissions. A saved search can run with the permissions of the user who created it or the user who is viewing its results, including in a visualization.

Depending on saved search permissions in your dashboards, some users might see visualizations that represent a more limited result set. Your user role and capabilities determine your options for adjusting permissions to manage your dashboard user experience.

Building Interactive Dashboards

Drilldown

Drilldown is a tool for creating dashboard interactivity. You can add drilldown to a dashboard visualization to share additional data insights with users when they click on it. Use the drilldown editor (Splunk Enterprise and Splunk Cloud versions 6.6.x and later) and Simple XML to add and configure drilldown in your dashboards.

Drilldown actions

Drilldown can trigger different interactive responses to a user click. You can configure drilldown to open a secondary search, another dashboard, or an external URL in the browser. You can also use drilldown to trigger contextual changes in the same dashboard.

You can use tokens to customize content in a drilldown target. Use tokens to capture and pass values to a drilldown target, such as a search string or a URL, and customize its content. You can also use tokens to trigger interactive content display, such as showing or hiding a panel or updating a visualization title.
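
An added example, not part of the Splunk guide, for the saved search permissions described under Permissions: it lists the saved searches a dashboard references and whether each one runs as its owner or as the viewing user. It assumes the run-as choice is stored in the dispatchAs key of savedsearches.conf (owner when the key is absent); the conf text, the dashboard, and the function names are constructed for illustration.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed savedsearches.conf content (not from the guide).
SAVEDSEARCHES_CONF = """
[Failed logins by user]
search = index=auth action=failure | stats count by user
dispatchAs = owner

[Sales by product]
search = index=sales | stats count by product
dispatchAs = user

[Top sourcetypes]
search = index=_internal | top sourcetype
"""

# Constructed dashboard that references the reports with <search ref="...">.
DASHBOARD = """
<dashboard>
  <row>
    <panel><table><search ref="Failed logins by user"></search></table></panel>
    <panel><chart><search ref="Sales by product"></search></chart></panel>
    <panel><table><search ref="Top sourcetypes"></search></table></panel>
    <panel><single><search ref="Deleted report"></search></single></panel>
  </row>
</dashboard>
"""

def audit_saved_searches(dashboard_xml, conf_text):
    """Map each referenced saved search to the identity it runs as."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.optionxform = str            # keep key case: dispatchAs, not dispatchas
    conf.read_string(conf_text)
    report = {}
    for search in ET.fromstring(dashboard_xml).iter("search"):
        ref = search.get("ref")
        if ref is None:
            continue                  # inline search, not a saved search
        if not conf.has_section(ref):
            report[ref] = "missing"   # dashboard points at a report that is gone
        else:
            # Assumption: dispatchAs defaults to owner when the key is absent.
            report[ref] = conf.get(ref, "dispatchAs", fallback="owner")
    return report

def runs_as_owner(report):
    """Saved searches whose panels show the owner's view of the data to every viewer."""
    return sorted(name for name, mode in report.items() if mode == "owner")

if __name__ == "__main__":
    result = audit_saved_searches(DASHBOARD, SAVEDSEARCHES_CONF)
    for name, mode in result.items():
        print(f"{name}: {mode}")
    print("review (runs as owner):", runs_as_owner(result))
```

Reports listed by runs_as_owner are the ones to check against the read permissions of the dashboard, because every viewer sees results produced with the owner's data access.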

Tokens

Tokens are like programming variables. They represent data that changes, such as a search result field, a user selection in an input, a user click for drilldown, a search result field value, or a flag that you set to trigger interactive behavior. As with programming variables, you can use tokens to capture dynamic values and to access them.

Some tokens are predefined in Splunk software. You can also create custom tokens to represent additional values or to control dashboard behavior.

Token syntax requires dollar signs or quotation marks around a token name. For example, $click.value$ references a clicked field value in a visualization where drilldown is enabled. Check Splunk documentation for more details on syntax, including special character escaping.
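
An added example, not part of the Splunk guide, for the escaping point above: a small linter that flags tokens placed in a <query> without the |s quote filter and tokens in a <link> that use |n to turn off the default URL escaping. The sample form and the audit_tokens name are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches $name$ or $name|f$ where f is a one-letter token filter.
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)(?:\|([a-z]))?\$")

# Constructed sample form (not from the guide).
SAMPLE = """
<form>
  <fieldset>
    <input type="text" token="user_tok"><label>User</label></input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=web user=$user_tok$ | stats count by action</query>
        </search>
        <drilldown>
          <link target="_blank">/app/search/detail?form.action=$click.value2$</link>
        </drilldown>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>index=web user=$user_tok|s$ | stats count by host</query>
        </search>
        <drilldown>
          <link target="_blank">$row.url|n$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
"""

def audit_tokens(simple_xml):
    """Return (element, token, finding) tuples for token uses that need review."""
    findings = []
    for elem in ET.fromstring(simple_xml).iter():
        for name, flt in TOKEN_RE.findall(elem.text or ""):
            if elem.tag == "query" and flt != "s":
                # |s wraps the value in quotation marks and escapes embedded
                # quotes; without it the value lands in the SPL text unquoted.
                findings.append(("query", name, "no |s quote filter"))
            elif elem.tag == "link" and flt == "n":
                # <link> URL-encodes token values by default; |n switches that off.
                findings.append(("link", name, "|n disables default escaping"))
    return findings

if __name__ == "__main__":
    for tag, token, finding in audit_tokens(SAMPLE):
        print(f"<{tag}> ${token}$: {finding}")
```

A finding is a prompt for review rather than proof of a defect: a token that deliberately holds a field name or a whole search fragment cannot be quoted, so its value has to be constrained where it is set.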

Predefined tokens for drilldown


The value of each predefined token depends on the visualization type that the user clicks (table, chart, single value, or map).

$click.name$
• Table: Leftmost field (column) name in the table.
• Chart: X-axis field or category name for the clicked location.
• Single value: Name of field that single value represents.
• Map: Field name for the clicked location.

$click.value$
• Table: Leftmost field (column) value in the clicked table row.
• Chart: X-axis field or category value for the clicked location.
• Single value: Field value that the single value represents.
• Map: Field value for the clicked location.

$click.name2$
• Table: Clicked table cell field name.
• Chart: Y-axis field or category value for the clicked location.
• Single value: Same as $click.name$.
• Map: Same as $click.name$.

$click.value2$
• Table: Clicked table cell value.
• Chart: Y-axis field or category value for the clicked location.
• Single value: Same as $click.value$.
• Map: Same as $click.value$.

$row.<fieldname>$
• Table: Access any field (column) value from the clicked table row. For example, to get the sourcetype field value in the clicked row, use $row.sourcetype$.
• Chart: Access any y-axis field value corresponding to the clicked location x-axis. Not available if the user clicks the chart legend.
• Single value: Access any field value from the Statistics table row for the single value.
• Map: Access field values related to the clicked location. Check the Statistics tab for available fields.

Drilldown examples
LINK TO A SEARCH

Goal: Open a secondary search in the browser when a user clicks on a visualization. Show search results related to the clicked value.

Scenario: A table shows customer actions on a retail website. When a user clicks on a table cell, show search results filtered for the clicked value.

How to set up the drilldown:


• Define the <drilldown> behavior using the <link> element.
• Include the target="_blank" attribute in the <link> element to open the search in a new browser tab.
• Use the predefined $click.value2$ token to populate the search with the clicked action field value.
• Wrap the search in <![CDATA[]]> tags to escape special characters in the search string.

Simple XML source code:


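<drilldown>
  <!-- target="_blank" opens the search in a new browser tab -->
  <link target="_blank">
    <!-- $click.value2$ is replaced with the clicked table cell value -->
    <![CDATA[search?q=source="my_retail_data_source" action=$click.value2$ | stats count by productId&earliest=-24h@h&latest=now]]>
  </link>
</drilldown>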

LINK TO A DASHBOARD OR FORM

Goal: Open a target dashboard or form in the browser when a user clicks on a visualization. Show content customized to the clicked value and
contextual values from the source dashboard.

Scenario: A table shows top sourcetypes. When a user clicks a table row, open a form showing content customized to the clicked row’s sourcetype value.

How to set up the drilldown:


• Define the <drilldown> behavior using the <link> element.
• Include the target="_blank" attribute in the <link> element to open the search in a new browser tab.
• Use the $row.<fieldname>$ predefined token to capture the sourcetype field value from the clicked row.
• Pass the clicked value to the form by setting the $form.sourcetype$ token value to the clicked value. When setting form tokens, prefix the token
name with form.<token_name>. No prefix is necessary for setting tokens in a target dashboard.
• Pass the earliest and latest time range settings from the source dashboard to the target form.
• Wrap the search in <![CDATA[]]> tags to escape special characters in the search string.

Simple XML source code:


<drilldown>
  <link target="_blank">
    <!-- form.sourcetype sets the sourcetype input of the target form -->
    <![CDATA[/app/search/form_for_drilldown?form.sourcetype=$row.sourcetype$&earliest=$earliest$&latest=$latest$]]>
  </link>
</drilldown>

LINK TO A URL

Goal: When a user clicks on a visualization, open a related website in the browser.

Scenario: A visualization shows failed website logins. Link to internal documentation when a user clicks on the visualization. Use conditions to specify linking to a
runbook for handling excessive failed logins if the failure count is more than 5,000. Otherwise, link to an overview page on failed logins.

How to set up the drilldown:


• Inside the single value <search>, use the <done> search event handler element to access a result count value when the search completes.
• In the <done> element, set a custom count token to the value of the predefined $result.count$ token. The $result.count$ value is only
available in the context of the <search> element. It cannot be accessed directly in a <drilldown>. Setting the count token lets you access this
value in the <drilldown> element.
• Define the <drilldown> behavior using the <link> element.
• Inside the drilldown, set up conditional behavior. Use the <condition match=" "> element to evaluate and respond to the $count$ value when a user clicks on the visualization. In this scenario, a failed login count higher than 5,000 triggers the failed login runbook opening in the browser. A lower count triggers an informational web page opening instead.

Simple XML source code:

<single>
  <search>
    <query>source="recent_login_events" type=failed_login | stats count</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <done>
      <!-- Copy the result count into a custom token that <drilldown> can read -->
      <set token="count">$result.count$</set>
    </done>
  </search>
  <drilldown>
    <!-- The comparison operators are written as XML entities inside the attribute -->
    <condition match="$count$ &gt; 5000">
      <link>http://companydocs.com/high_failed_login_runbook</link>
    </condition>
    <!-- &lt;= rather than &lt;, so that a count of exactly 5000 also gets a link -->
    <condition match="$count$ &lt;= 5000">
      <link>http://companydocs.com/about_failed_logins</link>
    </condition>
  </drilldown>
</single>

TRIGGER CONTEXTUAL CHANGES IN THE SAME DASHBOARD

Goal: When a user clicks on a visualization, show customized content in the same dashboard.

Scenario: A table visualization shows event counts by sourcetype and log level. When users click on a sourcetype value, the dashboard shows a single
value aggregating events for the selected sourcetype. When users click on a log level value, an events list for the clicked log level appears instead.

How to set up the drilldown:


• Put <condition> elements inside the <drilldown> to define the two conditional responses to user clicks.
• Use the field attribute in each <condition> to check whether the user clicked a value in the sourcetype or log_level column.
• Use <set> to capture the clicked sourcetype or log_level value using the $click.value2$ predefined token.
• Use additional <set> and <unset> elements to manage token values that control panel display.
• Use depends attributes in the panels to respond to token value changes from the <drilldown>. A depends attribute means that the panel displays
only when the specified token is set. Similarly, you can use a rejects attribute to indicate that a panel should not display if the specified token is set.
• Use the $selected_sourcetype$ and $selected_log_level$ tokens in the panel search strings to generate content relevant to the user’s
clicked value.

Simple XML source code:

<row>
  <panel>
    <table>
      <title>Event counts by sourcetype and log level</title>
      <search>
        <query>index=_internal | stats count by sourcetype, log_level</query>
      </search>
      <drilldown>
        <!-- Click in the sourcetype column: show the single value panel -->
        <condition field="sourcetype">
          <set token="selected_sourcetype">$click.value2$</set>
          <set token="show_single_value">true</set>
          <unset token="show_event_list"></unset>
        </condition>
        <!-- Click in the log_level column: show the event list panel -->
        <condition field="log_level">
          <set token="selected_log_level">$click.value2$</set>
          <set token="show_event_list">true</set>
          <unset token="show_single_value"></unset>
        </condition>
      </drilldown>
    </table>
  </panel>
</row>
<row>
  <!-- Each panel displays only while the token in its depends attribute is set -->
  <panel depends="$show_single_value$">
    <title>Event count for $selected_sourcetype$</title>
    <single>
      <search>
        <query>index=_internal sourcetype=$selected_sourcetype$ | stats count</query>
      </search>
      […]
    </single>
  </panel>
  <panel depends="$show_event_list$">
    <title>Last five events with log level $selected_log_level$</title>
    <event>
      <option name="count">5</option>
      <search>
        <query>index=_internal log_level=$selected_log_level$</query>
      </search>
    </event>
  </panel>
</row>
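
An added example, not part of the Splunk guide: it replays two clicks against a trimmed copy of the dashboard above to show how <condition>, <set>, <unset> and depends decide which panels display and what searches they run. The simulate_click and visible_queries helpers are hypothetical names, and the model covers only field conditions, $click.value2$, and the depends and rejects attributes.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the dashboard above, wrapped in a <dashboard> root element.
DASHBOARD = """
<dashboard>
  <row><panel><table>
    <search><query>index=_internal | stats count by sourcetype, log_level</query></search>
    <drilldown>
      <condition field="sourcetype">
        <set token="selected_sourcetype">$click.value2$</set>
        <set token="show_single_value">true</set>
        <unset token="show_event_list"></unset>
      </condition>
      <condition field="log_level">
        <set token="selected_log_level">$click.value2$</set>
        <set token="show_event_list">true</set>
        <unset token="show_single_value"></unset>
      </condition>
    </drilldown>
  </table></panel></row>
  <row>
    <panel depends="$show_single_value$"><single><search>
      <query>index=_internal sourcetype=$selected_sourcetype$ | stats count</query>
    </search></single></panel>
    <panel depends="$show_event_list$"><event><search>
      <query>index=_internal log_level=$selected_log_level$</query>
    </search></event></panel>
  </row>
</dashboard>
"""
ROOT = ET.fromstring(DASHBOARD)
TOKEN_RE = re.compile(r"\$([\w.]+)\$")

def simulate_click(tokens, field, value):
    """Apply the <condition> for the clicked column and return the new token state."""
    tokens = dict(tokens)
    click = {"click.name2": field, "click.value2": value}
    cond = next((c for c in ROOT.iter("condition") if c.get("field") == field), [])
    for action in cond:
        if action.tag == "set":
            text = TOKEN_RE.sub(lambda m: click.get(m.group(1), ""), action.text or "")
            tokens[action.get("token")] = text
        elif action.tag == "unset":
            tokens.pop(action.get("token"), None)
    return tokens

def visible_queries(tokens):
    """Return the substituted search of every panel that the token state displays."""
    shown = []
    for panel in ROOT.iter("panel"):
        needs = TOKEN_RE.findall(panel.get("depends", ""))
        blocks = TOKEN_RE.findall(panel.get("rejects", ""))
        if all(t in tokens for t in needs) and not any(t in tokens for t in blocks):
            query = panel.find(".//query").text.strip()
            shown.append(TOKEN_RE.sub(lambda m: tokens.get(m.group(1), m.group(0)), query))
    return shown

if __name__ == "__main__":
    state = simulate_click({}, "sourcetype", "splunkd")
    print(state, visible_queries(state))
    state = simulate_click(state, "log_level", "ERROR")
    print(state, visible_queries(state))
```

After the second click $selected_sourcetype$ is still set, but its panel is hidden because show_single_value was unset. Display is controlled by the flag tokens, not by the captured values.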

Additional Resources

There are many additional resources to help you with creating visualizations and dashboards.

Splunk Documentation
docs.splunk.com

Dashboards and Visualizations
docs.splunk.com/Documentation/Splunk/latest/Viz

Topics include guidance on:

• Search and data formatting for visualizations
• Visualization configurations
• Using trellis layout
• Building dashboards in the dashboard editor user interface
• Building dashboards in Simple XML
• Dashboard permissions
• Drilldown and dashboard interactivity
• Token usage in dashboards

Troubleshooting and reference topics:

• Chart display issues
• Searches power dashboards and forms
• Simple XML reference
• Event handler reference

Custom Visualization Apps
docs.splunk.com/Documentation/CustomViz

Custom Visualization Developer API documentation
docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomVizDevOverview

Splunk Dashboard Examples App
splunkbase.splunk.com/app/1603/

Splunk Education courses
splunk.com/view/education/SP-CAAAAH9

Splunk Answers
answers.splunk.com

Splunk user community on Slack
splunk-usergroups.signup.team/

splunk.com
docs.splunk.com

Splunk Inc.
270 Brannan Street
San Francisco, CA 94107

Copyright © 2017 Splunk Inc. All rights reserved. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.

GDE-Splunk-QuickReferenceGuide-New-Dashboards-101
