https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/709956#M58048 <BLOCKQUOTE><HR />Please let me know if any panel needs to be modified or more detailed than this basic ones. Also please suggest if any new panel can be added. Please suggest any drilldowns as well.<HR /></BLOCKQUOTE><P>These are questions only your stakeholders can answer.&nbsp; If the proposed panels answer the questions they have or solve their problems then modifications may not be necessary.</P> Tue, 28 Jan 2025 13:04:14 GMT richgalloway 2025-01-28T13:04:14Z https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/709933#M58047 <P>Hello all,</P><P>I have an ask to create a sample dashboard with the data present. Hence I have created following panels with dropdowns available:</P><OL><LI><H5>Total Traffic vs Attack Traffic -&nbsp; | stats count as "Total Traffic" count(eval(isnotnull(attack_type))) as "Attack Traffic".</H5></LI><LI>Top 10 Hostnames / FQDN Targeted -&nbsp;|stats count by fqdn</LI><LI>No of Error logs -&nbsp;|search severity = Error |stats count</LI><LI>No of Critical logs -&nbsp;|search severity = Critical |stats count</LI><LI>Attack Classification by % - (Num of Attacks) -&nbsp;|top limit=10 attack_type</LI><LI>Top 10 IP Addresses -&nbsp;| top ip_client limit=10</LI><LI>Daily Attack Trend -&nbsp;|timechart count(attack_type) as count span=1d</LI><LI>Weekly Attack Trend -&nbsp;|timechart count(attack_type) as count span=1w</LI><LI>Status Codes Trend -&nbsp;|stats count by response_code</LI><LI>HTTP Method Used -&nbsp;|stats count by method</LI><LI>Log Details -&nbsp;|table _time, ip_client, method, policy_name, response_code, support_id, severity, violations, sub_violations, violation_rating, uri</LI></OL><P>All searches followed by base search.</P><P>Please let me know if any panel needs to be modified or more detailed than this basic ones. Also please suggest if any new panel can be added. Please suggest any drilldowns as well.</P> Tue, 28 Jan 2025 10:34:38 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/709933#M58047 splunklearner 2025-01-28T10:34:38Z https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/709956#M58048 <BLOCKQUOTE><HR />Please let me know if any panel needs to be modified or more detailed than this basic ones. Also please suggest if any new panel can be added. Please suggest any drilldowns as well.<HR /></BLOCKQUOTE><P>These are questions only your stakeholders can answer.&nbsp; If the proposed panels answer the questions they have or solve their problems then modifications may not be necessary.</P> Tue, 28 Jan 2025 13:04:14 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/709956#M58048 richgalloway 2025-01-28T13:04:14Z https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/709960#M58049 <P>The main question is what the dashboard is supposed to be for.</P><P>Are you solving some problem from within your organization? In such case - as <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a> pointed out - you should have requirements for this dashboard.</P><P>Are you preparing a PoC/PoV as a partner? Consult partner portal resources for existing demo resources.</P><P>Are you looking to expand existing Splunk infrastructure within your company to different divisions and use cases? Consult potential stakeholders and check what would be their expectations on the product and try to make something targeting their needs.</P><P>The general answer is "depends on what you have and what you need".</P> Tue, 28 Jan 2025 13:22:25 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/709960#M58049 PickleRick 2025-01-28T13:22:25Z https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/709981#M58050 <P>Actually it is a new project and creating sample dashboards for application teams. Just want to check any use cases I can get related to my fields given above...</P> Tue, 28 Jan 2025 15:26:08 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/709981#M58050 splunklearner 2025-01-28T15:26:08Z https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/710051#M58055 <P>To go slightly tangential to your post, you refer to base searches. Note that a base search that does NOT do aggregation is a bad use of a base search, so if you are just doing</P><LI-CODE lang="markup">index=xxx | fields *</LI-CODE><P>in your base search and not doing a transforming command, that is not a good example to be showing in an example dashboard. It will often perform worse than one using a transforming command, but also has significant limitations in that it can only hold a limited set of results.</P><P>See this</P><P><A href="https://docs.splunk.com/Documentation/Splunk/9.4.0/Viz/Savedsearches#Post-process_searches_2" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.4.0/Viz/Savedsearches#Post-process_searches_2</A></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 Jan 2025 23:17:01 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/710051#M58055 bowesmana 2025-01-28T23:17:01Z https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/710102#M58077 <P>It is the same answer as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;already gave - check with your stakeholders as to what they want. There is little point building a dashboard that nobody is going to use! Start small with just one or two panels and see if they find it useful and ask them how it might be changed and what else they might want to see.</P> Wed, 29 Jan 2025 09:23:01 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/710102#M58077 ITWhisperer 2025-01-29T09:23:01Z https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/759458#M59405 <P>for failed auth monitoring i usually start with three panels: failed logins by hour (timechart), top source IPs (stats count by src_ip), and top targeted users (stats count by user). if you're using CIM normalized fields its pretty straightforward. layout wise i do the timechart full width on top, then the two tables side by side below it</P> Thu, 19 Mar 2026 23:12:31 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sample-Dashboard-ideas/m-p/759458#M59405 maroond 2026-03-19T23:12:31Z