Add panel to search home page dashboard

pdash · ‎01-25-2013

I want to add another panel to the splunk search page. Like a chart to show all indexes and their usage. How to add to this dashboard? It doesnot show up in existing dashboards.

DonD3 · ‎02-02-2014

Below is the XML for a different approach to solving this problem. The nice thing about doing it this way is that it is formatted in a similar fashion to the Sources, Source types and Hosts tables that already appear on the page. Enjoy! (This was done with Splunk 5.0.4.)

    <!-- The list of indexes-->
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">| rest /services/data/indexes | fields title totalEventCount updated | rename title AS index, totalEventCount AS Count, updated AS "Last Update" | fieldformat "Last Update"=strftime(strptime('Last Update', "%Y-%m-%dT%T+%3N:%6N"), "%a %b %d %T %Y UTC") | fieldformat Count=tostring(Count, "commas") | eval index=mvfilter(match(index, "^[a-z]")) | where(index!="history") | where(index!="main") | where(index!="sos") | where(index!="sos_summary_daily") | where(index!="splunklogger") | where(index!="summary") | dedup index </param>
   <module name="SimpleResultsHeader">
      <param name="entityName">results</param>
      <param name="headerFormat">Indexes (%(count)s)</param>
      <module name="Paginator">
        <param name="entityName">results</param>
        <param name="maxPages">10</param>
        <module name="SimpleResultsTable">
          <param name="entityName">results</param>
          <param name="drilldown">row</param>
          <module name="HiddenSearch">
            <param name="search">*</param>
            <module name="ConvertToIntention">
              <param name="intention">
                <param name="name">addterm</param>
                <param name="arg">
                  <param name="index">$click.value$</param>
                </param>
              </param>
              <module name="ViewRedirector">
                <param name="viewTarget">flashtimeline</param>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>

chris · ‎01-25-2013

Hi I just had a go at creating the kind of dashboard you wanted to create. The interesting part is at the end. The search i used to get information about the indexes ist:

| rest /services/data/indexes count=0  | chart sum(currentDBSizeMB) by title

You might have to use the splunk_server option if you have a distributed environment and only want to list indexes on specific splunk servers:

| rest /services/data/indexes count=0  splunk_server=myserver | chart sum(currentDBSizeMB) by title



<view stylesheet="dashboard2.css" template="dashboard.html">
  <label>Summary</label>

  <module name="AccountBar" layoutPanel="appHeader" />

  <module name="AppBar" layoutPanel="navigationHeader" />

  <module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
  </module>

  <module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
  </module>

  <module name="SearchBar" layoutPanel="splSearchControls-inline">
<param name="useAssistant">true</param>
<param name="useTypeahead">true</param>
<param name="useOwnSubmitButton">False</param>

<module name="TimeRangePicker">
  <param name="selected">All time</param>
  <param name="searchWhenChanged">False</param>

  <module name="SubmitButton">
    <param name="allowSoftSubmit">True</param>

    <module name="ViewRedirector" layoutPanel="viewHeader">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>
  </module>
  <!--
indexed data panels
-->
  <!-- The first list of sources -->

  <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="true">
<param name="search">| metadata type=sources | search totalCount&gt;0 | rename totalCount as Count recentTime as "Last Update" | table source Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>

<module name="SimpleResultsHeader">
  <param name="entityName">results</param>
  <param name="headerFormat">Sources (%(count)s)</param>
  <!-- SPL-42701.  Add back in later.






<module name="PostProcessFilter">
<param name="prefixSearch">eval _raw=source</param>
-->

  <module name="Paginator">
    <param name="entityName">results</param>
    <param name="maxPages">10</param>

    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
      <param name="drilldown">row</param>

      <module name="HiddenSearch">
    <param name="search">*</param>

    <module name="ConvertToIntention">
      <param name="intention">
        <param name="name">addterm</param>
        <param name="arg">
          <param name="source">$click.value$</param>
        </param>
      </param>

      <module name="ViewRedirector">
        <param name="viewTarget">flashtimeline</param>
        <param name="uriParam.auto_pause">true</param>
      </module>
    </module>
      </module>
    </module>
    <!--
SPL-42701.  Add back in later.
</module>
-->
  </module>
</module>
  </module>

  <module name="StaticContentSample" layoutPanel="panel_row1_col1" group="All indexed data">
<param name="text">This lists all of the data you have loaded into your default indexes. &lt;a href="/manager/search/adddata"&gt; Add more data&lt;/a&gt;.</param>
<param name="groupLabel">All indexed data</param>
  </module>
  <!-- The list of sourcetypes AND the top panel -->

  <module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="true">
<param name="search">| metadata type=sourcetypes | search totalCount&gt;0 | rename totalCount as Count recentTime as "Last Update"</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>

<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
  <param name="search">| stats sum(Count)</param>

  <module name="SingleValue">
    <param name="beforeLabel">Events indexed</param>
    <param name="format">number</param>
  </module>
</module>

<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
  <param name="search">| stats min(firstTime) as min | eval min=strftime(min,"%c")</param>

  <module name="SingleValue">
    <param name="beforeLabel">Earliest event</param>
    <param name="format">string</param>
  </module>
</module>

<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
  <param name="search">| stats max(lastTime) as max | eval max=strftime(max,"%c")</param>

  <module name="SingleValue">
    <param name="beforeLabel">Latest event</param>
    <param name="format">string</param>
  </module>
</module>

<module name="HiddenPostProcess" layoutPanel="panel_row3_col1">
  <param name="search">table sourcetype Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>

  <module name="SimpleResultsHeader">
    <param name="entityName">results</param>
    <param name="headerFormat">Source types (%(count)s)</param>

    <module name="Paginator">
      <param name="entityName">results</param>
      <param name="maxPages">10</param>

      <module name="SimpleResultsTable">
    <param name="entityName">results</param>
    <param name="drilldown">row</param>

    <module name="HiddenSearch">
      <param name="search">*</param>

      <module name="ConvertToIntention">
        <param name="intention">
          <param name="name">addterm</param>
          <param name="arg">
        <param name="sourcetype">$click.value$</param>
          </param>
        </param>

        <module name="ViewRedirector">
          <param name="viewTarget">flashtimeline</param>
          <param name="uriParam.auto_pause">true</param>
        </module>
      </module>
    </module>
      </module>
    </module>
  </module>
</module>
  </module>
  <!-- The list of hosts -->

  <module name="HiddenSearch" layoutPanel="panel_row3_col2" autoRun="true">
<param name="search">| metadata type=hosts | search totalCount&gt;0 | rename totalCount as Count recentTime as "Last Update" | table host Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>

<module name="SimpleResultsHeader">
  <param name="entityName">results</param>
  <param name="headerFormat">Hosts (%(count)s)</param>

  <module name="Paginator">
    <param name="entityName">results</param>
    <param name="maxPages">10</param>

    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
      <param name="drilldown">row</param>

      <module name="HiddenSearch">
    <param name="search">*</param>

    <module name="ConvertToIntention">
      <param name="intention">
        <param name="name">addterm</param>
        <param name="arg">
          <param name="host">$click.value$</param>
        </param>
      </param>

      <module name="ViewRedirector">
        <param name="viewTarget">flashtimeline</param>
        <param name="uriParam.auto_pause">true</param>
      </module>
    </module>
      </module>
    </module>
  </module>
</module>
  </module>

  <module name="HiddenSearch" layoutPanel="panel_row1_col2" autoRun="true">
<param name="latest">now</param>
<param name="earliest">-15m</param>
<param name="search"><![CDATA[
| rest /services/data/indexes count=0  | chart sum(currentDBSizeMB) by title
]]></param>

<module name="HiddenChartFormatter">
  <param name="chart">pie</param>
  <param name="chartTitle">Index Sizes</param>

  <module name="JSChart" />
</module>

<module name="SimpleResultsHeader">
  <param name="entityName">results</param>
  <param name="headerFormat">Indexes (%(count)s)</param>

  <module name="Paginator">
    <param name="entityName">results</param>

    <module name="SimpleResultsTable" />
  </module>
</module>
  </module>
</view>

chris · ‎01-25-2013

I'm assuming you're talking about this view at
http://yourserver/en-US/manager/search/data/ui/views:

The view/dashboard is in:
$SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml

You can go to the manager in the search app click "User Interface" and then "Views" there you see the dashboard_live you can clone it or edit it directly

Add panel to search home page dashboard

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Add panel to search home page dashboard

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey