Dashboards & Visualizations

Basic Dashboard

peter_gianusso
Communicator

Looking for a basic dashboard that does things like the following:

  • number of events indexed over the past 7 days by day
  • top 5 source types indexed in the past 7 days
  • top 5 alerts emailed in the past 7 days by sourcetype

I looked through the dashboard example application and the examples are just not relevant.

thanks!

1 Solution

jonuwz
Influencer

Events indexed in last 7 days

earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_* 

Top 5 sourcetypes in last 7 days

earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | top limit=5 series

Top 5 alerts emailed in last 7 days

index=_audit action=alert_fired | top limit=5 ss_name

Getting this by sourcetype doesn't make sense. Alerts are not bound by sourcetypes; they're orthogonal concepts. Conditions for alerts are independent of the sourcetype, unless you specify it in the alert search.

Choose a visualization you like from the samples, replace the search with the ones above and away you go.

Because my simplexml-fu is weak

Example:

<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>Throughput Summary</label>
  <row>
    <chart>
      <searchString>index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*</searchString>
      <earliestTime>-7d@d</earliestTime>
      <latestTime>@d</latestTime>
      <title>Indexed Events</title>
      <option name="charting.chart">column</option>
      <option name="charting.chart.stackMode">stacked</option>
    </chart>
  </row>
  <row>
    <table>
      <!-- sort on the summed field (Events); "count" is not produced by this stats call -->
      <searchString>index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -Events | head 5 | rename series as Sourcetype</searchString>
      <earliestTime>-7d@d</earliestTime>
      <latestTime>@d</latestTime>
      <title>Top 5 Sourcetype by Volume</title>
    </table>
  </row>
  <row>
    <table>
      <searchString>index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</searchString>
      <earliestTime>-7d@d</earliestTime>
      <latestTime>@d</latestTime>
      <title>Top 5 Alert Generating Searches</title>
    </table>
  </row>
</dashboard>

And because advanced XML is better

<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
  <label>Throughput Summary</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="DashboardTitleBar" layoutPanel="viewHeader"/>

  <module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" group="Indexed Events" autoRun="True">
    <param name="earliest">-7d@d</param>
    <param name="latest">@d</param>
    <param name="search">index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_* | fillnull value=0</param>
    <module name="JobProgressIndicator"> 
      <module name="EnablePreview">
        <param name="display">False</param>
        <param name="enable">True</param>
        <module name="HiddenChartFormatter" layoutPanel="panel_row1_col1_grp1">
          <param name="charting.chart">column</param>
          <param name="charting.chart.stackMode">stacked</param>
          <module name="JSChart"/>
        </module>
        <module name="HiddenPostProcess">
          <param name="search">addtotals | fields _time Total </param>
          <module name="SimpleResultsTable" layoutPanel="panel_row1_col1_grp2">
            <param name="displayRowNumbers">off</param>
          </module>
        </module>
      </module>
    </module>
  </module>

  <module name="HiddenSearch" layoutPanel="panel_row2_col1_grp1" group="Top 5 Sourcetypes by Volume" autoRun="True">
    <param name="earliest">-7d@d</param>
    <param name="latest">@d</param>
    <param name="search">index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -Events | head 5 | rename series as Sourcetype</param>
    <module name="JobProgressIndicator"> 
      <module name="EnablePreview">
        <param name="display">False</param>
        <param name="enable">True</param>
        <module name="HiddenChartFormatter" layoutPanel="panel_row2_col1_grp1">
          <param name="charting.chart">pie</param>
          <param name="charting.chart.sliceCollapsingThreshold">0</param>
          <module name="JSChart"/>
        </module>
        <module name="SimpleResultsTable" layoutPanel="panel_row2_col1_grp2">
            <param name="displayRowNumbers">off</param>
        </module>
      </module>
    </module>
  </module>

  <module name="HiddenSearch" layoutPanel="panel_row3_col1_grp1" group="Top 5 Saved Searches by Alert Generation" autoRun="True">
    <param name="earliest">-7d@d</param>
    <param name="latest">@d</param>
    <param name="search">index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</param>
    <module name="JobProgressIndicator"> 
      <module name="EnablePreview">
        <param name="display">False</param>
        <param name="enable">True</param>
        <module name="HiddenChartFormatter" layoutPanel="panel_row3_col1_grp1">
          <param name="charting.chart">pie</param>
          <param name="charting.chart.sliceCollapsingThreshold">0</param>
          <module name="JSChart"/>
        </module>
        <module name="SimpleResultsTable" layoutPanel="panel_row3_col1_grp2">
          <param name="displayRowNumbers">off</param>
        </module>
      </module>
    </module>
  </module>

</view>
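The `<searchString>`/`<earliestTime>` elements in the Simple XML above are the legacy (pre-6.x) form; current Simple XML puts the SPL in `<search>`/`<query>` with `<earliest>`/`<latest>`, and wraps each visualization in a `<panel>`. The same three panels in that form, with a shared time picker so the seven-day window is no longer hard-coded, as an added example that is not part of the original answer (the token name `tok_time` and the panel titles are my own choices):

```xml
<dashboard>
  <label>Throughput Summary</label>

  <!-- one time picker drives all three panels; defaults reproduce -7d@d .. @d -->
  <fieldset submitButton="false">
    <input type="time" token="tok_time">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>@d</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Indexed Events</title>
      <chart>
        <search>
          <!-- fillnull keeps days with no events for an index as 0 instead of gaps in the stack -->
          <query>index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_* | fillnull value=0</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <title>Top 5 Sourcetypes by Volume</title>
      <table>
        <search>
          <!-- internal sourcetypes excluded as in the original answer; sort on the summed field -->
          <query>index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -Events | head 5 | rename series as Sourcetype</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Top 5 Alert Generating Searches</title>
      <table>
        <search>
          <!-- _audit records every alert_fired; ss_name is the saved search that fired -->
          <query>index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Save this as a view under an app (for example `$SPLUNK_HOME/etc/apps/<app>/local/data/ui/views/throughput_summary.xml`) or paste it into the dashboard editor's Source view. Reading `_internal` and `_audit` requires a role whose indexes allowed list includes them, so check that the users who will open the dashboard can actually search those indexes before handing it out.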
