Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Basic Dashboard
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
peter_gianusso
Communicator
03-11-2013
12:20 PM
Looking for a basic dashboard that does things like the following:
- number of events indexed over the past 7 days by day
- top 5 source types indexed in the past 7 days
- top 5 alerts emailed in the past 7 days by sourcetype
I looked through the dashboard example application and the examples are just not relevant.
thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonuwz
Influencer
03-11-2013
01:37 PM
Events indexed in last 7 days
earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*
Top 5 sourcetypes in last 7 days
earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | top limit=5 series
Top 5 alerts emailed in last 7 days
index=_audit action=alert_fired | top limit=5 ss_name
Getting this by sourcetype doesn't make sense. Alerts are not bound by sourcetypes, they're orthogonal concepts. Conditions for alerts are independent of the sourcetype, unless you specify it in the alert search
Choose a visualization you like from the samples, replace the search with the ones above and away you go ..
Because my simplexml-fu is weak
Example :
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
<label>Throughput Summary</label>
<row>
<chart>
<searchString>index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Indexed Events</title>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
</chart>
</row>
<row>
<table>
<searchString>index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -count | head 5 | rename series as Sourcetype</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Top 5 Sourcetype by Volume</title>
</table>
</row>
<row>
<table>
<searchString>index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Top 5 Alert Generating Searches</title>
</table>
</row>
</dashboard>
And because advanced XML is better
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
<label>Throughput Summary</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="DashboardTitleBar" layoutPanel="viewHeader"/>
<module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" group="Indexed Events" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_* | fillnull value=0</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row1_col1_grp1">
<param name="charting.chart">column</param>
<param name="charting.chart.stackMode">stacked</param>
<module name="JSChart"/>
</module>
<module name="HiddenPostProcess">
<param name="search">addtotals | fields _time Total </param>
<module name="SimpleResultsTable" layoutPanel="panel_row1_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row2_col1_grp1" group="Top 5 Sourcetypes by Volume" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -Events | head 5 | rename series as Sourcetype</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row2_col1_grp1">
<param name="charting.chart">pie</param>
<param name="charting.chart.sliceCollapsingThreshold">0</param>
<module name="JSChart"/>
</module>
<module name="SimpleResultsTable" layoutPanel="panel_row2_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row3_col1_grp1" group="Top 5 Saved Searches by Alert Generation" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row3_col1_grp1">
<param name="charting.chart">pie</param>
<param name="charting.chart.sliceCollapsingThreshold">0</param>
<module name="JSChart"/>
</module>
<module name="SimpleResultsTable" layoutPanel="panel_row3_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
</view>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonuwz
Influencer
03-11-2013
01:37 PM
Events indexed in last 7 days
earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*
Top 5 sourcetypes in last 7 days
earliest=-7d@d latest=@d index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | top limit=5 series
Top 5 alerts emailed in last 7 days
index=_audit action=alert_fired | top limit=5 ss_name
Getting this by sourcetype doesn't make sense. Alerts are not bound by sourcetypes, they're orthogonal concepts. Conditions for alerts are independent of the sourcetype, unless you specify it in the alert search
Choose a visualization you like from the samples, replace the search with the ones above and away you go ..
Because my simplexml-fu is weak
Example :
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
<label>Throughput Summary</label>
<row>
<chart>
<searchString>index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_*</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Indexed Events</title>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
</chart>
</row>
<row>
<table>
<searchString>index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -count | head 5 | rename series as Sourcetype</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Top 5 Sourcetype by Volume</title>
</table>
</row>
<row>
<table>
<searchString>index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</searchString>
<earliestTime>-7d@d</earliestTime>
<latestTime>@d</latestTime>
<title>Top 5 Alert Generating Searches</title>
</table>
</row>
</dashboard>
And because advanced XML is better
<view autoCancelInterval="90" isVisible="true" objectMode="SimpleDashboard" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
<label>Throughput Summary</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="DashboardTitleBar" layoutPanel="viewHeader"/>
<module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" group="Indexed Events" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_internal source="*metrics.log" group="per_index_thruput" | timechart span=1d sum(ev) by series | fields - VALUE_* | fillnull value=0</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row1_col1_grp1">
<param name="charting.chart">column</param>
<param name="charting.chart.stackMode">stacked</param>
<module name="JSChart"/>
</module>
<module name="HiddenPostProcess">
<param name="search">addtotals | fields _time Total </param>
<module name="SimpleResultsTable" layoutPanel="panel_row1_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row2_col1_grp1" group="Top 5 Sourcetypes by Volume" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_internal source="*metrics.log" group="per_sourcetype_thruput" NOT (series=splunk* OR series=searches OR series=audittrail OR series=stash OR series=scheduler) | stats sum(ev) as Events by series | sort -Events | head 5 | rename series as Sourcetype</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row2_col1_grp1">
<param name="charting.chart">pie</param>
<param name="charting.chart.sliceCollapsingThreshold">0</param>
<module name="JSChart"/>
</module>
<module name="SimpleResultsTable" layoutPanel="panel_row2_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
<module name="HiddenSearch" layoutPanel="panel_row3_col1_grp1" group="Top 5 Saved Searches by Alert Generation" autoRun="True">
<param name="earliest">-7d@d</param>
<param name="latest">@d</param>
<param name="search">index=_audit action=alert_fired | top limit=5 ss_name | rename ss_name as "Saved Search" count as Alerts | fields - percent</param>
<module name="JobProgressIndicator">
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="HiddenChartFormatter" layoutPanel="panel_row3_col1_grp1">
<param name="charting.chart">pie</param>
<param name="charting.chart.sliceCollapsingThreshold">0</param>
<module name="JSChart"/>
</module>
<module name="SimpleResultsTable" layoutPanel="panel_row3_col1_grp2">
<param name="displayRowNumbers">off</param>
</module>
</module>
</module>
</module>
</view>
Get Updates on the Splunk Community!
Application management with Targeted Application Install for Victoria Experience
Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...
Index This | What goes up and never comes down?
January 2026 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination
The Power of Two: Splunk + Cisco at "Ludicrous Scale"
You know Splunk. You know Cisco. But have you seen ...
