I have a handful of searches that I want to build into reports and dashboards so I can collaborate with my team. Can you give me a sketch of how Splunk reports and dashboards work?
Dashboards are where search results coalesce into a way to visualize and analyze the meaning in your data.
Note: This answer applies to Splunk Enterprise and Splunk Cloud.
A dashboard is a collection of views made up of panels representing your search results. Each panel presents the results of a search, often as a visualizations, such as a table, chart, graph, or even something custom. The dashboard editor enables you to build dashboards using drag-and-drop editing, or using underlying markup Simple XML. You can reuse dashboard panels across various dashboards by creating prebuilt panels.
SPL supports many types of commands that can clarify the lens through which you see your data. For example, you can use transforming commands in your SPL queries to build statistics and advanced visualizations.
Hi @divyagiri, @SloshBurch is absolutely correct. The best place to begin would be to work through the Splunk Search Tutorial: https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial.
It sounds like you're not the one creating the searches that back the visualizations on an existing dashboard? Otherwise, you would see the direct results of your search, called "events" populated in a table before choosing a visualization that represents that data, and then creating a dashboard. The fields that are extracted which group these events are listed to the left of the statistics table. Once you see the results of your data, you can choose a visualization if you've used a command that results in a statistics table. You'll see this option in a tab above the results table.
The Splunk Search tutorial is an excellent place to start, but so is the Splunk Dashboards and Visualizations Manual https://docs.splunk.com/Documentation/Splunk/latest/Viz/Aboutthismanual
And, yes, if someone has shared a dashboard with you and you have the correct permissions or they've set up the option, you can hover over the visualization to "Open in Search" and see the raw data for yourself.
Best,
Eve
Dashboards are where search results coalesce into a way to visualize and analyze the meaning in your data.
Note: This answer applies to Splunk Enterprise and Splunk Cloud.
A dashboard is a collection of views made up of panels representing your search results. Each panel presents the results of a search, often as a visualizations, such as a table, chart, graph, or even something custom. The dashboard editor enables you to build dashboards using drag-and-drop editing, or using underlying markup Simple XML. You can reuse dashboard panels across various dashboards by creating prebuilt panels.
SPL supports many types of commands that can clarify the lens through which you see your data. For example, you can use transforming commands in your SPL queries to build statistics and advanced visualizations.
,How do I validate the data in the dashboard against the source data?
Hi @divyagiri - I think that will be better handled as a new question all together. In such a post, provide some information about what you're facing. For example, are you trying to validate that the panels are showing all the relevant data? Are you concerned about if that data has all been received yet? Doubts about the underlying search? Issues with the source data before it gets to Splunk? There's a lot of ways this question can go.
Hi @SloshBurch,
My question is how do I make sure that the panels are showing the exact data. For an instance at the source the value is "100" and in the dashboard it should be "100". So is there any check mechanism to validate that data?
Hi @divyagiri - I'm having trouble finding the docs page that shows this, but if you mouse over a dashboard panel then the bottom right will expand to show a number of controls. The first item is a magnifying glass which can be used to open the search in a new window where you can inspect it and validate the underlying data. If those buttons do not appear then it's possible the dashboard creator included an option to hide them. Alternatively, when editing a dashboard you can find similar controls as outlined in the Add controls to a dashboard section of the Create dashboards and panels topic of the Splunk® Enterprise Search Tutorial manual.
I highly recommend that further questions on this be spun up as a new question post so the question can get better visibility and help.
Added related video.