Dashboard and Apps

bworrellZP
Communicator

Had a meeting with the boss today. He has asked if I can make a high-level items dashboard. This dashboard should use parts of the Cisco Security App's dashboard, the Sourcefire EStreamer App, etc.

Is there an easy way to take parts of dashboards from various apps, and put them on one in the Search App?

Thank you in advance.
Brian

0 Karma
1 Solution

lguinn2
Legend

Look at the permissions on the individual reports that you want and make them "global." Note that only a Splunk admin can do that. Watch out for supporting knowledge objects - if any of the reports use tags or eventtypes, etc., those would also need to be made global.
Now you can create a dashboard (in any app you choose) that incorporates the various reports.

You could also create a new app, and clone all the reports and knowledge objects that you need into the new app. This might be better than making things global. You can set it up so that the high-level dashboard is the default page when you go to the app. Then for some users, you could make that app the default. When they log in, they would immediately land on the high-level dashboard.

As a final alternative, you might consider embedded reports, which don't even require a login to Splunk in order to view.
More info on Embedded Reports

bworrellZP
Communicator

Thank you for the response. That part I had already done. It appears there are scripts and lookups that are part of these apps. If I want to use the dashboards in the Search app, so I can combine them into the dashboard I want, I have to assume I need to link to the scripts or move them.

Where would I need to move them (assuming I can find them)?

Thanks

0 Karma

lguinn2
Legend

I don't think that you will need the scripts in order to use the dashboards, as scripts are generally used for only two things:

  1. Getting data into Splunk can use scripts for data collection
  2. Alert actions can trigger a script

Try it without those. In fact, reverse engineer by

  1. Examine the dashboards to identify the searches (embedded or saved reports)
  2. Examine the searches to see if they use any knowledge objects: macros, tags or eventtypes
  3. Find the knowledge objects and either make them global or clone them to the new app
  4. In the original app, check to see if there are any lookups (especially automatic lookups). If yes, make the lookup table global and make the lookup definition global. If an automatic lookup exists, you can make it global, but I probably would not. I would clone the automatic lookup into the new app.
  5. In the original app, check to see if there are any fields defined that the report needs. If yes, make the field definitions global. (They may already be global, depending on how they were defined.)

That should be it. If you truly must copy the script files, you will find them in SPLUNK_HOME/etc/apps/oldapp/bin; put them in the corresponding directory in the new app.

0 Karma
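Steps 1 and 2 of the procedure above can be scripted, so that only the objects a dashboard actually depends on get shared globally or cloned. The following is an added example, not code from the thread or from either app: it scans a Simple XML dashboard for saved-report references and for macros, eventtypes, tags and lookups named in inline searches. The sample dashboard and every object name in it are constructed, and the regular expressions are a heuristic that covers only the common SPL forms.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Simple XML dashboard (sample input, not taken from either app).
SAMPLE_DASHBOARD = """
<dashboard>
  <label>High Level Items</label>
  <row>
    <panel>
      <chart><search ref="Top Blocked Sources"/></chart>
    </panel>
    <panel>
      <table>
        <search>
          <query>`fw_index` eventtype=ids_alert tag=attack
| lookup severity_map sig_id OUTPUT severity
| stats count by severity</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
"""

# Heuristic patterns for knowledge-object references inside SPL.
PATTERNS = {
    "macros": re.compile(r"`([^`(]+)(?:\([^`]*\))?`"),
    "eventtypes": re.compile(r"\beventtype\s*=\s*\"?([\w:.-]+)"),
    "tags": re.compile(r"\btag(?:::\w+)?\s*=\s*\"?([\w:.-]+)"),
    "lookups": re.compile(r"\|\s*(?:input)?lookup\s+(?:\w+=\S+\s+)*([\w.-]+)"),
}

def inventory(dashboard_xml):
    """Return saved-report refs and knowledge objects named in inline searches."""
    root = ET.fromstring(dashboard_xml)
    found = {name: set() for name in PATTERNS}
    found["saved_reports"] = set()
    for search in root.iter("search"):
        if search.get("ref"):  # panel backed by a saved report
            found["saved_reports"].add(search.get("ref"))
        query = search.findtext("query") or ""  # inline search, if any
        for name, pattern in PATTERNS.items():
            found[name].update(m.strip() for m in pattern.findall(query))
    return {name: sorted(values) for name, values in found.items()}

if __name__ == "__main__":
    for kind, names in inventory(SAMPLE_DASHBOARD).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

The search strings of the saved reports listed under `saved_reports` need the same scan, since their knowledge-object references are not in the dashboard XML.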