Dashboards & Visualizations
Highlighted

Dashboard and Apps

Communicator

Had a meeting with the boss today. He has asked if I can make a High level items dashboard. This Dashboard should use parts of the Cisco Security App's Dashboard, the Sourcefire EStreamer App, etc.

Is there an easy way to take parts of dashboards from various apps, and put them on one in the Search App?

Thank you in advance.
Brian

0 Karma
Highlighted

Re: Dashboard and Apps

Legend

Look at the permissions on the individual reports that you want and make them "global." Note that only a Splunk admin can do that. Watch out for supporting knowledge objects - if any of the reports use tags or eventtypes, etc., those would also need to be made global.
Now you can create a dashboard (in any app you choose) that incorporates the various reports.

You could also create a new app, and clone all the reports and knowledge objects that you need into the new app. This might be better than making things global. You can set it up so that the high level dashboard is the default page when you go to the app. Then for some users, you could make that app the default. When they login, they would immediately land on the high-level dashboard.

As a final alternative, you might consider embedded reports, which don't even require a login to Splunk in order to view.
More info on Embedded Reports

View solution in original post

Highlighted

Re: Dashboard and Apps

Communicator

Thank you for the response. That part I had already done. It appears there are scripts and lookups that are part of these apps. If I want to use the dashboards in the Search app, so I can combine them into the dashboard I want, have to assume I need to link to the scripts or move them.

Where would I need to move them (assuming I can find them)

Thanks

0 Karma
Highlighted

Re: Dashboard and Apps

Legend

I don't think that you will need the scripts in order to use the dashboards, as scripts are generally used for only two things:

  1. Getting data into Splunk can use scripts for data collection
  2. Alert actions can trigger a script

Try it without those. In fact, reverse engineer by

  1. Examine the dashboards to identify the searches (embedded or saved reports)
  2. Examine the searches to see if they use any knowledge objects: macros, tags or eventtypes
  3. Find the knowledge objects and either make them global or clone them to the new app
  4. In the original app, check to see if there are any lookups (especially automatic lookups). If yes, make the lookup table global and make the lookup definition global. If an automatic lookup exists, you can make it global, but I probably would not. I would clone the automatic lookup into the new app.
  5. In the original app, check to see if there are any fields defined that the report needs. If yes, make the field definitions global. (They may already be global, depending on how they were defined.)

That should be it. If you truly must copy the script files, you will find them in SPLUNK_HOME/etc/apps/oldapp/bin; put them in the corresponding directory in the new app.

0 Karma