Dashboards - Panels within panels

Armyeric
Path Finder

I am trying to build a master dashboard that will display multiple single alarms. I would like to use a panel to group 2 or 3 similar panels. There are a few comments indicating panel limit or performance issue if you have too many panels, but these are single views (probably about 15 in total). This is mainly for a SOC display so we can see general issues at a glance.

Example:
Panel 1 AD [(AD elevated group modification)(AD expired accounts)(AD account lockout count)]
Panel 2 AirMagnet [(Rogue Accounts detected)(Sensor Count)(Sensor failures)]
Panel 3 AV [(Threats not Remediated)(Threats detected)]
etc., etc., etc...

I have tried using tables in tables, tables in rows...

Thoughts...suggestions...?

0 Karma
1 Solution

rturk
Builder

Hi Armyeric,

I would recommend having a look at the Splunk Dashboard Examples app to see how this is done (as well as many other things). The only thing is you'll have to start dealing with Advanced XML.

For example, in the Splunk for Palo Alto Networks app, on the "PAN Overview" page you have multiple elements embedded in a single panel:

[image]
(Never mind that there's no data in there - you get the idea)

Also, if you poke and prod around other apps and see something you like, you can always put:

?showsource=1

...on the end of the URL to see how they implemented it and re-use it for your own needs.

Hope this helps 🙂


kmattern
Builder

If you want to use Sideview Utils you can do something like this and output your data in HTML. It's much neater and easier to format the output exactly as you wish. Again, Advanced XML, but it's worth it.

  <!-- Sideview Utils Search module: each appended subsearch adds one result row (rows 0-3) -->
  <module name="Search" layoutPanel="panel_row1_col1_grp1" group="Page Views by Type for Yesterday" autoRun="True">
    <param name="search">
      sourcetype="solaris" earliest=-1d@d latest=-d /composites/events WebPage!="index.htm*" | stats count(WebPage) as "Events"
      | append [search sourcetype="solaris" earliest=-1d@d latest=-d /composites/safety WebPage!="index.htm*" | stats count(WebPage) as "Safety"]
      | append [search sourcetype="solaris" earliest=-1d@d latest=-d /composites/maint WebPage!="index.htm*" | stats count(WebPage) as "Maintenance"]
      | append [search sourcetype="solaris" earliest=-1d@d latest=-d /composites/design WebPage!="index.htm*" | stats count(WebPage) as "Design"]
    </param>
    <!-- Sideview Utils HTML module: $results[N].field$ pulls a field from result row N -->
    <module name="HTML" layoutPanel="panel_row1_col1_grp1">
      <param name="maxRows">11</param>
      <param name="html">
        <![CDATA[
<style type="text/css">
  .dashboardCell .HTML {
    padding:0px;
    margin:0px;
  }
</style>
<h3>Events = $results[0].Events$</h3>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<h3>Safety and Training = $results[1].Safety$</h3>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<h3>Maintenance and Repair = $results[2].Maintenance$</h3>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<h3>Design, Engineering and Fabrication = $results[3].Design$</h3>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        ]]>
      </param>
    </module>
  </module>
0 Karma
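
The grouping asked about in the original question, sketched with stock Advanced XML modules (HiddenSearch and SingleValue) and the same `panel_rowN_colN_grpN` naming used in the snippet above. This is an added example, not code from any poster in this thread; the view label, searches, sourcetype and the `ad_expired_accounts.csv` lookup are assumptions to be replaced with your own alarm searches.

```xml
<view template="dashboard.html">
  <!-- Added example: all searches and labels below are constructed placeholders -->
  <label>SOC Overview</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>

  <!-- Panel 1 (AD): three single values placed in the same row/column cell,
       distinguished only by the _grp1, _grp2, _grp3 suffix -->
  <module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" group="AD" autoRun="True">
    <!-- 4728/4732/4756: member added to a security-enabled global/local/universal group -->
    <param name="search">sourcetype="WinEventLog:Security" EventCode=4728 OR EventCode=4732 OR EventCode=4756 | stats count</param>
    <param name="earliest">-24h</param>
    <module name="SingleValue">
      <param name="field">count</param>
      <param name="afterLabel">elevated group modifications</param>
    </module>
  </module>

  <module name="HiddenSearch" layoutPanel="panel_row1_col1_grp2" autoRun="True">
    <!-- Hypothetical lookup file holding the current list of expired accounts -->
    <param name="search">| inputlookup ad_expired_accounts.csv | stats count</param>
    <module name="SingleValue">
      <param name="field">count</param>
      <param name="afterLabel">expired accounts</param>
    </module>
  </module>

  <module name="HiddenSearch" layoutPanel="panel_row1_col1_grp3" autoRun="True">
    <!-- 4740: a user account was locked out -->
    <param name="search">sourcetype="WinEventLog:Security" EventCode=4740 | stats count</param>
    <param name="earliest">-24h</param>
    <module name="SingleValue">
      <param name="field">count</param>
      <param name="afterLabel">account lockouts</param>
    </module>
  </module>

  <!-- Panel 2 (AirMagnet) would repeat the pattern with panel_row1_col2_grp1..grp3,
       Panel 3 (AV) with panel_row1_col3_grp1..grp2 -->
</view>
```
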

Armyeric
Path Finder

Thanks kmattern. I am looking into both items mentioned.

0 Karma

Armyeric
Path Finder

Thanks for the info. I am unfortunately stuck on 4.3.1, but your response put me in the right direction. UI_Examples is for 4.3+ users

0 Karma