Dashboards & Visualizations

How to create a Read-Only dashboard in Splunk - Configuration steps

lindbergh_calde
Explorer

I have created this quick guide which I collated from different posts, which should be able to help other Splunkers do the same.

1 Solution

lindbergh_calde
Explorer

Create an copy of the Search and Reporting app
Note: Creating a copy of the search and reporting app will allow for making the required customisation's without the interfering with the original Search and Reporting app used by other roles (admins, power users, etc.) of the system.
For this article the new app will be labelled "University Management App"

Create a New Role
Create a new role e.g Management_Users via:
Settings -> Access Control -> Roles
Assign this role the default app: (University Management App). This app will contains the dashboards created specifically for the Management_Users role
Assign this new role (Management_Users) the same privileges as the "User" role
Under "Indexes search by default" and "Indexes" select the indexes that will be search for the management dashboard. Only assign the required indexes
Save the new role

Customise University Management App Permissions
Set the permissions for this app via Apps -> Manage Apps > University Management App ->Sharing -> Permissions
Admin - Read, Write
Management_Users - Read Only
(No other roles are configured)
Note: Ensure that any Techonology-Addons that will be used for populating the dashboard created within this app, the Management_Users role will need read access.

Create and Customise the Management Dashboard
Select the University Management App. Create a new dashboard labelled "Management Ops Centre" and add the different panels as desired.
Since these dashboard are only meant for read-only purposes, the other navigation menus (alerts, reports, search) can be removed as follows:
To remove Alerts:
Settings-> User Interface -> Views (App Context = All and Owner = Any)
Under "View name" select "alerts"
Select permissions and remove read access to the Management_Users role
Refresh the University Management App, the alerts navigation menu will disappear.

To remove Search:
Settings-> User Interface -> Views (App Context = All and Owner = Any)
Under "View name" select "flashtimeline"
Select permissions and remove read access to the Management_Users role
Refresh the University Management App, the Search navigation menu will disappear.

To remove Reports:
Settings-> User Interface -> Views (App Context = All and Owner = Any)
Under "View name" select "reports"
Select permissions and remove read access to the Management_Users role
Refresh the University Management App, the Reports navigation menu will disappear

To ensure the "Management Ops Centre" will show up as the first screen whenever users from the Management_Users role access splunk
Configure as follows:
Settings -> User Interface -> Navigation Menus (App Context = University Management App and Owner=Any), select the checkbox " Show only objects created in this app context"
Select the "Nav name" default
Change the XML file as follows:

<view name="flashtimeline" default='false' />
<view name="Management_Ops_Centre" default='true'/>  

For each for panels built within the dashboard e.g column panel, the user will still be able to "drilldown" by clicking any of the columns or clicking the options menu (Open in Search, Inspect, and Export) at the bottom of the panel.
remove these features configure as follows:
Settings -> User Interface -> Views (App Context = University Management App and Owner=Any), select the ceckbox " Show only objects created in this app context"
Select the "View name" Management_Ops_Centre
Update the XML file as follows
Change the drilldown line as below:

  <option name="charting.drilldown">none</option>

Add the line before the parameter for each of the panels:

<option name="link.visible">false</option>

View solution in original post

Skins
Path Finder

Thanks for this post - in a multi tenanted environment - how would this scale ? It you have several apps that each require a Management view only dashboard - you would have to create several management apps right ?

0 Karma

niketn
Legend

@lindbergh.caldeira, @sandeeprachuri, refer to this answer using JavaScript to disable access to Form Controls based on Access of the logged in User.

https://answers.splunk.com/answers/575377/can-i-restrict-permissions-for-the-text-box-drilld.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

sandeeprachuri
Path Finder

Thank you so much. This is wonderful piece of information. I will definitely use.

0 Karma

lindbergh_calde
Explorer

Create an copy of the Search and Reporting app
Note: Creating a copy of the search and reporting app will allow for making the required customisation's without the interfering with the original Search and Reporting app used by other roles (admins, power users, etc.) of the system.
For this article the new app will be labelled "University Management App"

Create a New Role
Create a new role e.g Management_Users via:
Settings -> Access Control -> Roles
Assign this role the default app: (University Management App). This app will contains the dashboards created specifically for the Management_Users role
Assign this new role (Management_Users) the same privileges as the "User" role
Under "Indexes search by default" and "Indexes" select the indexes that will be search for the management dashboard. Only assign the required indexes
Save the new role

Customise University Management App Permissions
Set the permissions for this app via Apps -> Manage Apps > University Management App ->Sharing -> Permissions
Admin - Read, Write
Management_Users - Read Only
(No other roles are configured)
Note: Ensure that any Techonology-Addons that will be used for populating the dashboard created within this app, the Management_Users role will need read access.

Create and Customise the Management Dashboard
Select the University Management App. Create a new dashboard labelled "Management Ops Centre" and add the different panels as desired.
Since these dashboard are only meant for read-only purposes, the other navigation menus (alerts, reports, search) can be removed as follows:
To remove Alerts:
Settings-> User Interface -> Views (App Context = All and Owner = Any)
Under "View name" select "alerts"
Select permissions and remove read access to the Management_Users role
Refresh the University Management App, the alerts navigation menu will disappear.

To remove Search:
Settings-> User Interface -> Views (App Context = All and Owner = Any)
Under "View name" select "flashtimeline"
Select permissions and remove read access to the Management_Users role
Refresh the University Management App, the Search navigation menu will disappear.

To remove Reports:
Settings-> User Interface -> Views (App Context = All and Owner = Any)
Under "View name" select "reports"
Select permissions and remove read access to the Management_Users role
Refresh the University Management App, the Reports navigation menu will disappear

To ensure the "Management Ops Centre" will show up as the first screen whenever users from the Management_Users role access splunk
Configure as follows:
Settings -> User Interface -> Navigation Menus (App Context = University Management App and Owner=Any), select the checkbox " Show only objects created in this app context"
Select the "Nav name" default
Change the XML file as follows:

<view name="flashtimeline" default='false' />
<view name="Management_Ops_Centre" default='true'/>  

For each for panels built within the dashboard e.g column panel, the user will still be able to "drilldown" by clicking any of the columns or clicking the options menu (Open in Search, Inspect, and Export) at the bottom of the panel.
remove these features configure as follows:
Settings -> User Interface -> Views (App Context = University Management App and Owner=Any), select the ceckbox " Show only objects created in this app context"
Select the "View name" Management_Ops_Centre
Update the XML file as follows
Change the drilldown line as below:

  <option name="charting.drilldown">none</option>

Add the line before the parameter for each of the panels:

<option name="link.visible">false</option>

sandeeprachuri
Path Finder

Perfect.. Thank you so much. looking for this kind of access for some time and it worked amazingly.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...