Till date, we have separate dashboards for separate application teams. Now the ask is to create a common dashboard for all applications. Is it really possible?
We have restricted users via index to refrain from other applications.
We don't have any app_name specified in the logs either... Logs are only segregated index-wise, and the sourcetype is also the same. The log format for all applications is similar.
How can I achieve this? Should I extract app_name from the host we have and keep it in drop-down and involve index as well in drop-down?
Is it really possible? Please help me with your action plan for this.
Index access is controlled by role, so if your separate groups of users are assigned different roles, with each role only able to access the indexes associated with their app, then they can use a common search which lists all the indexes and they will each only be able to see the data from the indexes they have access to.
Hi @ITWhisperer ,
Thanks for sharing.
I am okay with users. But we have a few roles like engineer who should have access to all indexes. What can I do in this case? Can I give index names in a drop-down and pass that token in the base search like index=$index_name$? Will it work?
BTW, is it good practice to have a common dashboard with multiple indexes (maybe 200+)? It is okay for users who load Splunk because they are restricted to specific indexes.
But what about the Engineer role and admin? Every time we run the dashboard, all indexes will be run by default (*); will there be performance issues in Splunk? How to overcome this?
Hi @splunklearner ,
maybe you should redesign your indexes because hundreds of indexes are really too many!
About the dashboard, you could configure your input to not automatically run the searches (no default value) so all the users (also admins) must choose the indexes to use in the search.
Or for admins, create a different search with an additional panel (with a fast search) to select only one or a few indexes to display.
Last choice (the most structured): put your data in a custom Data Model and use it in the dashboard searches.
Ciao.
Giuseppe
Yes you can use tokens from a dropdown as you suggested to limit the indexes searched.
first dashboard - Base Search
(index=A OR index=B) | search attack_type="$att_type$" severity="$severity$" vs_name="$vs_name$" violations="$violations$" sub_violations="$sub_viol$" uri="$uri$"
2nd dashboard - Base Search
(index=C OR index=D) | search attack_type="$att_type$" severity="$severity$" vs_name="$vs_name$" violations="$violations$" sub_violations="$sub_viol$" uri="$uri$"
The log format is similar, but I need to merge these dashboards into one; all app owners will have access to this common dashboard, and they should have access to their respective app indexes only.
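The following Simple XML form is an added example (not posted by anyone in this thread) that combines the suggestions above: the index drop-down is populated only with indexes the current role can read, it has no default value so nothing runs until a user (engineer or admin included) picks one or more indexes, and the selection is expanded into an "(index=A OR index=B)" clause that feeds a single base search. Field names and the attack_type/severity inputs are taken from the base searches above; the dashboard label, token names and the stats panel are assumptions.

```xml
<form version="1.1">
  <label>Common application dashboard (example)</label>
  <!-- autoRun="false" plus no <default> on the index input: nothing is searched on load -->
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
    <!-- eventcount only returns indexes the user's roles are allowed to search,
         so each app owner sees just their own indexes here -->
    <input type="multiselect" token="index_name" searchWhenChanged="false">
      <label>Application index(es)</label>
      <search>
        <query>| eventcount summarize=false index=* | dedup index | table index</query>
      </search>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <!-- selections A and B become: (index="A" OR index="B") -->
      <prefix>(</prefix>
      <valuePrefix>index="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <suffix>)</suffix>
    </input>
    <input type="text" token="att_type"><label>Attack type</label><default>*</default></input>
    <input type="text" token="severity"><label>Severity</label><default>*</default></input>
  </fieldset>
  <!-- One base search for every app; panels post-process it instead of re-running it -->
  <search id="base">
    <query>$index_name$ attack_type="$att_type$" severity="$severity$"
      | fields index attack_type severity vs_name violations sub_violations uri</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <row>
    <panel>
      <title>Violations by index</title>
      <chart>
        <search base="base">
          <query>| stats count by index violations</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Because the index list is built at load time from what the role can actually search, the same dashboard can be shared with every app owner without listing all 200+ indexes in a static drop-down.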