Sample Dashboard ideas

splunklearner
Communicator

Hello all,

I have been asked to create a sample dashboard with the data present. Hence I have created the following panels, with dropdowns available:

  1. Total Traffic vs Attack Traffic - | stats count as "Total Traffic" count(eval(isnotnull(attack_type))) as "Attack Traffic"
  2. Top 10 Hostnames / FQDN Targeted - | stats count by fqdn
  3. No of Error logs - | search severity=Error | stats count
  4. No of Critical logs - | search severity=Critical | stats count
  5. Attack Classification by % (Num of Attacks) - | top limit=10 attack_type
  6. Top 10 IP Addresses - | top ip_client limit=10
  7. Daily Attack Trend - | timechart count(attack_type) as count span=1d
  8. Weekly Attack Trend - | timechart count(attack_type) as count span=1w
  9. Status Codes Trend - | stats count by response_code
  10. HTTP Method Used - | stats count by method
  11. Log Details - | table _time, ip_client, method, policy_name, response_code, support_id, severity, violations, sub_violations, violation_rating, uri

All searches follow a base search.

Please let me know if any panel needs to be modified or made more detailed than these basic ones. Also please suggest if any new panel can be added. Please suggest any drilldowns as well.

bowesmana
SplunkTrust

To go slightly tangential to your post, you refer to base searches. Note that a base search that does NOT do aggregation is a bad use of a base search, so if you are just doing

index=xxx
| fields *

in your base search and not doing a transforming command, that is not a good example to be showing in an example dashboard. It will often perform worse than one using a transforming command, but also has significant limitations in that it can only hold a limited set of results.

See this

https://docs.splunk.com/Documentation/Splunk/9.4.0/Viz/Savedsearches#Post-process_searches_2

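As an added example (not code from this thread or from Splunk's docs), here is what the base-search point above looks like in Simple XML, applied to three of the panels in the original post: the base search ends in stats, and each panel is a post-process search over that small aggregated result set rather than over raw events. The index, sourcetype, field names and 30-day window are assumptions; keep the BY fields few and low-cardinality, since post-process results are still capped.

```xml
<dashboard version="1.1">
  <label>Sample WAF dashboard (added example, assumed field names)</label>
  <!-- Base search ends in a transforming command (stats). attack_type is null
       for clean traffic, and "BY attack_type" would drop those events, so
       fillnull keeps them as "none" and Total Traffic stays correct. -->
  <search id="base">
    <query>index=waf sourcetype=waf:log
| fillnull value="none" attack_type
| bin _time span=1d
| stats count AS events BY _time severity attack_type fqdn</query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Total Traffic vs Attack Traffic</title>
      <single>
        <search base="base">
          <query>| stats sum(events) AS "Total Traffic"
        sum(eval(if(attack_type!="none", events, 0))) AS "Attack Traffic"</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Top 10 Hostnames / FQDN Targeted</title>
      <table>
        <search base="base">
          <query>| stats sum(events) AS count BY fqdn | sort 10 -count</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Daily Attack Trend</title>
      <chart>
        <search base="base">
          <query>| where attack_type!="none" | timechart span=1d sum(events) AS count</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Panels that need raw fields, such as the Log Details table, cannot be post-processed from an aggregated base and should run their own search.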

PickleRick
SplunkTrust

The main question is what the dashboard is supposed to be for.

Are you solving some problem from within your organization? In such a case - as @richgalloway pointed out - you should have requirements for this dashboard.

Are you preparing a PoC/PoV as a partner? Consult partner portal resources for existing demo resources.

Are you looking to expand existing Splunk infrastructure within your company to different divisions and use cases? Consult potential stakeholders and check what would be their expectations on the product and try to make something targeting their needs.

The general answer is "depends on what you have and what you need".

richgalloway
SplunkTrust

> Please let me know if any panel needs to be modified or more detailed than this basic ones. Also please suggest if any new panel can be added. Please suggest any drilldowns as well.

These are questions only your stakeholders can answer. If the proposed panels answer the questions they have or solve their problems then modifications may not be necessary.

---
If this reply helps you, Karma would be appreciated.

splunklearner
Communicator

Actually, it is a new project and I am creating sample dashboards for application teams. I just want to check what use cases I can get related to my fields given above...

ITWhisperer
SplunkTrust

It is the same answer as @richgalloway already gave - check with your stakeholders as to what they want. There is little point building a dashboard that nobody is going to use! Start small with just one or two panels and see if they find it useful and ask them how it might be changed and what else they might want to see.