Dashboards & Visualizations

What is a good way to represent weekly AND monthly statistics gracefully?

Shadoninja
New Member

I currently know of two ways to give people weekly and monthly data in a decent format.

Method 1:

Write two of every search with the range of one being a week and another being a month. Make two dashboards: one of all the week visualizations, one of all the month visualizations.

Method 2:

Use XML to generate drop-down menus at the top of the page and then have the searches on that page be written in-line with variables that are decided by what the user selects on the drop-down menu.

Both of those methods are half of what I want. Does anyone have something better than these two solutions? Method one takes up double the space all because of a time range. Method two makes the searches separate from everything except the exact dashboard they are on.

EDIT: Using Splunk 5.0.5 at a company. System isn't going to be updated until September.

0 Karma

Shadoninja
New Member

Thank you. The "technical" aspect I was referring to is the maintenance of my dashboards as well as the creation of more from future developers. I am not worried about the support team that will be navigating the dashboards from the user level.

BUT your confidence in method 2 has encouraged me to target that as the way to create these. Thank you guys.

0 Karma

strive
Influencer

We use method 2 for most of our dashboards. Even the end users who are using the application can use the dashboards without any user guides. Time filters like these are self-explanatory. I think the KT sessions on how to use Method 2 should be sufficient for others to get going.

There is another way, which is to implement drilldown. First you load the monthly chart. Then, by clicking on the chart, you load another chart below the first chart to show that week's data. In my opinion this is a little more complicated than your Method 2.

The visualization depends on the use case as well 🙂

0 Karma

Shadoninja
New Member

I am going to be passing all my work on in about 4 weeks and method 2, while being effective, seems very technical when compared to the use of saved searches. I can do it, but I feel maintenance down the road for other people would be rather difficult (that may be a false assumption). I will be doing method 2 if there is not a solution that I like more.

EDIT: I am also responsible for setting the foundation of standards in this system and I am worried that method 2 is a bit awkward when saved searches have so much support built in.

0 Karma

somesoni2
Revered Legend

I agree with the cons of Method 1, which requires everything to be doubled because of the two time ranges. Could you explain more about the cons of Method 2? I am not sure if I got it all. (Method 2 is the one I use for most of my dashboards.)

0 Karma

tom_frotscher
Builder

Maybe you can use the new "Zoom to another chart" feature to show a complete month of data and enable the user to drill down to a time window they want to see (which can be a week). This feature has been available since 6.1, if I remember correctly.

link to the docu

Shadoninja
New Member

I am on 5.0.5, unfortunately, with no chance of changing that while I am on this project.

0 Karma