Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Dashboard templates

ysouchon
Explorer
‎11-25-2010 01:49 PM

Hello,

I know quite good Splunk, at least the basic concepts. I have recently created a dashboard with few panels based on summary index searches. This dashboard helps me to get charts about a bunch of servers.

Because I have different group of servers around the world, I would like to generate the same kind of dashboards, but based on different servers.

It takes time to create all searches, and then the related dashboard. What is the best way to do the same for other group of servers ? Do I need to create everything manually ? Or does Splunk have another way based on templates to do the same ?

I wish I can create a dashboard template and call it with several parameters (like the name of the other group of servers for example) to generate my dashboard.

Thanks in advance for helping me to find the right way.

Yann

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mw
Splunk Employee
Splunk Employee
‎11-27-2010 04:45 AM

You can use what's called "Simplified XML" in order to create a pulldown for each group of servers, where the selection of a value populates dashboard searches. The best reference for this stuff is in the "UI Examples" app, available on splunkbase. Here's some XML from one of those views (you should just be able to paste this into a new view in Manager):

<form>
  <label>Panel-defined search driven by select drop down</label>

  <fieldset>
       <!-- Define a simple dropdown form driven by a search -->
       <input type="dropdown" token="sourcetype">
           <label>Sourcetype</label>
           <suffix>*</suffix>
           <populatingSearch fieldForValue="series" fieldForLabel="series" earliest="-60m">index=_internal source=*metrics.log group="per_sourcetype_thruput" | chart count over series</populatingSearch>
       </input>
      <input type="time" />
  </fieldset>


  <row>
      <html>
        <h1>Multi-panel linked form search</h1>
        <p>This form search will dispatch 4 seperate searches, each listening
          to the common 'sourcetype' text box input.  This is useful for rendering
          pages that collate disparate searches that share a common search keyword/token.
        </p>
        <p>
          This form search is nearly identical to <a href="form4">Form search 4 - inverted flow, panel-defined post-process</a>.
        </p>
        <p>NOTE: because this page dispatches multiple searches, the JobStatus bar
          does not appear.
        </p> 
      </html>
  </row>

  <row>
      <chart>
          <title>KB Indexed over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart sum(kb)</searchTemplate>
          <option name="charting.chart">area</option>
      </chart>
      <table>
          <title>average kbps over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(kbps)</searchTemplate>
      </table>
  </row>

  <row>
      <table>
          <title>Max events per second over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart max(eps)</searchTemplate>
          <option name="count">20</option>
      </table>
      <chart>
          <title>Average events per second over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(eps)</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.legend.placement">none</option>
      </chart>
  </row>

</form>

View solution in original post

Reply
Solved! Jump to solution
Solution

mw
Splunk Employee
Splunk Employee
‎11-27-2010 04:45 AM

You can use what's called "Simplified XML" in order to create a pulldown for each group of servers, where the selection of a value populates dashboard searches. The best reference for this stuff is in the "UI Examples" app, available on splunkbase. Here's some XML from one of those views (you should just be able to paste this into a new view in Manager):

<form>
  <label>Panel-defined search driven by select drop down</label>

  <fieldset>
       <!-- Define a simple dropdown form driven by a search -->
       <input type="dropdown" token="sourcetype">
           <label>Sourcetype</label>
           <suffix>*</suffix>
           <populatingSearch fieldForValue="series" fieldForLabel="series" earliest="-60m">index=_internal source=*metrics.log group="per_sourcetype_thruput" | chart count over series</populatingSearch>
       </input>
      <input type="time" />
  </fieldset>


  <row>
      <html>
        <h1>Multi-panel linked form search</h1>
        <p>This form search will dispatch 4 seperate searches, each listening
          to the common 'sourcetype' text box input.  This is useful for rendering
          pages that collate disparate searches that share a common search keyword/token.
        </p>
        <p>
          This form search is nearly identical to <a href="form4">Form search 4 - inverted flow, panel-defined post-process</a>.
        </p>
        <p>NOTE: because this page dispatches multiple searches, the JobStatus bar
          does not appear.
        </p> 
      </html>
  </row>

  <row>
      <chart>
          <title>KB Indexed over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart sum(kb)</searchTemplate>
          <option name="charting.chart">area</option>
      </chart>
      <table>
          <title>average kbps over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(kbps)</searchTemplate>
      </table>
  </row>

  <row>
      <table>
          <title>Max events per second over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart max(eps)</searchTemplate>
          <option name="count">20</option>
      </table>
      <chart>
          <title>Average events per second over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(eps)</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.legend.placement">none</option>
      </chart>
  </row>

</form>
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...