Splunk Search

Dashboard templates

ysouchon
Explorer

Hello,

I know Splunk quite well, at least the basic concepts. I have recently created a dashboard with a few panels based on summary index searches. This dashboard helps me to get charts about a bunch of servers.

Because I have different groups of servers around the world, I would like to generate the same kind of dashboards, but based on different servers.

It takes time to create all searches, and then the related dashboard. What is the best way to do the same for other groups of servers? Do I need to create everything manually? Or does Splunk have another way based on templates to do the same?

I wish I could create a dashboard template and call it with several parameters (like the name of the other group of servers, for example) to generate my dashboard.

Thanks in advance for helping me to find the right way.

Yann

0 Karma
1 Solution

mw
Splunk Employee

You can use what's called "Simplified XML" in order to create a pulldown for each group of servers, where the selection of a value populates dashboard searches. The best reference for this stuff is in the "UI Examples" app, available on splunkbase. Here's some XML from one of those views (you should just be able to paste this into a new view in Manager):

<form>
  <label>Panel-defined search driven by select drop down</label>

  <fieldset>
       <!-- Define a simple dropdown form driven by a search -->
       <input type="dropdown" token="sourcetype">
           <label>Sourcetype</label>
           <suffix>*</suffix>
           <populatingSearch fieldForValue="series" fieldForLabel="series" earliest="-60m">index=_internal source=*metrics.log group="per_sourcetype_thruput" | chart count over series</populatingSearch>
       </input>
      <input type="time" />
  </fieldset>


  <row>
      <html>
        <h1>Multi-panel linked form search</h1>
        <p>This form search will dispatch 4 separate searches, each listening
          to the common 'sourcetype' text box input.  This is useful for rendering
          pages that collate disparate searches that share a common search keyword/token.
        </p>
        <p>
          This form search is nearly identical to <a href="form4">Form search 4 - inverted flow, panel-defined post-process</a>.
        </p>
        <p>NOTE: because this page dispatches multiple searches, the JobStatus bar
          does not appear.
        </p> 
      </html>
  </row>

  <row>
      <chart>
          <title>KB Indexed over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart sum(kb)</searchTemplate>
          <option name="charting.chart">area</option>
      </chart>
      <table>
          <title>average kbps over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(kbps)</searchTemplate>
      </table>
  </row>

  <row>
      <table>
          <title>Max events per second over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart max(eps)</searchTemplate>
          <option name="count">20</option>
      </table>
      <chart>
          <title>Average events per second over time</title>
          <searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series="$sourcetype$" | timechart avg(eps)</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.legend.placement">none</option>
      </chart>
  </row>

</form>
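As an added example (not from the answer above or from the UI Examples app), here is the same pattern adapted to the question: one form whose dropdown token is the server group, populated from the summary index, and whose panels substitute that token into their summary-index searches, so one view serves every group. The index name `summary`, the source `summary_server_metrics` and the fields `server_group`, `host`, `cpu_pct`, `mem_pct` and `error_count` are assumptions; rename them to match your own summary searches.

```xml
<form>
  <label>Server group health (one view for every group)</label>

  <fieldset autoRun="true">
    <!-- The dropdown offers only the group names that the populating search
         returns from the summary index, so $server_group$ can take no other
         value than one that actually exists in the data. -->
    <input type="dropdown" token="server_group">
      <label>Server group</label>
      <populatingSearch fieldForValue="server_group" fieldForLabel="server_group" earliest="-24h">index=summary source="summary_server_metrics" | stats count by server_group</populatingSearch>
    </input>
    <!-- Shared time picker: every panel below runs over the same range. -->
    <input type="time" />
  </fieldset>

  <row>
    <chart>
      <title>Average CPU utilisation per host (selected group)</title>
      <!-- Assumed field names; the token is substituted into each searchTemplate. -->
      <searchTemplate>index=summary source="summary_server_metrics" server_group="$server_group$" | timechart avg(cpu_pct) by host</searchTemplate>
      <option name="charting.chart">line</option>
    </chart>
    <chart>
      <title>Average memory utilisation per host (selected group)</title>
      <searchTemplate>index=summary source="summary_server_metrics" server_group="$server_group$" | timechart avg(mem_pct) by host</searchTemplate>
      <option name="charting.chart">area</option>
    </chart>
  </row>

  <row>
    <table>
      <title>Hosts in the selected group with the most errors</title>
      <searchTemplate>index=summary source="summary_server_metrics" server_group="$server_group$" | stats sum(error_count) AS errors by host | sort - errors</searchTemplate>
      <option name="count">20</option>
    </table>
  </row>
</form>
```

Adding a new group of servers then only requires the summary search to tag its events with the new `server_group` value; the dropdown picks it up on the next populating search without any change to the view.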
