Dashboards - Panels within panels

Armyeric
Path Finder

I am trying to build a master dashboard that will display multiple single alarms. I would like to use a panel to group 2 or 3 similar panels. There are a few comments indicating panel limit or performance issue if you have too many panels, but these are single views (probably about 15 in total). This is mainly for a SOC display so we can see general issues at a glance.

Example:
Panel 1 AD [(AD elevated group modification)(AD expired accounts)(AD account lockout count)]
Panel 2 AirMagnet [(Rogue Accounts detected)(Sensor Count)(Sensor failures)]
Panel 3 AV [(Threats not Remediated)(Threats detected)]
etc., etc., etc...

I have tried using tables in tables, tables in rows...

Thoughts...suggestions...?

0 Karma
1 Solution

rturk
Builder

Hi Armyeric,

I would recommend having a look at the Splunk Dashboard Examples app to see how this is done (as well as many other things). The only thing is you'll have to start dealing with Advanced XML.

For example, in the Splunk for Palo Alto Networks app, on the "PAN Overview" page you have multiple elements embedded in a single panel:

(Never mind that there's no data in there - you get the idea)

Also, if you poke and prod around other apps and see something you like, you can always put:

?showsource=1

...on the end of the URL to see how they implemented it and re-use it for your own needs.

Hope this helps 🙂


kmattern
Builder

If you want to use Sideview Utils you can do something like this and output your data in HTML. It's much neater and easier to format the output exactly as you wish. Again, Advanced XML, but it's worth it.

  <!-- Sideview Search module: each appended subsearch contributes one result row -->
  <module name="Search" layoutPanel="panel_row1_col1_grp1" group="Page Views by Type for Yesterday" autoRun="True">
    <param name="search">
      sourcetype="solaris" earliest=-1d@d latest=-d /composites/events WebPage!="index.htm*" | stats count(WebPage) as "Events"
      | append [search sourcetype="solaris" earliest=-1d@d latest=-d /composites/safety WebPage!="index.htm*" | stats count(WebPage)  as "Safety"]
      | append [search sourcetype="solaris" earliest=-1d@d latest=-d /composites/maint WebPage!="index.htm*" | stats count(WebPage)  as "Maintenance"]
      | append [search sourcetype="solaris" earliest=-1d@d latest=-d /composites/design WebPage!="index.htm*" | stats count(WebPage)  as "Design"]
    </param>
    <!-- Sideview HTML module: $results[N].field$ is replaced with that field from result row N -->
    <module name="HTML" layoutPanel="panel_row1_col1_grp1">
      <param name="maxRows">11</param>
      <param name="html">
        <![CDATA[
        <style type="text/css">
          .dashboardCell .HTML {
            padding:0px;
            margin:0px;
          }
        </style>
        <h3>Events = $results[0].Events$</h3>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <h3>Safety and Training = $results[1].Safety$</h3>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <h3>Maintenance and Repair = $results[2].Maintenance$</h3>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <h3>Design, Engineering and Fabrication = $results[3].Design$</h3>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        ]]>
      </param>
    </module>
  </module>
0 Karma

Armyeric
Path Finder

Thanks kmattern. I am looking in to both items mentioned.

0 Karma

Armyeric
Path Finder

Thanks for the info. I am unfortunately stuck on 4.3.1, but your response put me in the right direction. UI_Examples is for 4.3+ users

0 Karma
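
The grouping asked about in the original question, sketched with the stock Advanced XML modules (HiddenSearch and SingleValue) instead of Sideview Utils. This is an added example, not code from any poster in the thread: the sourcetype, time range, rangemap thresholds and refresh interval are assumptions to adapt, and only two of the three AD indicators are shown. The `_grp1` / `_grp2` suffixes on `layoutPanel` place both single values inside the same panel.

```xml
<!-- Added example: sourcetype, thresholds and labels below are assumptions. -->
<view template="dashboard.html" refresh="300">
  <label>SOC Overview (example)</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>

  <!-- Panel 1, group 1: members added to security-enabled groups
       (Windows Security events 4728 global, 4732 local, 4756 universal) -->
  <module name="HiddenSearch" layoutPanel="panel_row1_col1_grp1" group="AD" autoRun="True">
    <param name="search">sourcetype="WinEventLog:Security" (EventCode=4728 OR EventCode=4732 OR EventCode=4756) | stats count | rangemap field=count low=0-0 elevated=1-4 default=severe</param>
    <param name="earliest">-24h</param>
    <module name="SingleValue">
      <param name="field">count</param>
      <!-- classField colours the value using the range computed by rangemap -->
      <param name="classField">range</param>
      <param name="afterLabel">elevated group modifications</param>
    </module>
  </module>

  <!-- Panel 1, group 2: account lockouts (Windows Security event 4740) -->
  <module name="HiddenSearch" layoutPanel="panel_row1_col1_grp2" autoRun="True">
    <param name="search">sourcetype="WinEventLog:Security" EventCode=4740 | stats count | rangemap field=count low=0-4 elevated=5-19 default=severe</param>
    <param name="earliest">-24h</param>
    <module name="SingleValue">
      <param name="field">count</param>
      <param name="classField">range</param>
      <param name="afterLabel">account lockouts</param>
    </module>
  </module>
</view>
```

Further panels (AirMagnet, AV) follow the same pattern with `panel_row1_col2_grp1`, `panel_row1_col3_grp1` and so on.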