Splunk Enterprise Security

Is there a means to create a dashboard that is in either the ES app or ties into panels extracted from it?

brian1_tate
Path Finder

My organization (After much thought of spamming people with constant alerts of various failures and I mean up to 500GB daily indexed volume) we have decided on a dashboard of relevant panels. Our team has been used to looking at ArcSight daily so they are expecting a similar view (one that refreshes individual panels - since logon events occur so fast that even a 10 minute interval is sometimes not fast enough). Is there a means to perhaps tie this into the ES Security App as a standalone dashboard (maybe linking it somewhere) since many if not all the panels are usually found in the ES app anyway?

Has anyone done this or does anyone have any ideas? I'm not super pleased with Splunk support as I opened a Sev2 case with them yesterday morning and have yet to get a call from them...

Thnx

0 Karma

jstoner_splunk
Splunk Employee

Brian, you can create your own dashboards and link them into the ES app if that is where you want the app to live.

You will want to make sure if you create your dashboard in search or elsewhere that it has rights to be seen in ES. Once it has rights, you can navigate to Configure -> General -> Navigation and select the dashboard in the Unused Reports list on the left side of the screen and drop it into the Navigation of ES. It can be a top level dashboard, like Security Posture, or it could be nested farther down.

If you want to leverage a subset of already built dashboard panels that are already in ES and make a dashboard out of a few favorites, you can do that as well. The best way to do that in ES would be to go into the ES app, navigate to the Search drop down on the ES menu and select Dashboards. Select create new dashboard in the upper right corner and name it. It will open a dashboard that is blank, similar to what you would see in ArcSight. From there, click Add Panel and a list will appear on the right side of the screen. Expand the New from Report to leverage pre-built content from ES for panels, or Clone from Dashboard to pick specific panels from existing dashboards. Each panel would be analogous to a data monitor. If you want to create one from scratch, select New and start from there. For prebuilt content, when you select it, you will get a preview that describes the search and a button to Add to Dashboard.

Once you have the pieces you want to leverage, you can take these elements and modify them based on your specific requirements. You could change the searches to make tabular data into pie charts by adding counts, you could schedule them to run, you could add inputs on the dashboard to filter the underlying panels and clone the searches to customize them as you see fit.

Once you are ready to make this dashboard ready for viewing, you can add it to the ES menu, just like the first example, Configure -> General -> Navigation and drop it in where you want it seen.

Hope this helps.

0 Karma
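What the dashboard built by the steps above looks like in Simple XML, with the per-panel refresh the question asks for. This is an added example, not code from the thread or shipped with ES; `REPLACE_WITH_ES_REPORT_NAME` is a placeholder for whichever ES report you pick under New from Report, and the `index=notable` search with its `urgency` and `rule_name` fields is assumed to exist in your ES install.

```xml
<!-- Added example (not from the thread): a form dashboard assembled from ES content.
     Placeholder/assumed names: REPLACE_WITH_ES_REPORT_NAME, index=notable fields. -->
<form>
  <label>SOC Overview (example)</label>
  <fieldset submitButton="false">
    <!-- Dashboard-level inputs; they only feed inline searches below via tokens -->
    <input type="time" token="tok_time" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tok_urg" searchWhenChanged="true">
      <label>Urgency</label>
      <choice value="*">All</choice>
      <choice value="critical">critical</choice>
      <choice value="high">high</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>ES report panel (refreshes every 30s)</title>
      <chart>
        <!-- Panel added via "New from Report": ref points at the saved ES report.
             A referenced report keeps its own search and time range, so the
             inputs above do not filter it; clone the search (as the answer
             suggests) if you need the tokens applied. -->
        <search ref="REPLACE_WITH_ES_REPORT_NAME">
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <panel>
      <title>Notable events by rule (refreshes every 60s)</title>
      <table>
        <!-- Inline search: tokens from the inputs are substituted here.
             $tok_time$ provides .earliest and .latest sub-tokens. -->
        <search>
          <query>index=notable urgency=$tok_urg$ | stats count by rule_name, urgency | sort -count</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
          <refresh>60s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
```

Each panel's `<refresh>` runs independently of the others, so a fast-moving logon panel can be set to 30s while heavier searches refresh less often; the dashboard is then added to the ES menu through Configure -> General -> Navigation as described in the answer.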