Add panel to search home page dashboard

pdash · ‎01-25-2013

I want to add another panel to the splunk search page. Like a chart to show all indexes and their usage. How to add to this dashboard? It doesnot show up in existing dashboards.

DonD3 · ‎02-02-2014

Below is the XML for a different approach to solving this problem. The nice thing about doing it this way is that it is formatted in a similar fashion to the Sources, Source types and Hosts tables that already appear on the page. Enjoy! (This was done with Splunk 5.0.4.)

    <!-- The list of indexes-->
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">| rest /services/data/indexes | fields title totalEventCount updated | rename title AS index, totalEventCount AS Count, updated AS "Last Update" | fieldformat "Last Update"=strftime(strptime('Last Update', "%Y-%m-%dT%T+%3N:%6N"), "%a %b %d %T %Y UTC") | fieldformat Count=tostring(Count, "commas") | eval index=mvfilter(match(index, "^[a-z]")) | where(index!="history") | where(index!="main") | where(index!="sos") | where(index!="sos_summary_daily") | where(index!="splunklogger") | where(index!="summary") | dedup index </param>
   <module name="SimpleResultsHeader">
      <param name="entityName">results</param>
      <param name="headerFormat">Indexes (%(count)s)</param>
      <module name="Paginator">
        <param name="entityName">results</param>
        <param name="maxPages">10</param>
        <module name="SimpleResultsTable">
          <param name="entityName">results</param>
          <param name="drilldown">row</param>
          <module name="HiddenSearch">
            <param name="search">*</param>
            <module name="ConvertToIntention">
              <param name="intention">
                <param name="name">addterm</param>
                <param name="arg">
                  <param name="index">$click.value$</param>
                </param>
              </param>
              <module name="ViewRedirector">
                <param name="viewTarget">flashtimeline</param>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>

chris · ‎01-25-2013

Hi I just had a go at creating the kind of dashboard you wanted to create. The interesting part is at the end. The search i used to get information about the indexes ist:

| rest /services/data/indexes count=0  | chart sum(currentDBSizeMB) by title

You might have to use the splunk_server option if you have a distributed environment and only want to list indexes on specific splunk servers:

| rest /services/data/indexes count=0  splunk_server=myserver | chart sum(currentDBSizeMB) by title



<view stylesheet="dashboard2.css" template="dashboard.html">
  <label>Summary</label>

  <module name="AccountBar" layoutPanel="appHeader" />

  <module name="AppBar" layoutPanel="navigationHeader" />

  <module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
  </module>

  <module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
  </module>

  <module name="SearchBar" layoutPanel="splSearchControls-inline">
<param name="useAssistant">true</param>
<param name="useTypeahead">true</param>
<param name="useOwnSubmitButton">False</param>

<module name="TimeRangePicker">
  <param name="selected">All time</param>
  <param name="searchWhenChanged">False</param>

  <module name="SubmitButton">
    <param name="allowSoftSubmit">True</param>

    <module name="ViewRedirector" layoutPanel="viewHeader">
      <param name="viewTarget">flashtimeline</param>
    </module>
  </module>
</module>
  </module>
  <!--
indexed data panels
-->
  <!-- The first list of sources -->

  <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="true">
<param name="search">| metadata type=sources | search totalCount&gt;0 | rename totalCount as Count recentTime as "Last Update" | table source Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>

<module name="SimpleResultsHeader">
  <param name="entityName">results</param>
  <param name="headerFormat">Sources (%(count)s)</param>
  <!-- SPL-42701.  Add back in later.






<module name="PostProcessFilter">
<param name="prefixSearch">eval _raw=source</param>
-->

  <module name="Paginator">
    <param name="entityName">results</param>
    <param name="maxPages">10</param>

    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
      <param name="drilldown">row</param>

      <module name="HiddenSearch">
    <param name="search">*</param>

    <module name="ConvertToIntention">
      <param name="intention">
        <param name="name">addterm</param>
        <param name="arg">
          <param name="source">$click.value$</param>
        </param>
      </param>

      <module name="ViewRedirector">
        <param name="viewTarget">flashtimeline</param>
        <param name="uriParam.auto_pause">true</param>
      </module>
    </module>
      </module>
    </module>
    <!--
SPL-42701.  Add back in later.
</module>
-->
  </module>
</module>
  </module>

  <module name="StaticContentSample" layoutPanel="panel_row1_col1" group="All indexed data">
<param name="text">This lists all of the data you have loaded into your default indexes. &lt;a href="/manager/search/adddata"&gt; Add more data&lt;/a&gt;.</param>
<param name="groupLabel">All indexed data</param>
  </module>
  <!-- The list of sourcetypes AND the top panel -->

  <module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="true">
<param name="search">| metadata type=sourcetypes | search totalCount&gt;0 | rename totalCount as Count recentTime as "Last Update"</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>

<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
  <param name="search">| stats sum(Count)</param>

  <module name="SingleValue">
    <param name="beforeLabel">Events indexed</param>
    <param name="format">number</param>
  </module>
</module>

<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
  <param name="search">| stats min(firstTime) as min | eval min=strftime(min,"%c")</param>

  <module name="SingleValue">
    <param name="beforeLabel">Earliest event</param>
    <param name="format">string</param>
  </module>
</module>

<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
  <param name="search">| stats max(lastTime) as max | eval max=strftime(max,"%c")</param>

  <module name="SingleValue">
    <param name="beforeLabel">Latest event</param>
    <param name="format">string</param>
  </module>
</module>

<module name="HiddenPostProcess" layoutPanel="panel_row3_col1">
  <param name="search">table sourcetype Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>

  <module name="SimpleResultsHeader">
    <param name="entityName">results</param>
    <param name="headerFormat">Source types (%(count)s)</param>

    <module name="Paginator">
      <param name="entityName">results</param>
      <param name="maxPages">10</param>

      <module name="SimpleResultsTable">
    <param name="entityName">results</param>
    <param name="drilldown">row</param>

    <module name="HiddenSearch">
      <param name="search">*</param>

      <module name="ConvertToIntention">
        <param name="intention">
          <param name="name">addterm</param>
          <param name="arg">
        <param name="sourcetype">$click.value$</param>
          </param>
        </param>

        <module name="ViewRedirector">
          <param name="viewTarget">flashtimeline</param>
          <param name="uriParam.auto_pause">true</param>
        </module>
      </module>
    </module>
      </module>
    </module>
  </module>
</module>
  </module>
  <!-- The list of hosts -->

  <module name="HiddenSearch" layoutPanel="panel_row3_col2" autoRun="true">
<param name="search">| metadata type=hosts | search totalCount&gt;0 | rename totalCount as Count recentTime as "Last Update" | table host Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>

<module name="SimpleResultsHeader">
  <param name="entityName">results</param>
  <param name="headerFormat">Hosts (%(count)s)</param>

  <module name="Paginator">
    <param name="entityName">results</param>
    <param name="maxPages">10</param>

    <module name="SimpleResultsTable">
      <param name="entityName">results</param>
      <param name="drilldown">row</param>

      <module name="HiddenSearch">
    <param name="search">*</param>

    <module name="ConvertToIntention">
      <param name="intention">
        <param name="name">addterm</param>
        <param name="arg">
          <param name="host">$click.value$</param>
        </param>
      </param>

      <module name="ViewRedirector">
        <param name="viewTarget">flashtimeline</param>
        <param name="uriParam.auto_pause">true</param>
      </module>
    </module>
      </module>
    </module>
  </module>
</module>
  </module>

  <module name="HiddenSearch" layoutPanel="panel_row1_col2" autoRun="true">
<param name="latest">now</param>
<param name="earliest">-15m</param>
<param name="search"><![CDATA[
| rest /services/data/indexes count=0  | chart sum(currentDBSizeMB) by title
]]></param>

<module name="HiddenChartFormatter">
  <param name="chart">pie</param>
  <param name="chartTitle">Index Sizes</param>

  <module name="JSChart" />
</module>

<module name="SimpleResultsHeader">
  <param name="entityName">results</param>
  <param name="headerFormat">Indexes (%(count)s)</param>

  <module name="Paginator">
    <param name="entityName">results</param>

    <module name="SimpleResultsTable" />
  </module>
</module>
  </module>
</view>

chris · ‎01-25-2013

I'm assuming you're talking about this view at
http://yourserver/en-US/manager/search/data/ui/views:

The view/dashboard is in:
$SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml

You can go to the manager in the search app click "User Interface" and then "Views" there you see the dashboard_live you can clone it or edit it directly

Add panel to search home page dashboard

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes