I want to add another panel to the Splunk search page, such as a chart that shows all indexes and their usage. How do I add it to this dashboard? It does not show up in the existing dashboards.
Below is the XML for a different approach to solving this problem. The nice thing about doing it this way is that it is formatted in a similar fashion to the Sources, Source types and Hosts tables that already appear on the page. Enjoy! (This was done with Splunk 5.0.4.)
<!-- Index list panel: a table of index name, event count and last update time,
     built from the REST endpoint /services/data/indexes. autoRun="True" starts
     the search when the view loads; the panel is placed in panel_row2_col1. -->
<!-- Scope of the list: the search keeps only index names that begin with a
     lowercase letter (match "^[a-z]") and then drops history, main, sos,
     sos_summary_daily, splunklogger and summary by name. Indexes whose names
     begin with an underscore, a digit or an uppercase letter are therefore not
     shown, so this table is a filtered view and not a full inventory. -->
<!-- NOTE(review): rest is called without splunk_server, so which servers answer
     depends on the deployment; the rows a viewer sees presumably also depend on
     what that user's role may read from this endpoint. Confirm both before
     relying on the table for audit purposes. -->
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
<param name="search">| rest /services/data/indexes | fields title totalEventCount updated | rename title AS index, totalEventCount AS Count, updated AS "Last Update" | fieldformat "Last Update"=strftime(strptime('Last Update', "%Y-%m-%dT%T+%3N:%6N"), "%a %b %d %T %Y UTC") | fieldformat Count=tostring(Count, "commas") | eval index=mvfilter(match(index, "^[a-z]")) | where(index!="history") | where(index!="main") | where(index!="sos") | where(index!="sos_summary_daily") | where(index!="splunklogger") | where(index!="summary") | dedup index </param>
<!-- Header line "Indexes (N)", where N is the result count. -->
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">Indexes (%(count)s)</param>
<!-- Pager limited to 10 page links. -->
<module name="Paginator">
<param name="entityName">results</param>
<param name="maxPages">10</param>
<!-- Results table with row drilldown enabled. -->
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="drilldown">row</param>
<!-- Drilldown target: start from the search "*", add the term
     index=(clicked value) through the addterm intention, then open the
     resulting search in the flashtimeline view. -->
<module name="HiddenSearch">
<param name="search">*</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="index">$click.value$</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
Hi, I just had a go at creating the kind of dashboard you wanted. The interesting part is at the end. The search I used to get information about the indexes is:
| rest /services/data/indexes count=0 | chart sum(currentDBSizeMB) by title
You might have to use the splunk_server option if you have a distributed environment and only want to list indexes on specific splunk servers:
| rest /services/data/indexes count=0 splunk_server=myserver | chart sum(currentDBSizeMB) by title
<view stylesheet="dashboard2.css" template="dashboard.html">
<label>Summary</label>
<!-- Page chrome: account bar, app navigation bar, a message area that accepts
     all messages (filter "*") and shows at most one (maxSize 1), and the title
     bar with the dashboard actions menu. -->
<module name="AccountBar" layoutPanel="appHeader" />
<module name="AppBar" layoutPanel="navigationHeader" />
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
<!-- Search bar with search assistant and typeahead enabled. The nested time
     range picker defaults to "All time" and does not run a search when it
     changes; the submit button hands the search to the flashtimeline view. -->
<module name="SearchBar" layoutPanel="splSearchControls-inline">
<param name="useAssistant">true</param>
<param name="useTypeahead">true</param>
<param name="useOwnSubmitButton">False</param>
<module name="TimeRangePicker">
<param name="selected">All time</param>
<param name="searchWhenChanged">False</param>
<module name="SubmitButton">
<param name="allowSoftSubmit">True</param>
<module name="ViewRedirector" layoutPanel="viewHeader">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
<!--
indexed data panels
-->
<!-- Sources panel (panel_row2_col1): lists every source with totalCount above
     zero, with its event count and most recent time, taken from
     "metadata type=sources". autoRun="true" starts it when the view loads and
     maxCount allows up to 100000 rows. -->
<!-- NOTE(review): earliest and latest are both "rt" and autoRun is true, so this
     panel presumably starts a real-time search for every viewer who opens the
     page. Confirm that load is acceptable on a busy search head. -->
<module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="true">
<param name="search">| metadata type=sources | search totalCount>0 | rename totalCount as Count recentTime as "Last Update" | table source Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>
<!-- Header line "Sources (N)", where N is the result count. -->
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">Sources (%(count)s)</param>
<!-- SPL-42701. Add back in later.
<module name="PostProcessFilter">
<param name="prefixSearch">eval _raw=source</param>
-->
<!-- Pager limited to 10 page links, wrapping a results table with row
     drilldown enabled. -->
<module name="Paginator">
<param name="entityName">results</param>
<param name="maxPages">10</param>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="drilldown">row</param>
<!-- Drilldown target: start from the search "*", add the term
     source=(clicked value) through the addterm intention, then open the
     result in flashtimeline with the auto_pause URI parameter set to true. -->
<module name="HiddenSearch">
<param name="search">*</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="source">$click.value$</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
<param name="uriParam.auto_pause">true</param>
</module>
</module>
</module>
</module>
<!--
SPL-42701. Add back in later.
</module>
-->
</module>
</module>
</module>
<!-- Static introduction text for the "All indexed data" group in
     panel_row1_col1, with a link to the add-data page at
     /manager/search/adddata. -->
<!-- NOTE(review): the anchor markup sits un-escaped inside the text param in
     this listing. If the listing was copied from a rendered page, the file on
     disk may wrap it in CDATA or use entities; compare with the original file
     before saving this version. -->
<module name="StaticContentSample" layoutPanel="panel_row1_col1" group="All indexed data">
<param name="text">This lists all of the data you have loaded into your default indexes. <a href="/manager/search/adddata"> Add more data</a>.</param>
<param name="groupLabel">All indexed data</param>
</module>
<!-- Source types panel AND the summary values in the top panel. One base search
     ("metadata type=sourcetypes", totalCount above zero) feeds four
     HiddenPostProcess children, so the metadata search is dispatched once and
     each child only post-processes its results. -->
<!-- NOTE(review): earliest and latest are both "rt" and autoRun is true, so this
     base search presumably runs as a real-time search for every viewer who
     opens the page. Confirm that load is acceptable on a busy search head. -->
<module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="true">
<param name="search">| metadata type=sourcetypes | search totalCount>0 | rename totalCount as Count recentTime as "Last Update"</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>
<!-- Top panel, single value: total of Count across all source types. -->
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
<param name="search">| stats sum(Count)</param>
<module name="SingleValue">
<param name="beforeLabel">Events indexed</param>
<param name="format">number</param>
</module>
</module>
<!-- Top panel, single value: smallest firstTime, formatted with "%c". -->
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
<param name="search">| stats min(firstTime) as min | eval min=strftime(min,"%c")</param>
<module name="SingleValue">
<param name="beforeLabel">Earliest event</param>
<param name="format">string</param>
</module>
</module>
<!-- Top panel, single value: largest lastTime, formatted with "%c". -->
<module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
<param name="search">| stats max(lastTime) as max | eval max=strftime(max,"%c")</param>
<module name="SingleValue">
<param name="beforeLabel">Latest event</param>
<param name="format">string</param>
</module>
</module>
<!-- Source types table (panel_row3_col1): source type, event count with
     thousands separators, and last update time. -->
<module name="HiddenPostProcess" layoutPanel="panel_row3_col1">
<param name="search">table sourcetype Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">Source types (%(count)s)</param>
<module name="Paginator">
<param name="entityName">results</param>
<param name="maxPages">10</param>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="drilldown">row</param>
<!-- Drilldown target: start from the search "*", add the term
     sourcetype=(clicked value) through the addterm intention, then open the
     result in flashtimeline with the auto_pause URI parameter set to true. -->
<module name="HiddenSearch">
<param name="search">*</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="sourcetype">$click.value$</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
<param name="uriParam.auto_pause">true</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<!-- Hosts panel (panel_row3_col2): lists every host with totalCount above zero,
     with its event count and most recent time, taken from
     "metadata type=hosts". autoRun="true" starts it when the view loads and
     maxCount allows up to 100000 rows. -->
<!-- NOTE(review): earliest and latest are both "rt" and autoRun is true, so this
     panel presumably starts a real-time search for every viewer who opens the
     page. Confirm that load is acceptable on a busy search head. -->
<module name="HiddenSearch" layoutPanel="panel_row3_col2" autoRun="true">
<param name="search">| metadata type=hosts | search totalCount>0 | rename totalCount as Count recentTime as "Last Update" | table host Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
<param name="maxCount">100000</param>
<param name="earliest">rt</param>
<param name="latest">rt</param>
<!-- Header line "Hosts (N)", where N is the result count. -->
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">Hosts (%(count)s)</param>
<!-- Pager limited to 10 page links, wrapping a results table with row
     drilldown enabled. -->
<module name="Paginator">
<param name="entityName">results</param>
<param name="maxPages">10</param>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="drilldown">row</param>
<!-- Drilldown target: start from the search "*", add the term
     host=(clicked value) through the addterm intention, then open the
     result in flashtimeline with the auto_pause URI parameter set to true. -->
<module name="HiddenSearch">
<param name="search">*</param>
<module name="ConvertToIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="host">$click.value$</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
<param name="uriParam.auto_pause">true</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<!-- Index size panel (panel_row1_col2): the panel added by this answer. It
     queries the REST endpoint /services/data/indexes with count=0 and sums
     currentDBSizeMB per index title. The same results drive both a pie chart
     and a table. autoRun="true" starts the search when the view loads. -->
<!-- Unlike a filtered list, this search applies no name filter, so every index
     the endpoint returns appears in the chart and the table. -->
<!-- NOTE(review): rest is called without splunk_server, so which servers answer
     depends on the deployment, and the rows a viewer sees presumably depend on
     what that user's role may read from this endpoint. If index names and sizes
     should not be visible to all users of the app, restrict who can read this
     view. The earliest and latest values are presumably not used by a rest
     search; confirm. -->
<module name="HiddenSearch" layoutPanel="panel_row1_col2" autoRun="true">
<param name="latest">now</param>
<param name="earliest">-15m</param>
<param name="search"><![CDATA[
| rest /services/data/indexes count=0 | chart sum(currentDBSizeMB) by title
]]></param>
<!-- Pie chart titled "Index Sizes", rendered by JSChart. -->
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<param name="chartTitle">Index Sizes</param>
<module name="JSChart" />
</module>
<!-- Header line "Indexes (N)" followed by a paginated table of the same
     results; no drilldown is configured on this table. -->
<module name="SimpleResultsHeader">
<param name="entityName">results</param>
<param name="headerFormat">Indexes (%(count)s)</param>
<module name="Paginator">
<param name="entityName">results</param>
<module name="SimpleResultsTable" />
</module>
</module>
</module>
</view>
I'm assuming you're talking about this view at
http://yourserver/en-US/manager/search/data/ui/views:
The view/dashboard is in:
$SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml
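In the search app, go to the Manager, click "User Interface" and then "Views". There you will see dashboard_live; you can clone it or edit it directly. Cloning keeps the shipped copy under default/ untouched, so your changes are not mixed into a file that belongs to the app.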