IntermediateLesson 5 of 9

Dashboards

Build operational Splunk dashboards with panels, tokens, drilldowns, and saved searches for real-time visibility.

Simple Explanation (ELI5)

A Splunk dashboard is a page that runs multiple searches at once and shows you all the results together. Instead of running 10 separate searches every morning, you open one page and see everything in one place — and it updates automatically.

Technical Explanation

Splunk dashboards are composed of panels, each backed by a saved search or inline SPL. Dashboards can be created via the visual editor (no XML needed) or directly in XML for full control. Dashboard Studio is the modern drag-and-drop dashboard builder with CSS-level customization. Classic dashboards use SimpleXML. Tokens enable interactivity — a dropdown controls a time range or host filter across all panels simultaneously via token substitution.

Dashboard Anatomy

Dashboard Title

Name, description, and optional time range picker at the top.

Input Controls

Dropdowns, text inputs, time pickers — set token values that filter all panels.

Panels

Each panel runs a search and renders a chart, table, single value, or map.

Drilldowns

Clicking a panel value redirects to another dashboard or search with context tokens.

Refresh

Panels auto-refresh on a schedule (30s, 1m, 5m etc.) for near-real-time ops dashboards.

Saved Search Link

Panels can reference scheduled saved searches for instant load without running queries.

Creating a Dashboard (Simple XML)

simplexml — dashboard example

<dashboard version="1.1" theme="dark">
  <label>Application Error Monitor</label>
  <description>Real-time error rates by service</description>

  <!-- Token input: filter by environment -->
  <fieldset submitButton="false">
    <input type="dropdown" token="env" searchWhenChanged="true">
      <label>Environment</label>
      <choice value="prod_app">Production</choice>
      <choice value="staging_app">Staging</choice>
      <default>prod_app</default>
    </input>
  </fieldset>

  <row>
    <!-- Single value panel: total errors -->
    <panel>
      <single>
        <title>Total Errors (Last 1h)</title>
        <search>
          <query>index=$env$ level=ERROR earliest=-1h | stats count</query>
          <earliest>-1h</earliest>
        </search>
        <option name="colorBy">value</option>
        <option name="rangeColors">["0x65ba45","0xf59e0b","0xef4444"]</option>
        <option name="rangeValues">[0,100,500]</option>
      </single>
    </panel>

    <!-- Line chart panel: errors over time -->
    <panel>
      <chart>
        <title>Error Rate Over Time</title>
        <search>
          <query>index=$env$ level=ERROR | timechart span=5m count by service</query>
          <earliest>-1h</earliest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>

  <row>
    <!-- Table panel: top error hosts -->
    <panel>
      <table>
        <title>Top Error Hosts</title>
        <search>
          <query>index=$env$ level=ERROR
| stats count as errors by host, service
| sort -errors | head 10</query>
          <earliest>-1h</earliest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <link target="_blank">
            search?q=index=$env$ level=ERROR host=$row.host$&earliest=-1h
          </link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

Saved Searches for Dashboards

spl — creating a saved search

# In Splunk UI: Activity → Searches, Reports, and Alerts → New Report
# Or reference an existing named search in a panel:

<search ref="Error Rate by Service" />

# Schedule the underlying saved search to run every 5 minutes
# and cache results — dashboard panels load instantly from cache

Debugging Scenarios

Panel shows "No results": Check the panel's inline SPL by clicking the magnifying glass icon. Verify token is substituting correctly (inspect query with $tokenName$ resolved).
Token not passing between panels: Ensure the drilldown action sets the correct token name and the dependent panel references the same token in its search.
Dashboard loads slowly: Pin panels to cached saved searches scheduled at intervals. Avoid long-running inline queries with wide time ranges.
Chart type wrong: Some SPL outputs (multi-value) don't render as expected in line charts — use timechart for time-series and chart for field-based charts.

Real-world Use Case

An SRE team built a "Service Health" dashboard with a single environment token. It showed error counts (single value panel), error rate over time (line chart), regional breakdown (choropleth map), and top failing endpoints (table with drilldown to full search). The dashboard was pinned as the on-call engineer's first screen, reducing time-to-context during incidents from 10 minutes to under 60 seconds.

Interview Questions

Beginner

What is a Splunk dashboard?▾

A collection of panels that each run SPL searches and display results as charts, tables, or single values on a single page.

What is a token in a dashboard?▾

A variable set by an input control (dropdown, text box) that gets substituted into panel searches, enabling interactive filtering.

What is the difference between SimpleXML and Dashboard Studio?▾

SimpleXML is the classic XML-based dashboard format. Dashboard Studio is the modern visual editor with drag-and-drop layout and CSS styling.

What is a saved search?▾

A named SPL query that can be referenced by multiple dashboard panels, scheduled to run on a defined interval, and configured to send alerts.

How do you auto-refresh a dashboard?▾

Set the refresh attribute on the dashboard XML element or configure the auto-refresh interval in Edit Dashboard options.

Intermediate

How do drilldowns work?▾

An action defined on a panel that fires when the user clicks a row or data point — typically navigates to another dashboard or search with context tokens set from the clicked row.

How would you speed up a slow-loading dashboard?▾

Back panels with scheduled saved searches (cached results load instantly), narrow time ranges, add index/sourcetype filters, or use summary indexing for heavy aggregations.

What is summary indexing?▾

A technique where a scheduled search stores pre-aggregated results in a separate index — dashboard panels query the small summary index instead of billions of raw events.

How do you share a dashboard with a team?▾

Set the dashboard's permissions to "Shared in App" or "Shared globally" in the UI. Access is further controlled by Splunk role/capability settings.

What is the rangeColors option in a single-value panel?▾

Defines threshold-based color coding — green below X, amber between X and Y, red above Y — to give at-a-glance status.

Scenario-based

An on-call engineer needs to filter the dashboard by region. How do you build that?▾

Add a dropdown input that sets a $region$ token. Each panel's SPL includes region=$region$. When the dropdown changes, all panels re-run with the new filter.

Dashboard is accurate in the morning but wrong by afternoon. Why?▾

Likely using cached saved searches without real-time refresh. Set auto-refresh or increase the saved search schedule frequency.

Management needs a daily email with key error metrics. How?▾

Create a scheduled saved search with PDF delivery action, or use a Splunk Report scheduled to email a PDF/CSV at defined times.

You have 50 dashboard panels and performance is poor. Strategy?▾

Split into multiple targeted dashboards by audience. Back heavy panels with summary indexes. Remove unused panels and narrow time windows.

Clicking a table row should open a new search pre-filtered by that row's host value. How?▾

Add a drilldown action to the table panel: <link target="_blank">search?q=index=prod_app host=$row.host$</link>

Summary

Effective Splunk dashboards turn raw log data into operational awareness. Tokens make them interactive, drilldowns make them investigative, and scheduled saved searches make them fast. Design dashboards for the person who will use them, not for aesthetic completeness.

PreviousSearching & Querying (SPL) ← Back to Course NextAlerts