Day 6: Data Visualization
What You Will Learn Today
- Chart types and when to use them
- Creating dashboards
- Adding and configuring panels
- Drilldown interactions
- Simple XML basics
Chart Types
Splunk can render search results in a wide variety of chart formats, each suited to different analytical needs.
flowchart TB
subgraph Charts["Chart Types"]
Line["Line Chart<br>Time-series trends"]
Bar["Bar Chart<br>Category comparison"]
Pie["Pie Chart<br>Proportions"]
Area["Area Chart<br>Cumulative trends"]
Column["Column Chart<br>Vertical bars"]
Single["Single Value<br>KPI display"]
end
style Line fill:#3b82f6,color:#fff
style Bar fill:#22c55e,color:#fff
style Pie fill:#f59e0b,color:#fff
style Area fill:#8b5cf6,color:#fff
style Column fill:#ef4444,color:#fff
style Single fill:#3b82f6,color:#fff
| Chart Type | Use Case | Recommended SPL Command |
|---|---|---|
| Line chart | Time-series trends | timechart |
| Bar chart | Category comparison | stats ... by |
| Pie chart | Proportions | stats count by, top |
| Area chart | Cumulative trends | timechart |
| Table | Detailed listings | table |
| Single value | KPIs | stats count |
| Gauge | Threshold display | stats returning one number (radialGauge, fillerGauge or markerGauge) |
| Map | Geographic data | iplocation + geostats |
Choosing the Right Chart
# Line chart - time-series trends
index=main | timechart span=1h count
# Bar chart - category comparison
index=main | stats count by host | sort -count
# Pie chart - proportions
index=main | top limit=5 sourcetype
# Single value - KPI
index=main | stats count AS total_events
Creating Dashboards
From the Web UI
- Go to Dashboards > Create New Dashboard
- Enter a dashboard name
- Choose Dashboard Studio or Classic Dashboards
- Add panels
From a Search Result
- Run a search
- Click Save As > Dashboard Panel
- Select an existing dashboard or create a new one
- Enter a panel title
Simple XML
Classic Dashboards are written in Simple XML; Dashboard Studio dashboards use a JSON definition instead, so the markup below applies only to the Classic option.
Basic Structure
<dashboard>
<label>Web Server Monitor</label>
<description>Web server monitoring dashboard</description>
<row>
<panel>
<title>Total Requests</title>
<single>
<search>
<query>index=main sourcetype=access_combined | stats count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</single>
</panel>
<panel>
<title>Error Rate</title>
<single>
<search>
<query>
index=main sourcetype=access_combined
| stats count(eval(status>=400)) AS errors, count AS total
| eval error_rate = round(errors/total*100, 2) . "%"
| fields error_rate
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</single>
</panel>
</row>
<row>
<panel>
<title>Requests Over Time</title>
<chart>
<search>
<query>
index=main sourcetype=access_combined
| timechart span=1h count by status
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">line</option>
</chart>
</panel>
</row>
</dashboard>
Panel Types
| Tag | Description |
|---|---|
| <single> | Single value |
| <chart> | Charts (line, bar, pie, etc.) |
| <table> | Table |
| <map> | Map |
| <event> | Event list |
| <html> | Custom HTML |
Chart Options
<chart>
<search>
<query>...</query>
</search>
<!-- Chart type -->
<option name="charting.chart">line</option>
<!-- Legend placement -->
<option name="charting.legend.placement">bottom</option>
<!-- Y-axis label -->
<option name="charting.axisTitleY.text">Requests</option>
<!-- Stack mode -->
<option name="charting.chart.stackMode">stacked</option>
</chart>
| Option | Values | Description |
|---|---|---|
| charting.chart | line, bar, column, pie, area | Chart type |
| charting.chart.stackMode | default, stacked, stacked100 | Stack mode |
| charting.legend.placement | right, bottom, top, none | Legend position |
Inputs
You can add input controls to dashboards so users can filter results interactively. Each input exposes its value as a token, and the token is substituted into panel searches as plain text, so a free-text input becomes part of the SPL that actually runs; treat its value as untrusted input rather than as a harmless keyword.
<dashboard>
<label>Filtered Dashboard</label>
<fieldset submitButton="true">
<!-- Text input -->
<input type="text" token="keyword">
<label>Keyword</label>
<default>*</default>
</input>
<!-- Dropdown -->
<input type="dropdown" token="selected_host">
<label>Host</label>
<choice value="*">All</choice>
<search>
<query>index=main | stats count by host | fields host</query>
</search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<default>*</default>
</input>
<!-- Time range picker -->
<input type="time" token="time_range">
<label>Time Range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>
index=main host=$selected_host$ $keyword$
| timechart span=1h count
</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
</chart>
</panel>
</row>
</dashboard>
Tokens
| Token | Description |
|---|---|
| $token_name$ | References the input value |
| $time_range.earliest$ | Start of the time input |
| $time_range.latest$ | End of the time input |
A token can also carry a filter that controls how its value is encoded at the point of use: $token_name|u$ URL-encodes the value (for link hrefs), $token_name|h$ HTML-encodes it (for html panels), $token_name|s$ quotes it as a single search term (for free-text inputs that land in SPL), and $token_name|n$ applies no encoding at all.
Drilldown
Drilldowns define what happens when a user clicks on a panel element.
<chart>
<search>
<query>index=main | stats count by host</query>
</search>
<drilldown>
<!-- Open a new search in a new tab. The |u filter URL-encodes the clicked
     value, so a host name containing a space, & or # stays inside the q= parameter -->
<link target="_blank">
/app/search/search?q=index%3Dmain%20host%3D$click.value|u$
</link>
</drilldown>
</chart>
<!-- Navigate to another dashboard (host_detail) and pass the host as a URL parameter -->
<chart>
<drilldown>
<link>/app/search/host_detail?host=$click.value|u$</link>
</drilldown>
</chart>
| Drilldown Variable | Description |
|---|---|
| $click.value$ | The x-axis value of the clicked element (for stats count by host, the host) |
| $click.name$ | The name of the x-axis field (here, host) |
| $click.value2$ | The value of the clicked cell or series |
| $click.name2$ | The field name of the clicked cell or series |
| $row.field_name$ | A field value from the clicked row |
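As an added example (not code from this page or from Splunk), the following Python models how Simple XML substitutes tokens with the four filters listed in the Tokens section, and applies it to the panel query from the Inputs section and to the drilldown link above. The filter semantics follow the documented behaviour; the exact escaping rule of |s (backslashes and double quotes), verbatim substitution for unfiltered tokens, and leaving unknown tokens unresolved are assumptions of this model, not Splunk's implementation.

```python
import html
import re
from urllib.parse import quote

# Constructed model of Simple XML token substitution (not Splunk's own code).
# Filters: |u URL-encode, |h HTML-encode, |s quote as one search term, |n raw.
# Assumptions: no filter means verbatim substitution; an unknown token is left
# as written; |s escapes backslashes and double quotes, then wraps in quotes.
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)(?:\|([uhsn]))?\$")


def search_literal(value: str) -> str:
    """Quote a value so SPL treats it as a single literal term."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


FILTERS = {
    "u": lambda v: quote(v, safe=""),
    "h": lambda v: html.escape(v, quote=True),
    "s": search_literal,
    "n": lambda v: v,
    "": lambda v: v,
}


def render(template: str, tokens: dict) -> str:
    """Replace every $name$ or $name|filter$ in template with the token's value."""
    def substitute(match):
        name, flt = match.group(1), match.group(2) or ""
        if name not in tokens:
            return match.group(0)
        return FILTERS[flt](str(tokens[name]))
    return TOKEN_RE.sub(substitute, template)


# The panel query from the Inputs section and the drilldown link from above.
PANEL_QUERY = "index=main host=$selected_host$ $keyword$ | timechart span=1h count"
DRILLDOWN_LINK = "/app/search/search?q=index%3Dmain%20host%3D$click.value|u$"


def keyword_injection_demo() -> dict:
    """Why a free-text input that lands in SPL should carry the |s filter."""
    user_input = "login | stats count by user"  # constructed input containing a pipe
    tokens = {"selected_host": "web01", "keyword": user_input}
    return {
        # verbatim substitution: the pipe appends a command before the timechart
        "raw": render(PANEL_QUERY, tokens),
        # |s: the whole input becomes one quoted search term
        "quoted": render(PANEL_QUERY.replace("$keyword$", "$keyword|s$"), tokens),
    }


def drilldown_link_demo() -> str:
    """A clicked value with a space and an ampersand stays inside the q= parameter."""
    return render(DRILLDOWN_LINK, {"click.value": "web 01&x=1"})


if __name__ == "__main__":
    for label, query in keyword_injection_demo().items():
        print(f"{label:7s} {query}")
    print("link    " + drilldown_link_demo())
```

Compare the raw and quoted lines: with verbatim substitution the Keyword input rewrites the search pipeline, with |s it is one phrase. When you add |s to an input, check that its default value (here `*`) still makes sense as a quoted literal.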
Dashboard Design Best Practices
flowchart TB
subgraph Layout["Dashboard Layout"]
KPI["Top Row: KPI Panels<br>Single values"]
Trend["Middle Row: Trend Charts<br>Line / Area"]
Detail["Bottom Row: Detail Tables<br>Tables / Events"]
end
KPI --> Trend --> Detail
style KPI fill:#3b82f6,color:#fff
style Trend fill:#22c55e,color:#fff
style Detail fill:#f59e0b,color:#fff
| Guideline | Description |
|---|---|
| KPIs on top | Place key metrics at the top of the dashboard |
| 4 panels per row max | Keep layouts readable |
| Share a time filter | Use a global time picker |
| Configure drilldowns | Let users click through to details |
| Consistent colors | Maintain a unified color scheme |
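The guidelines above can be checked mechanically before a dashboard is shared. The following is an added example (not code from this page or from Splunk): a small Python linter over Simple XML that flags panel searches not bound to the time picker, rows with more than four panels, and drilldown links whose tokens lack the |u filter. The sample dashboard inside it is constructed for the example and deliberately contains one hard-coded time range and one unencoded link token. One assumption of the model: a time input without a token attribute is treated as a global picker that applies to every panel search that sets no range of its own.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Added example, not Splunk's own tooling. Assumption: a time input with no
# token attribute is a global picker covering panel searches without a range.
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)(?:\|([uhsn]))?\$")
VIZ_TAGS = {"single", "chart", "table", "map", "event"}
MAX_PANELS_PER_ROW = 4


def lint_dashboard(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the dashboard passes."""
    root = ET.fromstring(xml_text)
    findings = []
    global_picker = any(
        inp.get("type") == "time" and inp.get("token") is None
        for inp in root.iter("input")
    )
    for row_no, row in enumerate(root.findall("row"), start=1):
        panels = row.findall("panel")
        if len(panels) > MAX_PANELS_PER_ROW:
            findings.append(f"row {row_no}: {len(panels)} panels, keep it to {MAX_PANELS_PER_ROW}")
        for panel in panels:
            title = (panel.findtext("title") or f"row {row_no} untitled panel").strip()
            for viz in panel:
                if viz.tag not in VIZ_TAGS:
                    continue
                for search in viz.findall("search"):
                    earliest = (search.findtext("earliest") or "").strip()
                    latest = (search.findtext("latest") or "").strip()
                    if not earliest and not latest:
                        if not global_picker:
                            findings.append(f"panel '{title}': no time range bound to a time picker")
                    elif not (TOKEN_RE.search(earliest) and TOKEN_RE.search(latest)):
                        findings.append(f"panel '{title}': hard-coded time range ignores the time picker")
                # every token in a drilldown href must be URL-encoded
                for link in viz.iter("link"):
                    for name, flt in TOKEN_RE.findall(link.text or ""):
                        if flt != "u":
                            findings.append(f"panel '{title}': ${name}$ in <link> is not URL-encoded, use ${name}|u$")
    return findings


# Constructed sample: one panel hard-codes its range, one link token lacks |u.
SAMPLE_DASHBOARD = """<dashboard>
  <label>Web Server Monitor</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <panel><title>Total Requests</title>
      <single><search>
        <query>index=main sourcetype=access_combined | stats count</query>
        <earliest>$time.earliest$</earliest><latest>$time.latest$</latest>
      </search></single>
    </panel>
    <panel><title>Error Count</title>
      <single><search>
        <query>index=main sourcetype=access_combined status>=400 | stats count</query>
        <earliest>-24h@h</earliest><latest>now</latest>
      </search></single>
    </panel>
  </row>
  <row>
    <panel><title>Requests by Host</title>
      <chart>
        <search>
          <query>index=main sourcetype=access_combined | stats count by host</query>
          <earliest>$time.earliest$</earliest><latest>$time.latest$</latest>
        </search>
        <drilldown>
          <link target="_blank">/app/search/search?q=index%3Dmain%20host%3D$click.value$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>"""


if __name__ == "__main__":
    for finding in lint_dashboard(SAMPLE_DASHBOARD) or ["no findings"]:
        print(finding)
```

Run it against your own Classic dashboards by reading the XML from the Source tab of the editor; an empty result means every panel follows the shared time picker and every drilldown token is encoded.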
Hands-On: Web Server Monitoring Dashboard
<dashboard>
<label>Web Server Monitor</label>
<fieldset submitButton="false">
<input type="time" token="time">
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<!-- KPI row -->
<row>
<panel><title>Total Requests</title>
<single>
<search>
<query>index=main sourcetype=access_combined | stats count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
</single>
</panel>
<panel><title>Unique Visitors</title>
<single>
<search>
<query>index=main sourcetype=access_combined | stats dc(clientip)</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
</single>
</panel>
<panel><title>Error Count</title>
<single>
<search>
<query>index=main sourcetype=access_combined status>=400 | stats count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
</single>
</panel>
</row>
<!-- Trend row -->
<row>
<panel><title>Requests Over Time</title>
<chart>
<search>
<query>index=main sourcetype=access_combined | timechart span=1h count by status</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">area</option>
<option name="charting.chart.stackMode">stacked</option>
</chart>
</panel>
</row>
<!-- Detail row -->
<row>
<panel><title>Top URIs</title>
<table>
<search>
<query>index=main sourcetype=access_combined | top limit=10 uri</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
</table>
</panel>
<panel><title>Top Client IPs</title>
<table>
<search>
<query>index=main sourcetype=access_combined | top limit=10 clientip</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
</table>
</panel>
</row>
</dashboard>
Summary
| Concept | Description |
|---|---|
| Chart types | Line, bar, pie, area, table, single value |
| Dashboard | A collection of panels arranged in rows |
| Simple XML | The markup language for classic dashboards |
| Tokens | Variables that connect inputs to panel searches |
| Drilldown | Actions triggered by clicking panel elements |
Key Takeaways
- Arrange panels in a KPI > Trend > Detail hierarchy
- Share a global time filter across all panels
- Use drilldowns to let users navigate to detailed views
- Understanding Simple XML unlocks deep customization
Exercises
Exercise 1: Basic
Create a dashboard with three KPI panels: total event count, unique host count, and error count.
Exercise 2: Applied
Build a dashboard with a host dropdown filter. When a host is selected, display an event trend chart and a top URIs table for that host.
Exercise 3: Challenge
Add drilldown to a bar chart so that clicking a bar opens the detailed logs for that host in a new tab.
Coming up next: In Day 7, you will explore advanced search techniques including subsearches, lookups, joins, and transactions -- powerful SPL features for correlating data across multiple sources.