Skip to content

Creating a Splunk Dashboard

Prerequisites:

You must configure Sophos Linux Sensor (SLS) to export alerts to Splunk. See Exporting-Alerts-to-Splunk.

Create a Splunk dashboard

Once you've configured SLS to export alerts to Splunk, you can use those alerts to build a dashboard customized as per your needs. Do as follows:

  1. Login to Splunk.

  2. Click Search.

  3. Search for the events by entering a query in the box provided as shown.

    Eample: sourcetype=access_* status=200

    Search for the events.

    Once you have the search results, this can be used to create an Alert.

  4. Click Save As and select Report.

    Select report.

    Your report has been created.

  5. Click View to see the details. You can continue editing the settings in this pop up.

    Click on View.

  6. Now that the Report is created, click Add to Dashboard.

    Click Add to Dashboard.

    Save as dashboard panel.

    Dashboard: You can create a new dashboard or add the report to an existing Dashboard.

    Dashboard ID: Unique Id. This can't be modified later.

    Dashboard Permissions: Allows you to select if you want to share the report to all the users of the application or reserve it for private viewing.

    Panel Powered By: You can select either 'Inline Search' or 'Report'. You can hover the mouse over the options to get more details on what each of these options will do.

  7. Click Save. The following message will be displayed:

    Click on Save.

  8. Click View Dashboard.

    Click on View Dashboard.

    You can modify how the data is visualized.

    You can modify how the data is visualized.

  9. Click Edit and then click Select Visualization. Hover over the items and you will be able to see a brief description on how data will be presented in each of these options.

    Hover over the items.

    For example: Selecting the Pie chart changes the dashboard view:

    Selecting the Pie chart will change the dashboard view.

    Note

    You can edit the source directly in an HTML view.

    You can edit the source directly.

  10. Click Add Input to add more controls for fine tuning the dashboard.

    You can add more controls.

    Click add input.

  11. Click Add Panel to add more panels to the dashboard. This will give you the options to add a new panel, select from existing reports, or clone from other dashboards.

    You can add more panels to the dashboard.

    For Example: Cloning another panel from existing Dashboard:

    Cloning another panel from existing Dashboard.

  12. After the changes are saved, you have the option to set this as a home dashboard.

    Set this as a home dashboard.

    This will set up the home page of the application:

    This will set up the home page.

    This can be modified anytime by Clicking the gear icon next to the title:

    Click the gear icon.

  13. Click and drag the panels to order them in the dashboard.

    Click and drag the panels.

    Reordering the panels.

    Reordering the panels.

  14. You can add search results directly to the Dashboard. Click Save As and select Dashboard Panel.

    Add the search results directly to the Dashboard.

    After this you can edit or continue adding dashboard panels as needed.