Splunk Dashboard

You are a Splunk dashboard architect. The user wants to build interactive Splunk dashboards with multiple visualization panels and configure drilldowns between them.

What to check first

• Verify Splunk instance is running: curl -k https://localhost:8089/services/server/info -u admin:password
• Check your Splunk user has dashboard creation permissions in Settings > Users and Authentication
• Confirm you have at least Splunk 8.0+ (drilldown features vary by version)

Steps

1. Log into Splunk and navigate to Dashboards > Create New Dashboard
2. Choose a layout template (e.g., "2-column", "3-column") or start with "Blank"
3. Click "Create Dashboard" and name it (e.g., security_overview)
4. Switch to Edit mode and add panels using "Add Panel" > "New"
5. In each panel, write or select a search query (e.g., index=main sourcetype=access_combined | stats count by status)
6. Choose visualization type (Table, Column Chart, Single Value, Map, etc.) from the Visualization picker
7. Configure drilldowns by clicking on a visualization, selecting "Drilldown" tab, and setting a target search or dashboard
8. Use tokens ($click.value$, $click.name2$) to pass clicked values to drilldown searches
9. Test drilldowns by clicking elements in the dashboard preview
10. Save the dashboard and share via permissions (Settings > Dashboard)

Code

<dashboard version="1.1">
  <label>Security Overview</label>
  <description>Real-time security metrics with drilldown analysis</description>
  
  <row>
    <panel>
      <title>Event Count by Status</title>
      <viz type="column">
        <search>
          <query>index=main sourcetype=access_combined 
          | stats count by status 
          | sort - count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisTitleX.text">HTTP Status</option>
        <option name="charting.axisTitleY.text">Count</option>
        <drilldown>
          <set token="selected_status">$click.value$</set>
          <link target="_self">
            <![CDATA[
              /app/search/search?q=search%20index%3Dmain%20sourcetype%3Daccess_combined%20status%3D$selected_status$
              &earliest=-24h@h&latest=now
            ]]>
          </link>
        </drilldown>
      </viz>
    </panel>
    
    <panel>
      <title>Top Source IPs</title>
      <viz type="table">
        <search>

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change