Creating a Splunk Dashboard – Capsule8

Introduction:

Once we have the alerts flowing to Splunk (https://documentation.capsule8.com/hc/en-us/articles/360048409373-Exporting-Alerts-to-Splunk) we can use those alerts to build a dashboard customized as per the user needs

Click on the Search tab

Search for the events by entering a query in the box provided as shown

For ex: sourcetype=access_* status=200

Once you have the search results, this can be used to create an Alert.

Click on the ‘Save As” drop down and select ‘Report’

Click on View to see the details or you can continue editing the settings in this pop up.

Now that the Report is created, you can add it to the dashboard by clicking the link “Add to Dashboard”

Dashboard: You can create a new dashboard or add the report to an existing Dashboard

Dashboard ID: Unique Id. This cannot be modified later

Dashboard Permissions: Allows you to select if you want to share the report to all the users of the application or reserve it for private viewing

Panel Powered By: You can select either ‘Inline Search’ or ‘Report’. You can hover the mouse over the options to get more details on what each of these options will do.

Click on Save and a message will be displayed as below

Click on View Dashboard

You can modify how the data is visualized.

Click on the ‘Edit’ button and then click on ‘Select Visualization. Hover over the items and you will be able to see a brief description on how data will be presented in each of these options.

For ex: Selecting the Pie chart will change the dashboard view as below

Please note that yon can edit the source directly which will be open an HTML view

You can add more controls to finetune the dashboard using ‘Add Input’

You can add more panels to the dashboard using ‘Add Panel’ which will give you the options to add a new panel or select from existing reports or close from other dashboards