SPLK-1004 Customizing Dashboards

Customizing Dashboards Detailed Explanation

1. Dashboard Types

Splunk provides two primary frameworks for creating dashboards, each with its own strengths.

a) Classic Dashboards (Simple XML)

• Built using Simple XML

• Text-based configuration

• Supports:

  • Panels (tables, charts, single values)

  • Form inputs

  • Base and post-processing searches

• Easy to export and version-control

• Ideal for basic to moderately complex dashboards

b) Dashboard Studio

• Visual, drag-and-drop editor introduced in newer Splunk versions

• Allows custom layouts, images, shapes, text boxes, and absolute positioning

• Supports dynamic behavior without requiring custom code

• Recommended for:

  • Executive dashboards

  • Custom branding

  • Enhanced interactivity and layout control

Note: Studio dashboards do not yet support post-process searches as Classic XML does.

2. Custom Features

Customizing a dashboard isn't just about how it looks—it's also about how it behaves. Below are the most common features used to enhance functionality.

a) Drilldowns

Drilldowns allow users to click on a visualization (e.g., a bar or table row) and trigger actions such as:

• Filtering another panel

• Opening a different dashboard

• Running a search with a clicked value

Example Use Case: Clicking on a row in a table showing host="web01" could open another dashboard that shows all logs from web01.

b) Form Tokens

Inputs like drop-downs, text boxes, or time pickers set tokens that are used in search queries and titles dynamically.

Example:

<query>index=web status=$status$</query>

Tokens also enable advanced logic, such as hiding panels or updating other inputs based on selections.

c) Conditional Formatting

You can apply color logic and icons based on the values in a panel, especially in table or single-value visualizations.

Examples:

• Green for success, red for failure

• Arrow icons for trending values

• Gradient color ranges for numerical KPIs

Implemented using:

• eval fields to tag severity

• Conditional range formatting in Classic XML or Studio editor

d) Dynamic Panels

You can show or hide dashboard panels based on:

• Input values

• Search results

• Token conditions

Example:

<depends token="show_advanced">true</depends>

This technique makes dashboards more interactive and user-focused, allowing non-technical users to explore data progressively.

3. Styling

Visual appeal and branding can greatly increase dashboard usability and user satisfaction. Splunk provides ways to go beyond the default theme.

a) HTML/CSS Embedding (Classic Dashboards)

Classic dashboards support HTML panels and inline CSS to:

• Format titles

• Embed links

• Adjust colors and fonts

Example:

<html>
  <h2 style="color:darkblue;">Web Application Performance</h2>
</html>

b) Custom Icons and Labels

You can:

• Use icons (e.g., checkmarks, warning signs) for visual cues

• Add custom labels for clarity

• Leverage images and logos for branding

In Dashboard Studio, these are supported natively through UI widgets.

c) Layout Grids (Dashboard Studio)

Dashboard Studio offers:

• Absolute positioning: Place elements anywhere

• Grid-based layout: Align panels in rows/columns

• Custom spacing, background colors, and section headers

These layout features support more advanced and responsive dashboard designs.

Summary Table: Dashboard Customization Features

Feature	Description
Classic Dashboards	XML-based, supports base searches and post-processing
Dashboard Studio	Visual editor for enhanced layout and styling
Drilldowns	Clickable charts/tables to trigger actions or filter panels
Form Tokens	Dynamic tokens that control searches and panels
Conditional Formatting	Colors, icons, and thresholds based on field values
Dynamic Panels	Show/hide content based on user input or token state
Styling	Custom HTML, CSS, icons, layout grids, and visual branding

Customizing Dashboards (Additional Content)

1. Token Lifecycle and Behavior (Classic Dashboards)

In Classic Dashboards (Simple XML), token behavior is central to dynamic interaction. Understanding token lifecycle is critical for predictable and controlled dashboard logic.

Token States:

• Default Token: Set using the <default> tag inside input definitions. It initializes the dashboard.

• Submitted Token: This state is activated only when the submit button is clicked (if used). Until submission, panels relying on token input will not update.

• Unset Token: A token that has not been initialized or has been explicitly cleared. Panels relying on it will not render unless otherwise handled.

Key Tags:

• <submit />: Adds a submit button; tokens are only passed when the user clicks "Submit".

• <rejects>: Prevents panels from rendering when a certain token is set to a specific value.

• <depends>: Only shows a panel when a given token is set.

Example:

<fieldset submitButton="true">
  <input type="dropdown" token="service_type">
    <label>Select Service</label>
    <default>all</default>
    <choice value="web">Web</choice>
    <choice value="db">Database</choice>
  </input>
</fieldset>

<panel rejects="service_type">
  <title>Choose a Service First</title>
</panel>

This configuration blocks the panel until the user makes a selection and submits it.

2. Drilldown Modes

Drilldowns allow interactive dashboards, and knowing their modes helps clarify design decisions and token behavior.

Types of Drilldown Actions:

• Link to Search: Opens the Search app in a new tab with the clicked value pre-populated.

• Link to Another Dashboard: Navigates to a second dashboard and passes tokens via URL (form.token=value).

• Set Token in Place: Applies a token to the current dashboard context. Typically used for filtering in-page panels.

Example – In-Page Token Filtering:

<drilldown>
  <set token="selected_host">$row.host$</set>
</drilldown>

Paired with:

<panel depends="$selected_host$">
  <title>Details for $selected_host$</title>
</panel>

This creates an in-page interaction where clicking a row filters the panel below.

3. Token Value Visualization (Token Echoing)

To improve user awareness and UI transparency, you can echo the current token values back to the screen. This is helpful for debugging or reinforcing user confidence.

Example:

<panel>
  <html>
    <h3>Currently Viewing: $status$</h3>
  </html>
</panel>

This simple HTML panel dynamically reflects the user's current filter choice.

4. Performance Implications of Custom Features

Customization increases functionality but can degrade dashboard performance if not handled carefully.

Common Performance Considerations:

• Token-driven panels and dynamic filters increase complexity and may slow loading if not well-scoped.

• Excessive use of base searches can cause search concurrency limits to be reached, delaying other panels.

• Uncontrolled time ranges in default searches can scan large volumes of data unnecessarily.

Best Practices:

• Use Search Job Inspector to identify panels with long execution times.

• Consider using summary indexing or report acceleration for heavy logic.

• Set default values and scoped time ranges to prevent unnecessary data loads.

5. Accessibility and Mobile Responsiveness

Although not a major exam topic, it’s important in real-world deployments—especially for executive or field-use dashboards.

Key Points:

• Dashboard Studio offers responsive layouts that adapt well to mobile devices.

• Use grid layouts and relative positioning to ensure visual consistency across screen sizes.

• Avoid hardcoded widths or heights in HTML that break on smaller screens.

Conclusion:

Customizing dashboards in Splunk is more than aesthetic—it involves structural, behavioral, and performance-focused design. Mastering the lifecycle of tokens, understanding drilldown types, managing visual echoing, and optimizing for performance and responsiveness are all essential for both effective exam performance and real-world solution delivery.