How to Create Effective Dashboards in Splunk

 

While there might be a lot of data in your Splunk server(s), it’s useless if you can’t get valuable information from Splunk. One way to get value from data is by using dashboards.

In Splunk, you can easily create dashboards that look amazing. But you have to be careful to not give too much information to the users, which might make them feel overwhelmed by all of the data.

What you see in a dashboard has to be easy to digest and understandable at first sight. The purpose of a dashboard is to answer questions, not make users ask more questions like “What’s this about? Why are there so many visualizations? Do I need to take a look at that graph?”

In Splunk, there are a lot of options for creating a dashboard. For instance, you have several visualization types, forms, fields, filters, colors, and drill-down options.

So how can you create an effective dashboard? Well, you’ve come to the right place. Let me give you a few Splunk dashboard examples.

Build an Appropriate Search Query

It all starts with a good search query. The first thing you need to do is to think about the user, rather than the data itself.

What will users ask, and what are they expecting to get? How familiar are users with the data? Do you need to complement the data with a pivot table? What type of visualizations will help the users best?

You’ll build the appropriate query based on these questions. For example, some visualization types need the data in a particular format, like a table with two columns.

Moreover, a search query needs to return data fast. There are a few general recommendations, such as:

  • Avoid using NOT expressions.
  • Don’t use wildcards.
  • Use transforming commands in the correct order.

A search query has to be specific: the more field names you use, the better. Also, when you use field names, you can use variables and make the search queries reusable. We’ll talk more about this later. You can take a look at Splunk’s official docs to learn more about how to create better queries.

Organize Layout and Interactions

When users land on a dashboard page, they should be able to follow a workflow when looking at the screen. That means that each dashboard should have a story, so to speak.

Work with users and ask them questions. For example, you might ask what the first thing they would like to see on the dashboard is.

Let’s say we’re talking about a website. The first thing they might want to see is the website’s error hits. Then, users might want to know the latency numbers, then the CPU of the servers, and so on.

Another recommendation would be to make effective use of the white spaces on the screen. Don’t leave any white space on the screen—make the dashboard look organized.

Add all the context users will need, especially if it’s the first time they’ll be looking at the dashboard. Context should be balanced, so the names you put on the labels should be accurate and not generated automatically.

Avoid making the user scroll down to get more information. If that happens, that might be because the information they need is not at the beginning. Or maybe there’s information that’s no longer needed.

Remember, a good dashboard is the one that helps answer questions. Reduce noise.

Choose the Right Visualization

You might want to explore all the visualization types you have available in Splunk before choosing one.

For example, a traditional pie chart will give you better insight than a raw count when you see that there are five thousand errors. Maybe the traffic has increased, and the percentage of errors is still low.

Another use case is when you want to include the average latency for websites. In this case, you’ll use a single value type. You can customize the colors to simulate a semaphore, add percentage or money symbols, and labels.

Another excellent visualization is the gauge type, which allows you to simulate a semaphore or a thermostat.

You can even have a map visualization to answer questions quickly by only looking at the graph. By default, you have a map for the United States, but you can create your own as well.

When you decide which visualization types you’ll use, make sure you have the appropriate search query because not all types need the data in the same format.

A useful feature in Splunk is that when you run a search, you can have a list of recommended visualization types in case you don’t know which one to use.

Use Forms, Fields, and Filters

One of the most useful features in Splunk is the ability to play around with all panels within a dashboard. In case you didn’t know, you can add fields to the dashboard for filtering the results. Splunk calls this feature forms.

In a dashboard, you can include as many fields as you want. For example, you can include a time range field, or a drop-down populated with either static values or dynamic data from another search query.

For instance, if you’re collecting data from landing pages in your site, you can create a search query to get all the different landing page names and use it as a filter in a drop-down. And you won’t have to modify the drop-down every time a new landing page is added.

Once you have fields in the dashboard, you can pass the values the user selects as parameters to the search queries the panels use. Splunk calls the values from these fields tokens.

When using fields, you’re helping the search queries to be more specific. But be careful with the defaults for fields, as they will be the first values the dashboard will use to show visualizations.

Use Drilldowns to Extend the Workflow

Remember that I said previously to make effective use of the space you have?

Well, in case users want more details from a visualization, you don’t have to add more panels to the dashboard. When displaying dashboards on a screen in the office, you don’t want to scroll down or right to see more.

So, what you can do is extend the interaction workflow by adding drill-downs to dashboards. Along with forms, drill-downs are what make your dashboards feel alive.

What’s a drill-down, you ask? It’s simply a link that is followed when users click on a data point, a table, a row, or something else in a visualization that provides a value.

That value can be used to open a new dashboard, a new search query, or even an external URL. The purpose is to give users the ability to get more insights and deep dive into the data to get more information.
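
The form, token, and drill-down mechanics described above, combined in one Simple XML dashboard. This is an added example, not from the original article; the index `web`, the `landing_page` field, and the `landing_page_detail` target dashboard are assumed names. Because token values are substituted into the search string, the panel query applies the `|s` token filter to quote the user's selection.

```xml
<!-- Added example. Index "web", field "landing_page" and the target
     dashboard "landing_page_detail" are assumed names. -->
<form version="1.1">
  <label>Landing Page Errors</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Time range</label>
      <!-- Narrow default: this is what runs on first load. -->
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="page_tok" searchWhenChanged="true">
      <label>Landing page</label>
      <!-- Dynamic choices: new landing pages appear without editing the XML. -->
      <search>
        <query>index=web sourcetype=access_combined | stats count by landing_page | fields landing_page</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>landing_page</fieldForLabel>
      <fieldForValue>landing_page</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Server errors for $page_tok$</title>
      <chart>
        <search>
          <!-- Named fields, no NOT, no wildcards; |s quotes the token value. -->
          <query>index=web sourcetype=access_combined landing_page=$page_tok|s$ status&gt;=500 | stats count by status</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <drilldown>
          <!-- Clicked slice opens a detail dashboard; |u URL-encodes values. -->
          <link target="_blank">/app/search/landing_page_detail?form.page_tok=$page_tok|u$&amp;form.status_tok=$click.value|u$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>
```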

Keep Your Dashboards Healthy

Lastly, please make sure to evaluate from time to time which dashboards you’re using and which you’re not. The fewer dashboards you have, the better off you might be, especially when you’re troubleshooting. Make sure you name your dashboards well early on, as this will help you troubleshoot and identify unnecessary dashboards later. You don’t want your users to waste time trying to find what they need to answer their questions when the dashboard should be organized so that the answers are readily apparent.

Moreover, you can keep the house clean by deleting dashboards that are no longer useful or valid. Ask your users for feedback. Maybe you’ll find out that they end up clicking a lot before they get what they need.

An effective dashboard is one that runs quickly, gives you the information you need at first sight, and helps you navigate through the data with forms, fields, and drill-downs.

And most importantly, don’t create dashboards by yourself. Your users’ feedback is crucial for effectiveness.

Christian Melendez