Splunk Simple XML Dashboard: A Step-by-Step Guide

Building Your Splunk Simple XML Dashboard: A Comprehensive Guide

A Splunk Simple XML dashboard turns search results into visual panels driven by user inputs. This guide walks through creating one in Splunk Web and then explains the XML behind it, element by element.


How to add a Dashboard

To start, sign in to Splunk Web. This portal is the access point for all Splunk functionality, including creating a Simple XML dashboard. Once logged in:
1. Click the “Home” button in the top left corner (the “splunk>enterprise” logo). This takes you to the “Apps” section.
2. Click “Search & Reporting” or whichever app you want to add the dashboard to.
3. In the app’s top navigation bar, click [Dashboards].
4. In the top right corner, click [Create New Dashboard].
5. Give the dashboard a name and a description, and select the permissions it needs.
6. Select [Classic Dashboards].
7. Click [Create].
8. In the “Edit Dashboard” view at the top left, click the [Source] button to edit the XML directly.

Understanding Splunk Simple XML

Let’s look at this Splunk Simple XML dashboard example:

<form version="1.1">
  <label>ML Model Operations</label>
  <!-- Fieldset section is responsible for getting all the data from inputs and submitting it to search -->
  <!-- submitButton="true" means that the user must click submit button to start the search -->
  <!-- "false" means that there will be no submit button, and when the user fills in the last input, the search will start -->
  <fieldset submitButton="true">
    <input type="text" token="index_name">
      <label>Index</label>
    </input>
    <input type="text" token="source_type">
      <label>Source Type</label>
    </input>
    <input type="text" token="field_names">
      <label>Field Names (separated by space)</label>
    </input>
    <!-- This html section is the easiest way to show inputs on a new row visually -->
    <html>
      <br></br>
    </html>
    <input type="radio" token="model_operation">
      <label>Model Operation</label>
      <choice value="train">Train Model</choice>
      <choice value="apply">Apply Model</choice>
      <choice value="reset">Reset Model</choice>
      <!-- The change handler creates one token per radio selection for the panels' "depends" attributes; depends tests a single token, so each choice needs its own -->
      <change>
        <condition value="train">
          <set token="train_radio">true</set>
          <unset token="apply_radio"></unset>
          <unset token="reset_radio"></unset>
        </condition>
        <condition value="apply">
          <set token="apply_radio">true</set>
          <unset token="train_radio"></unset>
          <unset token="reset_radio"></unset>
        </condition>
        <condition value="reset">
          <set token="reset_radio">true</set>
          <unset token="train_radio"></unset>
          <unset token="apply_radio"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <html>
      <div class="alert alert-warning">
        <strong>Warning!</strong> Please select 'Train Model' before 'Apply Model' or 'Reset Model.'
      </div>
    </html>
  </row>
  <row>
    <panel>
      <!-- This table is shown only when the user selects the "Train" radio -->
      <!-- Text tokens are substituted into the SPL verbatim. The |s filter wraps the value in double quotes and escapes embedded quotes, so a user cannot close the literal and append their own SPL. field_names is a space-separated list, so it cannot be quoted with |s; restrict it to users who may run arbitrary searches, or replace the text input with a multiselect. Replace target_variable with the field to predict and keep it in the fields list, otherwise fit has nothing to train on. -->
      <title>Train Model Results</title>
      <table depends="$train_radio$">
        <search>
          <query>index=$index_name|s$ sourcetype=$source_type|s$ earliest=-24h latest=now | fields $field_names$ target_variable | fit SVM target_variable from $field_names$ into my_svm_model</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Apply Model Results</title>
      <!-- Same quoting as the train panel; apply adds a predicted(target_variable) field to each event -->
      <table depends="$apply_radio$">
        <search>
          <query>index=$index_name|s$ sourcetype=$source_type|s$ earliest=-24h latest=now | fields $field_names$ | apply my_svm_model</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Reset Model</title>
      <!-- deletemodel runs as soon as the user submits the form with "Reset" selected; there is no confirmation step -->
      <event depends="$reset_radio$">
        <search>
          <query>| deletemodel my_svm_model</query>
        </search>
      </event>
    </panel>
  </row>
</form>

Here is a high-level overview of the Splunk Simple XML dashboard’s elements:
The <form> element is the root element of the dashboard definition.
The <label> element sets the dashboard title to “ML Model Operations.”
The <fieldset> element groups the form’s inputs. submitButton=”true” shows a Submit button, and the searches that use these tokens run only when the user clicks it. With submitButton=”false” there is no button, and each search reruns as soon as one of its tokens changes, regardless of the input type.

The <input type=”text”> elements define text fields bound to the tokens index_name, source_type, and field_names. Whatever the user types is stored in the token and substituted, verbatim, into every search string that references it.
The <input type=”radio”> element defines a radio button group for selecting the operation performed on the ML model. There are three operations: “Train Model,” “Apply Model,” and “Reset Model.” When a button is selected, the <change> handler sets the token for that choice (train_radio, apply_radio, or reset_radio) to “true” and unsets the other two.
The <change>, <condition>, <set token>, and <unset> tags are needed because each panel’s “depends” attribute tests a single token; one token per choice lets each selection show its own panel and run its own search.

The <html><br></br></html> block inside the fieldset is the simplest way to push the following inputs onto a new row, since the editor does not let you place inputs vertically.
The <row> and <panel> elements define the layout. Each panel has a title and a table or event visualization that shows the results of one search. The depends=”$…$” attribute hides the visualization until the named token is set; it checks whether the token exists, not whether its value is “true,” which is why the radio handler unsets the other tokens instead of setting them to “false.”

The <search> and <query> elements define the SPL that runs for each operation. The queries substitute the index name, source type, and field name tokens and use the Splunk Machine Learning Toolkit’s fit and apply commands to train and apply the SVM model, and its deletemodel command to reset it.

Remember that the searches in this dashboard run with the permissions of the user viewing it, so that user needs read access to the indexes involved and the Machine Learning Toolkit permissions to create, apply, and delete models. Because the text inputs are substituted straight into the search string, they also let that user run arbitrary SPL from the dashboard; quote single-value tokens with the |s token filter (for example index=$index_name|s$) so the value cannot close the literal and append its own commands.
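As an added example (not part of the original page, and not Splunk’s own tooling), the following Python script lints a Simple XML dashboard for the injection point described above: free-text tokens spliced into a <query> without the |s filter. It also renders a hostile input through a bare token and through a |s token so the difference is visible. The sample dashboard inside the script is a constructed, condensed copy of the one above, and the |s escaping is reproduced as an approximation of Splunk’s filter (quote the value, backslash-escape quotes and backslashes), labelled as such in the code.

```python
"""Lint a Splunk Simple XML dashboard for text-input tokens spliced into SPL
without the |s quoting filter, and show the difference a hostile value makes.
Added example; not code from the original page or from Splunk."""
import re
import xml.etree.ElementTree as ET

# $name$ or $name|f$ where f is a one-letter token filter (s, h, u, n)
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)(?:\|([a-z]))?\$")

# Constructed sample: a condensed copy of the page's dashboard. The sourcetype
# token already uses |s so the lint has one good case and two bad ones.
SAMPLE_DASHBOARD = """<form version="1.1">
  <label>ML Model Operations</label>
  <fieldset submitButton="true">
    <input type="text" token="index_name"><label>Index</label></input>
    <input type="text" token="source_type"><label>Source Type</label></input>
    <input type="text" token="field_names"><label>Field Names</label></input>
    <input type="radio" token="model_operation">
      <label>Model Operation</label>
      <choice value="train">Train Model</choice>
    </input>
  </fieldset>
  <row><panel>
    <table depends="$train_radio$">
      <search><query>index="$index_name$" sourcetype=$source_type|s$ | fields $field_names$ | stats count</query></search>
    </table>
  </panel></row>
</form>"""


def text_input_tokens(root):
    """Tokens bound to free-text inputs: the only ones a user can fill with arbitrary SPL."""
    return {
        inp.get("token")
        for inp in root.iter("input")
        if inp.get("type") == "text" and inp.get("token")
    }


def find_unquoted_tokens(xml_text):
    """Return (token, filter) pairs for every free-text token used in a <query>
    without |s, in order of appearance. Tokens from radio/dropdown inputs are
    ignored because their values come from fixed <choice> lists."""
    root = ET.fromstring(xml_text)
    free_text = text_input_tokens(root)
    findings = []
    for query in root.iter("query"):
        for m in TOKEN_RE.finditer(query.text or ""):
            name, flt = m.group(1), m.group(2)
            if name in free_text and flt != "s":
                findings.append((name, flt))
    return findings


def render_query(spl, values):
    """Substitute token values the way the dashboard does: verbatim for bare tokens,
    quoted for |s. The |s escaping here (double quotes around the value, backslash
    before embedded quotes and backslashes) is an approximation of Splunk's filter,
    not its implementation."""
    def sub(m):
        name, flt = m.group(1), m.group(2)
        val = values.get(name, "")
        if flt == "s":
            return '"' + val.replace("\\", "\\\\").replace('"', '\\"') + '"'
        return val
    return TOKEN_RE.sub(sub, spl)


if __name__ == "__main__":
    for name, flt in find_unquoted_tokens(SAMPLE_DASHBOARD):
        print(f"token ${name}$ used in a query without |s (filter: {flt})")
    hostile = 'main" OR index="*'  # constructed hostile input
    print(render_query('index="$index_name$" | stats count', {"index_name": hostile}))
    print(render_query('index=$index_name|s$ | stats count', {"index_name": hostile}))
```

The lint flags field_names as well as index_name. That is intentional: a space-separated list cannot be quoted with |s, so the finding is a prompt to restrict who can use that input or to replace it with a multiselect, not something the filter alone can fix.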

Lastly, the dashboard shows a note of caution reminding users to ‘Train Model’ before ‘Apply Model’ or ‘Reset Model,’ since the latter two operations need a trained model to exist, and Reset deletes it as soon as its search runs.

If you need more help with creating Splunk Simple XML dashboards, you can try Official Splunk Lexicon of Simple XML and Official Splunk Overview of Simple XML.
