Splunk blog · Visualization
How to Build Splunk Dashboards: Visualization, Panels, Tokens & Best Practices
Splunk dashboards transform raw search results into visual stories that drive decision-making. Whether you are monitoring security alerts, application performance, or business KPIs, a well-designed dashboard is the difference between data and insight. This guide covers everything from Simple XML to Dashboard Studio, along with best practices for dashboards that scale.
Dashboard Types in Splunk
1. Simple XML Dashboards (Classic)
The original dashboard framework built on XML markup. It is fast to create, well-documented, and supports tokens, drilldowns, and forms. Simple XML is ideal for standard operational dashboards.
2. Dashboard Studio (Modern)
Splunk's next-generation dashboard builder with a drag-and-drop canvas, pixel-perfect layouts, and advanced visualizations. Dashboard Studio is recommended for executive dashboards, NOC/SOC screens, and any view requiring polished presentation.
Core Dashboard Concepts
Panels
Panels are the building blocks of dashboards. Each panel contains a search (inline or from a report), a visualization (chart, table, map, single value, etc.), and optional drilldowns and tokens.
Tokens
Tokens are dynamic variables that make dashboards interactive. Common uses include time range pickers ($time$), dropdown filters ($host$, $index$), and text inputs for user searches. Example: a dropdown for host changes the search in every panel:
<search>
<query>index=web host=$host$ | timechart count</query>
</search>Drilldowns
Drilldowns allow users to click a chart value and navigate to a detailed view. For example, clicking a bar in a "Top Failed Logins" chart opens a table of raw events for that user.
Building Your First Dashboard in Dashboard Studio
- Create a new dashboard: Go to Dashboards → Create New Dashboard → Dashboard Studio.
- Add a data source: Connect to an existing saved search or write an inline SPL query.
- Choose a visualization: Select from line charts, bar charts, area charts, single values, gauges, tables, maps, and custom visualizations.
- Configure the layout: Drag panels onto a responsive canvas. Set sizes, colors, and backgrounds.
- Add interactivity: Insert inputs (time range, dropdowns, text fields) and bind them to searches using tokens.
- Publish and schedule: Set refresh intervals (e.g., every 5 minutes) and share with teams.
Popular Splunk Visualizations
| Visualization | Best For | Example Use Case |
|---|---|---|
| Line/Area Chart | Time-series trends | CPU usage over 24 hours |
| Bar Chart | Comparisons | Top 10 failed login IPs |
| Pie Chart | Proportions | Alert severity distribution |
| Single Value | KPIs | Total events in the last hour |
| Gauge | Thresholds | Disk utilization percentage |
| Table | Detailed records | List of firewall blocks |
| Choropleth Map | Geographic data | Attack origins by country |
| Treemap | Hierarchical data | Event volume by department |
Dashboard Best Practices
1. Limit Searches per Dashboard
Each panel runs its own search. Too many panels = slow load times. Use base searches to share a single query across multiple panels.
2. Use Scheduled Reports for Heavy Queries
For dashboards viewed infrequently, schedule the underlying report to run every 15–30 minutes. The dashboard loads instantly from cached results.
3. Set Appropriate Time Ranges
Defaulting to "All Time" is a performance killer. Use relative time ranges like Last 24 Hours or Last 4 Hours for operational dashboards.
4. Design for the Audience
- SOC Analysts: Dense tables, color-coded severity, fast refresh.
- Executives: High-level KPIs, clean charts, minimal text.
- DevOps: Time-series charts, red/yellow/green thresholds, drilldowns to logs.
5. Use Color Strategically
Red = Critical. Yellow = Warning. Green = Normal. Consistent color coding helps viewers interpret dashboards instantly.
6. Enable Dark Mode for NOC/SOC
Dashboard Studio supports dark themes. Use them for 24/7 operations centers to reduce eye strain and improve screen readability.
Advanced Dashboard Techniques
Custom Drilldowns
<drilldown>
<link target="_blank">/app/search/search?q=index=web user=$click.value$</link>
</drilldown>Event Annotations
Overlay markers on timecharts to indicate deployments, incidents, or maintenance windows. This adds context to trends.
Custom Visualizations
Develop custom visualizations using the Splunk Visualization API (D3.js, Highcharts) for unique business needs.
FAQ
Frequently asked questions
What is the difference between Simple XML and Dashboard Studio?
Simple XML is the classic, XML-based dashboard framework. Dashboard Studio is a modern, drag-and-drop canvas with more design flexibility and better visual polish. Dashboard Studio is recommended for new dashboards.
How do I make a Splunk dashboard refresh automatically?
In Dashboard Studio, set the refresh interval in the data source settings (e.g., every 300 seconds). In Simple XML, add <refresh>300</refresh> to the <search> tag.
Can I share Splunk dashboards with non-Splunk users?
Yes. You can embed dashboards via iframe, export them as PDFs, or use Dashboard Studio's external sharing features (requires appropriate permissions).
What is a base search in Splunk dashboards?
A base search is a shared query that multiple panels reference. Instead of running the same search five times, run it once and pipe results to different visualizations. This dramatically improves dashboard performance.
How do I add a map to a Splunk dashboard?
Use the Choropleth Map visualization with geographic data (e.g., IP addresses geolocated via the iplocation command). Ensure your data includes latitude/longitude or country codes.
Conclusion
A great Splunk dashboard does more than display data; it tells a story, highlights anomalies, and guides action. By choosing the right framework (Dashboard Studio for polish, Simple XML for speed), using tokens and drilldowns for interactivity, and following performance best practices, you can build dashboards that become the command center of your operations.