
Sameer Mhaisekar
DevRel Engineer, SquaredUp & Microsoft MVP


Splunk is a leading platform for searching, monitoring, and analyzing logs across IT tools and systems. Well-known for its ability to handle vast volumes of log and event data, Splunk empowers organizations to gain real-time visibility into their systems and operations. However, while Splunk offers rich telemetry and analytics, its dashboards can sometimes become complex - making it difficult to surface the most critical insights quickly.
That’s where SquaredUp can elevate the experience. Rather than ingesting data from your various sources into Splunk, and essentially duplicating it, SquaredUp lets you go straight to each source to fetch data and build dashboards.
In this article, we’ll explore how easy it is to connect Splunk Enterprise data to SquaredUp and build focused, actionable dashboards that help teams detect issues faster, make smarter decisions, and communicate insights more effectively.
Connecting to your Splunk instance is straightforward. All you need is the base URI for accessing Splunk, most commonly in the format https://<splunk-server>:<port>, and an API token that has read-only access to that API. Instructions for obtaining both are in the in-product documentation for quick access.

If your Splunk implementation is on-prem, the only additional component you need is a SquaredUp relay agent: a small agent that securely connects your on-prem network to SquaredUp and sends data over an encrypted connection.
The Splunk data source comes with one out-of-the-box dashboard: Events and infrastructure.
Its main purpose is to demonstrate how the data streams are used, but it also gives a high-level overview of data ingestion in Splunk.

This dashboard contains high-level charts of error events broken down by properties such as the source of the event, the index it was ingested into, and the host that raised it.
It also shows other data, such as the size of each index database and the data ingestion volume throughput.
However, the data of real value is the ingested data itself, which can be queried using SPL, Splunk's query language. In the next section we will do exactly that and create some useful dashboards of our own.
It is incredibly easy to get started. Hit the + button on a new dashboard to create a tile. You'll be greeted with this screen:

This screen lists out the other data sources you've got installed in your workspace, as well as a list of data streams you've recently used. Let’s select the Splunk data source that we just deployed.
We have three data streams to choose from. Two of them, SPL query (global) and SPL query (local), let you run an SPL query either at the organization level or scoped to an object that you select in the parameters.

The Reports data stream lets you choose a report you have saved in Splunk; the report runs its saved query every time it is executed. In this example, we will use that data stream.
Clicking on the Reports data stream opens a screen where you can choose from the list of reports.

I will select one of the reports and you will notice the data already starting to flow in.

On the next screens, Shaping and Columns, you can perform some basic data filtering, sorting, formatting, and so on. If you’re looking for more advanced data manipulation, turn on SQL Analytics, which lets you work on the data using SQL queries. I will add all the threats detected at various times in the last 24 hours and output the total.
SquaredUp monitoring lets you easily convert any dashboard tile into an alert, so you'll know right away when something changes. Let's set it up now.
I'll set up monitoring for when the latest value of this metric crosses a threshold.
Switch over to the Monitoring tab on the right and turn it on. Here you can set up your alert rules using the available configuration options.

With the criteria I’ve set, the tile will turn red when the total number of threats crosses a threshold of 1000.
Beyond viewing alerts in SquaredUp, I can also set up notifications to instantly alert me whenever something needs my attention. They can be sent as an email, as an IM message, or forwarded over to any automation workflows.
If the monitor triggers, we can receive a notification by email, Slack, Teams or via any system that supports webhooks. Read our docs to learn more about monitoring.

Sharing is very simple in SquaredUp. We just hit the Share button and have the option of inviting a user to the workspace, or sharing just the dashboard via a link:

From this point on, you can try out different data streams and queries to create the dashboard of your dreams. In addition, we also have other plugins, including Azure, SCOM, Azure DevOps, VMware and many others.
SquaredUp’s smarter dashboards help engineering, product, and IT teams make better decisions through a deeper understanding of their data. Visualize and monitor any data from any tool, all in one place. Sign up for free now!