Dashboards Beta App: What’s New in v0.4

If you haven’t yet heard...Splunk dashboards are new and improved! We released a new dashboard framework as a beta app at .conf19, and have been working hard to improve it since then. This is the first in a series of (hopefully) many blogs describing new functionality in this release of the beta app. If you have any questions, enhancement requests, or bugs to report, please email dashboards-beta@splunk.com and our team will be sure to respond!

This blog post will cover the highest-impact features in the release. For notes on every feature, see the release notes on Splunkbase. 

Base & Chained Searches

They’ve finally arrived! If you’re not familiar with this from Simple XML, base searches allow for significant performance benefits on dashboards that have multiple visualizations that use the same data or similar queries. They allow for the first part of a search to be defined as a “base,” and allow for multiple visualizations to pipe the results from that single base search into their “chained” search. This allows for reuse of common query components. In the new dashboard beta, this is currently only available via source mode. You can create a base and chained search by converting your existing Simple XML dashboard, or creating a new one from scratch.

Good news: a base search is no more than your normal ds.search dataSource. In fact, a ds.search dataSource does not even know that it’s being used as a base search for another query! In this example, I’ve named my ds.search as “Base Search” for clarity:

Now, a search only becomes a base search after it’s referenced by another search. To do this, I use a brand new dataSource called ds.chain that references “Base Search” by using the extend option to specify the unique ID of the ds.search I want to chain from, and the query option to specify the query that the base search will be piped to. In this scenario, the unique ID of the ds.search is “ds_mr5cHiFU”. I’ve named this ds.chain as “Chain 1” for clarity:

In similar fashion, I can chain another ds.chain that refers to the “Chain 1” search as a base, essentially chaining many searches together. See docs for more info. Happy chaining!

Searches & Thresholding for Many Visualizations

Ask, and ye shall receive...you can now threshold rectangles and ellipses by powering them with searches! Just like any single value, attach a datasource to one of these shapes (no results will be showed, since it’s...a shape), then add thresholding to change the color conditionally based on those results:

Not only that, but many other visualizations have a full editor UI for thresholding as well, including marker and filler gauges. Go ahead, start exploring. 

View-Only Permissions

How many of you have been asking for a view-only mode for dashboards? This version’s release includes our first proof of concept of a view-only mode, which allows permissions to be set per-dashboard, per-role to include reading and/or writing. This leverages Enterprise’s core view permissioning structure to selectively hide certain dashboard functions - - for example, drilldowns, “Open in search”, and more. You can set view-only mode for a dashboard by going to Settings → User Interface → Views and clicking Permissions before selecting which roles have Read or Write privileges. 

There’s a lot more fun things coming down the line regarding enhancements to everything you’re seeing here, and much more. If you haven’t already, download the new Splunk Dashboards App (Beta) from Splunkbase to get started. If there’s anything in particular you are looking for, please feel free to email dashboards-beta@splunk.com — and make sure to check out a sample dashboard with key highlights from this release here!