One of the most powerful things to do with data is to visualize it. Being able to see the data in various contexts can help executives and security professionals alike understand their cyber environment better and identify their strengths and weaknesses. Dashboards in Splunk are fairly easy to make, but you may not always know how to get started.
For this tutorial, we are using fake data generated from a Splunkbase app called Eventgen (https://splunkbase.splunk.com/app/1924). It provides 5 sourcetypes that are similar to actual sourcetypes you may have in your environment. The sample “messagetrace” data provides generated logs of email information. Analyzing the email in your organization is smart for security purposes and can provide insights on email behavior, phishing attacks, and spam rates.
This is how your data might look in a search after you have onboarded it into Splunk.
The first step toward building a dashboard is to look at your data and see what fields are available. Sometimes all the fields you need are already extracted. Other times you may need to add more field extractions or create calculated fields so that you are able to search for the information that you want. For this tutorial, we want to analyze all of the statuses for these emails and make sure that we are blocking what should be blocked and delivering what should be delivered. If not, we might need to examine our email filtering.
These are some of the fields that look like the kind of information we want to have in our dashboard.
We can get an overview of our email delivery by doing a simple stats search and counting the Statuses, like this:
Next we will take a look at the potential Visualizations that we can use. Click on the Visualization tab. It defaults to “Column Chart”. Click on the name of the visualization and more options will pop up. This is where you can select a different visualization.
A pie chart might be a great way to visualize this particular data, so select the pie chart. Now it is ready to add to a dashboard. To do this, click on the Save As button at the top and choose New Dashboard from the drop-down.
Then create a Dashboard Title (let’s use “Email Analysis”), an optional Description, your sharing permissions, and type. Classic Dashboards are simple visualizations, so that is what we are going to choose. Give the panel a title of Email Overview, then click Save To Dashboard.
Choose “New Dashboard” since we don’t already have one made. Next time we would choose “Existing Dashboard” and search for the dashboard name.
In this panel, we can get an overview of when the most emails are delivered or blocked. This search uses the timechart command, which looks great with the Line Chart visualization. Timecharts are helpful because they can show patterns that occur during certain times of the day. Select the Line Chart visualization, Save As to an Existing Dashboard, and call the panel “Email Status Timechart”.
Now we have a timechart of the email statuses.
Now that we have two panels, we should edit the dashboard. Go to the dashboard and click on the Edit button. There are two ways to edit: the UI (user interface) or the Source (the dashboard’s XML code). For this tutorial, we will just edit in the UI.
The panels are currently stacked on top of each other, but we can move them to be next to each other instead. Place your mouse pointer over the double dotted lines and drag the bottom panel upward next to the top panel. Then click Save. Ta-da! The dashboard has been edited!
The dashboard panels are now next to each other.
Other ways to edit the dashboard include adding a time range picker and input dropdowns, but we are not covering that today. You can use inputs to make dashboards more dynamic and filter information as needed.
Try some of the searches below and add more panels. If your data does not have this exact information, replace the index, sourcetype, and fields with the names of the relevant data points found in your data. Then try to find a visualization that works for it. You can also leave it as a table in your dashboard.
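The two panels built above, expressed as the dashboard’s Source (Simple XML) so you can see what the UI steps produce and paste a working starting point into your own environment. This is an added example, not part of the original post or the Eventgen app; the index name `main`, the sourcetype name `messagetrace`, the field name `status`, and the 24-hour time range are assumptions you should replace with the values from your own data.

```xml
<dashboard>
  <label>Email Analysis</label>
  <description>Overview of messagetrace email statuses (delivered vs. blocked)</description>
  <row>
    <!-- Panel 1: pie chart of email statuses, built from a simple stats count -->
    <panel>
      <title>Email Overview</title>
      <chart>
        <search>
          <!-- index, sourcetype and field names are assumed; adjust to your data -->
          <query>index=main sourcetype=messagetrace | stats count by status</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <!-- Panel 2: line chart of statuses over time, built from timechart -->
    <panel>
      <title>Email Status Timechart</title>
      <chart>
        <search>
          <!-- one-hour buckets make time-of-day delivery/blocking patterns visible -->
          <query>index=main sourcetype=messagetrace | timechart span=1h count by status</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Because both panels sit inside a single `<row>`, they render side by side, which is the same layout the drag-and-drop step in the UI produced.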