Dashboards

You can also execute Scanner queries to populate dashboards in Splunk. It is almost always best to use the scannertable command with dashboard queries since widgets tend to consume data in tabular format.

For example, this query computes aggregated counts of all S3 CloudTrail log events that are not GetObject. We can use it to generate a bar chart in the dashboard.

| scannertable q="%ingest.source_type: 'aws:cloudtrail' 
  and eventSource: 's3.amazonaws.com' and not eventName: 'GetObject'
  | stats by eventName"

Creating a dashboard using a Scanner custom search command

1. Navigate to Search & Reporting > Dashboards.

2. Edit a dashboard, or create a new one.

3. Click the Add chart button. Select a chart type, eg. Bar.

4. Under Select Data > Search, click Create Search

5. Under SPL Query, add a query that begins with the scannertable custom command, preceded by a vertical bar | character.

Here is an example query you might want to add to a dashboard

Compute aggregated counts of all AWS CloudTrail API events related to S3.

| scannertable q="%ingest.source_type: 'aws:cloudtrail' 
  and eventSource: 's3.amazonaws.com'
  | stats by eventName"