Skip to main content

Adding Panels

Each visualization on a dashboard is called a panel. Panels can be arranged and resized to your liking to best represent your data.

There are 3 ways to add panels to a dashboard:

  • via the dashboard editor
  • via an ad-hoc search
  • via a saved search

Via Dashboard Editor

Let's start by adding a panel that lists the datasets available to us using the dashboard editor.

important
  1. Click the dashboard options options icon icon at the top right of the page.
  2. Click Edit.
  3. Add a panel in 1 of 2 ways:
    1. Click the Add Visualization Panel link in the center of the dashboard. This is only available on a new/empty dashboard.
    2. Click the Add toggle at the top right of the page, then click Visualization.
  4. In the Edit modal, click the Saved tab.

You'll notice here that you have the ability to add any search that you have saved to the dashboard as a panel this way. Since, we don't have a saved search yet (at least not one that we want to use here) we'll continue by adding an ad-hoc search.

important
  1. Click the New Search tab.
  2. In the Name field enter Datasets.
  3. In the query box enter: 
    dataset="$vt_datasets" id in ("cribl*", "default*")
    | project dataset=id, description
  4. Click Search.
  5. Change Type to Table.
  6. Enable the Show row numbers toggle.
  7. Click Save.
  8. Click X on Edit modal.

Now we have a list of our system's datasets. Let's continue adding more panels.

This time we are going to add a panel using the ad-hoc search method.

important
  1. Click the Search Home Search Home Icon icon in the left sidebar.
  2. In the query box enter: 
    dataset="$vt_datasets" id in ("cribl*", "default*")
    | summarize datasets=dcount(id) by provider.type
  3. Click SEARCH.
  4. Change the Type to Donut.
  5. Above the Chart settings click the Actions dropdown.
  6. Click Add to Dashboard.
  7. For the Panel title enter Datasets per Provider.
  8. Ensure Use Existing is selected and select the SBX Sample Dashboard from the dropdown list.
  9. Click Add & Go to Dashboard.

Behold! You just added a visualization to your dashboard on-the-fly. Why stop now? In the words of DJ Khaled it's time to do another one.

important
  1. Click the Search Home Search Home Icon icon in the left sidebar.
  2. In the query box enter: 
    .show objects(cribl_*, default_*)
        | eventstats type_total=sum(size) by datasetType
        | summarize size=sum(size), total=max(type_total) by dataset, datasetType
        | extend pct=round(size/total, 2)*100
        | pivot pct over dataset by datasetType
  3. Click SEARCH.
  4. Above the Chart settings click the Actions dropdown.
  5. Click Save Search.
  6. In the Name field enter Datasets by Type and Size.
  7. Click Save.

Now that we have a saved search we'll add it to our dashboard.

important
  1. Click the Saved tab above the query box.
  2. Click the saved search options options icon icon to the right of your saved search.
  3. Click Add to Dashboard.
    tip

    You can also save historic ad-hoc searches to dashboards in this same way. To do this:

    1. Click the History tab instead of the Saved tab.
    2. Click the search options options icon icon to the right of your historic search and follow the next steps as you would for a saved search.
  4. For Panel title enter Datasets by Type & Size.
  5. Ensure Use Existing is selected and select the SBX Sample Dashboard from the dropdown list.
  6. Click Add & Go to Dashboard.
tip

We just as easily could have added this saved search as a panel using the Saved tab of the dashboard's Add Visualization option as we did in the Via Dashboard Editor.

Now our saved search has been added to the end of our dashboard. By default, saved searches are added to the dashboard as an Events visualization type which, quite frankly, isn't the best for our purposes. No worries though, next we'll show how we can update the visualization of these panels directly within the dashboard and without altering our search query.