
Advanced XML dashboard dispatches search *

pradeepkumarg
Influencer

We have been observing several searches running with the search string as "search *" and narrowed it down to be coming from an advanced XML dashboard.

I've tried removing part by part of the dashboard and still see this remainder of the dashboard dispatching a "search *" for the selected time range. Looks like something is misconfigured here and I cannot find what. Appreciate any insight anyone has on this.

<view autoCancelInterval="90" isPersistable="true" isSticky="true" isVisible="true" objectMode="viewconf" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="URLLoader" layoutPanel="viewHeader" autoRun="False">
    <module name="TimeRangePicker" autoRun="False">
      <param name="selected">last 4 hours</param>
      <module name="Button">
        <param name="allowAutoSubmit">False</param>
        <param name="allowSoftSubmit">False</param>
        <param name="label">Submit</param>
        <module name="SearchControls" layoutPanel="mainSearchControls">
          <param name="sections">jobControls export info</param>
        </module>
      </module>
    </module>
  </module>
</view>

sideview
SplunkTrust

In the navigation bar, go to "Key Techniques > Overview of the Advanced XML". And if you don't have such a page it most likely means you're using the extremely old LGPL version of the app and you should upgrade right away. (The current version of the app is completely free for internal use and if you have any questions just let me know)

That page is quite long, but once you read it you'll understand why this page is dispatching a search * search. In short, the SearchControls module requires there to be search results. After all, note that it has jobControls and an export button. The Sideview UI framework is simply noticing this, and determining that since you haven't specified anywhere what search should run, that you want it to run search *.

Note: Arguably in this kind of case it should display a big red error message instead of quietly kicking off a search * search, and since there is a giant reboot of Sideview Utils coming this year, this improvement may well happen.
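
A static check for the condition described in the answer above, as an added example that is not part of the original thread or of Sideview Utils: it walks a view's module tree and reports any SearchControls with no search-defining module upstream. The DEFINES_SEARCH list and the placeholder search string are assumptions; the sample views are constructed from the XML in the question.

```python
import xml.etree.ElementTree as ET

# Named on the page as needing search results.
NEEDS_RESULTS = {"SearchControls"}
# Assumption: modules that define the search for their descendants
# (Splunk core and Sideview Utils names; extend for your own apps).
DEFINES_SEARCH = {"Search", "SavedSearch", "HiddenSearch",
                  "HiddenSavedSearch", "SearchBar"}


def find_implicit_searches(view_xml):
    """Return paths of modules that need results but have no search upstream."""
    root = ET.fromstring(view_xml)
    findings = []

    def walk(node, path, has_search):
        for child in node.findall("module"):
            name = child.get("name", "?")
            child_path = path + [name]
            child_has_search = has_search or name in DEFINES_SEARCH
            if name in NEEDS_RESULTS and not child_has_search:
                findings.append(" > ".join(child_path))
            walk(child, child_path, child_has_search)

    walk(root, [], False)
    return findings


# Constructed sample: the view from the question, trimmed to the relevant chain.
SEARCH_CONTROLS = '<module name="SearchControls" layoutPanel="mainSearchControls"/>'
QUESTION_VIEW = f"""<view template="dashboard.html">
  <module name="URLLoader" layoutPanel="viewHeader" autoRun="False">
    <module name="TimeRangePicker" autoRun="False">
      <module name="Button">{SEARCH_CONTROLS}</module>
    </module>
  </module>
</view>"""

# Constructed sample: same chain with an explicit Sideview Search module upstream.
# The search string is a placeholder, not taken from the page.
FIXED_VIEW = QUESTION_VIEW.replace(
    SEARCH_CONTROLS,
    '<module name="Search"><param name="search">index=_internal | head 100</param>'
    + SEARCH_CONTROLS + "</module>")

if __name__ == "__main__":
    for label, doc in (("question", QUESTION_VIEW), ("fixed", FIXED_VIEW)):
        print(label, find_implicit_searches(doc))
```

Run over every view file in an app, a non-empty result marks a dashboard that will dispatch an unscoped search for whatever time range is selected.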

pradeepkumarg
Influencer

Thanks Nick..
