Hello,
We have been creating a lot of searches lately, and would like a way to organize them into submenus. I tried following the documentation
http://www.splunk.com/base/Documentation/4.0.11/Developer/TieViews
But I've not had any luck (I get an error message when I go to https://<server>:<port>/en-US/servicesNS/admin/Search/data/ui/nav?refresh=1
.).
The error I get is "The path was not found", with the path in the error.
I'm sure this is really easy to do, but I just don't how. Thanks in advance.
In regards to your comment, there is a current limitation in Splunk that will let you nest menus only two levels deep. See: http://answers.splunk.com/questions/5311/multi-level-nav-menu-wont-open/5641#5641
There are three additional ways to reload a view as well as any navigation changes you have made in .../data/nav/ui/default.xml:
1 - Restart splunkwebservice by itself which will keep sessions authenticated, this should be transparent to your users
./splunk restartss
2 - You can make the changes via the manager (Manager > User Interface > Navigation Menus > nav name) by editing the XML there. This will instantly apply any changes you have made.
3 - Click on the splunk logo. See: http://answers.splunk.com/questions/3627/how-can-i-reload-a-view-im-editing-without-restarting-splun...
In regards to your subject line, how to organize saved searches, check out http://www.splunk.com/base/Documentation/4.0.11/Knowledge/Definenavigationforsavedsearchesandreports
You can easily nest your searches manually or based on keywords in the search names. Here is an excerpt from a .../data/nav/ui/default.xml that I have in a simple app:
<nav>
<view name="flashtimeline" default='true' />
<collection label="Dashboards">
<view name="audio_access"/>
<view source="unclassified" match="dashboard"/>
<divider />
</collection>
<collection label="Views">
<view source="unclassified" />
<divider />
</collection>
<collection label="Searches & Reports">
<collection label="Alert Searches" >
<saved source="unclassified" match="alert:" />
</collection>
<collection label="Audio Access" >
<saved source="unclassified" match="audio" />
</collection>
<collection label="Network">
<saved source="unclassified" match="network" />
</collection>
<collection label="Reports">
<saved source="unclassified" match="report" />
</collection>
<collection label="Security">
<saved source="unclassified" match="security" />
</collection>
<collection label="Systems">
<saved source="unclassified" match="systems" />
</collection>
<collection label="Unclassified">
<saved source="unclassified" />
</collection>
<divider />
</collection>
The match="" expression will assign searches to subfolders based on matches in the search's name.
In regards to your comment, there is a current limitation in Splunk that will let you nest menus only two levels deep. See:
http://answers.splunk.com/questions/5311/multi-level-nav-menu-wont-open/5641#5641
Thanks for the help! I don't seem able to add a multi-nested search though. In other words, I'd like to use, say, Searches > Security > VPN > results. Here's the config I've tried with no luck:
That just nets me the menus with no searches 😞
@Lowell I believe jrodman remarked in IRC that it might stand for special sauce or similar (my recollection is not clear on the exact phrase). Basically he wasn't sure what it meant 🙂
Out of curiosity, do you know what the "ss" in "restartss" means?
Personally I prefer to use a dev system then run 'splunk restart splunkweb'
Make sure you are going to your splunkd
(internal) port and not your splunkweb
http port.
By default, splunkd
is on port 8089. I'm also not sure about your /en-US/
at the front of the path, I think that's only for splunkweb, but I could be wrong.
I use the following path to do this on my system:
https://server.domain.com:8089/servicesNS/admin/MyApplicationName/data/ui/nav?refresh=1
Note that he application name is case-sensitive.
As Nick points out below, you can do a massive reload with the following URL: (It can take a minute to come back, so be patient)
It looks like saved searches now how a "_reload" endpoint too. So the debug refresh think works now as of 4.1.4 with saved searches! That's great!
@nick, I don't think savedsearches are reloaded by this. (I really wish they were, that would be a very nice feature!)
Thanks for the additional info nick!
btw, there's a newer and better refresh URL than that one, that refreshes all views plus the nav plus macros/savedsearches etc across all apps..