How do you organize searches in Splunk?

Path Finder

Hello,

We have been creating a lot of searches lately, and would like a way to organize them into submenus. I tried following the documentation

http://www.splunk.com/base/Documentation/4.0.11/Developer/TieViews

But I've not had any luck (I get an error message when I go to https://<server>:<port>/en-US/servicesNS/admin/Search/data/ui/nav?refresh=1.).

The error I get is "The path was not found", with the path in the error.

I'm sure this is really easy to do, but I just don't know how. Thanks in advance.


Re: How do you organize searches in Splunk?

Super Champion

Make sure you are going to your splunkd (internal) port and not your splunkweb http port.

By default, splunkd is on port 8089. I'm also not sure about your /en-US/ at the front of the path, I think that's only for splunkweb, but I could be wrong.

I use the following path to do this on my system:

https://server.domain.com:8089/servicesNS/admin/MyApplicationName/data/ui/nav?refresh=1

Note that the application name is case-sensitive.

As Nick points out below, you can do a massive reload with the following URL: (It can take a minute to come back, so be patient)

http://server.domain.com:8000/debug/refresh

Re: How do you organize searches in Splunk?

SplunkTrust

btw, there's a newer and better refresh URL than that one, which refreshes all views plus the nav plus macros/savedsearches etc. across all apps: /debug/refresh

Re: How do you organize searches in Splunk?

Super Champion

Thanks for the additional info nick!

Re: How do you organize searches in Splunk?

Super Champion

@nick, I don't think savedsearches are reloaded by this. (I really wish they were, that would be a very nice feature!)

Re: How do you organize searches in Splunk?

Super Champion

It looks like saved searches now have a "_reload" endpoint too. So the debug refresh thing works now as of 4.1.4 with saved searches! That's great!

Re: How do you organize searches in Splunk?

Splunk Employee

Personally I prefer to use a dev system then run 'splunk restart splunkweb'

Re: How do you organize searches in Splunk?

Motivator

There are three additional ways to reload a view as well as any navigation changes you have made in .../data/nav/ui/default.xml:

1 - Restart the splunkweb service by itself, which will keep sessions authenticated; this should be transparent to your users

./splunk restartss

2 - You can make the changes via the manager (Manager > User Interface > Navigation Menus > nav name) by editing the XML there. This will instantly apply any changes you have made.

3 - Click on the splunk logo. See: http://answers.splunk.com/questions/3627/how-can-i-reload-a-view-im-editing-without-restarting-splun...

In regards to your subject line, how to organize saved searches, check out http://www.splunk.com/base/Documentation/4.0.11/Knowledge/Definenavigationforsavedsearchesandreports

You can easily nest your searches manually or based on keywords in the search names. Here is an excerpt from a .../data/nav/ui/default.xml that I have in a simple app:

<nav>
    <view name="flashtimeline" default='true' />
    <collection label="Dashboards">
        <view name="audio_access"/>
        <view source="unclassified" match="dashboard"/>
        <divider />
    </collection>
    <collection label="Views">
        <view source="unclassified" />
        <divider />
    </collection>
    <collection label="Searches &amp; Reports">
        <collection label="Alert Searches" >
            <saved source="unclassified" match="alert:" />
        </collection>
        <collection label="Audio Access" >
            <saved source="unclassified" match="audio" />
        </collection>
        <collection label="Network">
            <saved source="unclassified" match="network" />
        </collection>
        <collection label="Reports">
            <saved source="unclassified" match="report" />
        </collection>
        <collection label="Security">
            <saved source="unclassified" match="security" />
        </collection>
        <collection label="Systems">
            <saved source="unclassified" match="systems" />
        </collection>
        <collection label="Unclassified">
            <saved source="unclassified" />
        </collection>
        <divider />
    </collection>
</nav>

The match="" expression will assign searches to subfolders based on matches in the search's name.
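To see how the match="" rule in a nav file like the one above sorts saved searches into collections, and to catch the structural mistakes a hand-edited default.xml tends to have before reloading it, here is an added Python example. It is not code from the post or from Splunk. It parses a small constructed nav XML with the standard library, lists structural problems (not well-formed, a collection without a label, a view or saved element with neither name nor source), and then assigns a constructed list of saved-search names to collections. The placement rule it implements is an assumption, stated again in the comments: case-insensitive substring match on the search name, elements walked in document order, each search placed once by the first element that matches it, and a match-less "unclassified" element taking whatever is left. NAV_XML, SAVED_SEARCHES, nav_problems and place_saved_searches are names introduced here.

```python
import xml.etree.ElementTree as ET

# Constructed sample nav XML, modelled on the excerpt in the answer above
# (not a real app's default.xml).
NAV_XML = """<nav>
  <view name="flashtimeline" default="true" />
  <collection label="Searches &amp; Reports">
    <collection label="Alert Searches">
      <saved source="unclassified" match="alert:" />
    </collection>
    <collection label="Security">
      <saved source="unclassified" match="security" />
    </collection>
    <collection label="Unclassified">
      <saved source="unclassified" />
    </collection>
  </collection>
</nav>"""

# Constructed saved-search names standing in for what the savedsearches
# endpoint of a real instance would return.
SAVED_SEARCHES = [
    "alert: failed logins spike",
    "security - new admin accounts",
    "Alert: security group changes",
    "weekly license usage",
]


def nav_problems(nav_xml):
    """Return a list of structural problems in a nav file: not well-formed
    XML (e.g. a missing </nav>), wrong root element, <collection> without a
    label, or a <view>/<saved> with neither name nor source.  An empty list
    means nothing obviously wrong was found."""
    try:
        root = ET.fromstring(nav_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "nav":
        problems.append(f"root element is <{root.tag}>, expected <nav>")
    for el in root.iter():
        if el.tag == "collection" and not el.get("label"):
            problems.append("<collection> without label")
        if el.tag in ("view", "saved") and not (el.get("name") or el.get("source")):
            problems.append(f"<{el.tag}> has neither name nor source")
    return problems


def place_saved_searches(nav_xml, names):
    """Return {collection label: [search names]} under the ASSUMED rule:
    walk <saved source="unclassified" match="..."> elements in document
    order, match case-insensitively on the search name as a substring,
    place each search only once (the first matching element wins), and let
    an element without match take everything still unplaced.  This mirrors
    the behaviour described in the answer; a given Splunk version's exact
    matching rules may differ."""
    root = ET.fromstring(nav_xml)
    remaining = list(names)
    placement = {}
    # ElementTree has no parent pointers, so record them to recover the
    # label of the collection each <saved> element sits in.
    parent = {child: p for p in root.iter() for child in p}
    for saved in root.iter("saved"):
        if saved.get("source") != "unclassified":
            continue
        label = parent[saved].get("label", "<top level>")
        needle = (saved.get("match") or "").lower()
        taken = [n for n in remaining if needle in n.lower()]
        placement.setdefault(label, []).extend(taken)
        remaining = [n for n in remaining if n not in taken]
    return placement


if __name__ == "__main__":
    print("problems:", nav_problems(NAV_XML) or "none")
    for label, searches in place_saved_searches(NAV_XML, SAVED_SEARCHES).items():
        print(f"{label}:")
        for s in searches:
            print(f"    {s}")
```

Running it against a real default.xml before hitting the refresh endpoint is a cheap way to tell an XML mistake apart from the wrong-port "path was not found" error discussed earlier in the thread: nav_problems reports the former, while the latter never gets as far as parsing the file.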

Re: How do you organize searches in Splunk?

Super Champion

Out of curiosity, do you know what the "ss" in "restartss" means?

Re: How do you organize searches in Splunk?

Motivator

@Lowell I believe jrodman remarked in IRC that it might stand for special sauce or similar (my recollection is not clear on the exact phrase). Basically he wasn't sure what it meant 🙂