splunk unix app


I've been tasked with setting up an application similar to the Splunk Unix app. I'm not sure where to start. I have the app created. But the main page is just the familiar Search app. How do I add content similar to what you see in the Unix app? Also, how do I change the color to black as well? I'm looking for a good starting point.



Re: splunk unix app

Splunk Employee

You'll need this:

To be honest, at least for me, the easiest thing to do is to explore an app from the filesystem (i.e. $SPLUNKHOME/etc/apps/appname). There often isn't a ton of stuff going on in an app (well, it's not like it's thousands of lines of compiled code), and it's easiest to understand by looking at the relevant config files, views, etc. These paths are of particular interest:

  • $SPLUNKHOME/etc/apps/appname/default
  • $SPLUNKHOME/etc/apps/appname/default/data/ui/(views|nav)/*.xml
  • $SPLUNKHOME/etc/apps/appname/appserver/static

An application can have its own stylesheet under appserver/static/application.css which would control the coloring. There's no reason why you can't take the Unix app that's on Splunkbase and just tweak it to your liking -- no need to start completely fresh.


Re: splunk unix app


I totally agree with mw - you can simply make a copy of the UNIX app in a new directory under $SPLUNK_HOME/etc/apps and change it as you like. (Be sure to give it a new name in app.conf)

Every page that you see in Splunk is a view. When you create a new app from scratch, Splunk automatically sets the app's default view to the search app's view called "flashtimeline" as a starting point. Views are specified in XML; there aren't any binaries. (The Developer manual is mostly about views.)

This is good news, because you can look at the XML for any view from any app that you like - and copy, edit, and tweak it as you like. You can also copy the saved searches, dashboards, etc. There is also an XML file (called default.xml) for each app that defines the view menus - called the "nav bar." In the end, almost everything in Splunk is either in a text XML file, or a text configuration file.

So I recommend that you download a few other apps from Splunkbase, in addition to the UNIX app. There are several apps there that are just "skins" for Splunk; in combination with the css from the UNIX app, you should be able to see how to get started (if you know css). There are also some "example" apps, which are written just to show people how to build cool views in Splunk.


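The copy-and-rename approach from the replies above, sketched as an added example that is not part of the original thread or any Splunk-provided code. The function names and the sample app tree are constructed, and it assumes the "new name in app.conf" is the `label` setting in `default/app.conf`.

```shell
#!/bin/sh
# Added example. Function names and the demo tree are constructed for illustration.

# make_demo_app DIR: build a small sample app (not the real Unix app).
make_demo_app() {
    mkdir -p "$1/default/data/ui/views" "$1/default/data/ui/nav" "$1/appserver/static"
    printf '[ui]\nis_visible = 1\nlabel = Sample Source App\n' > "$1/default/app.conf"
    printf '<nav><view name="overview" default="true"/></nav>\n' \
        > "$1/default/data/ui/nav/default.xml"
    printf '<dashboard><label>Overview</label></dashboard>\n' \
        > "$1/default/data/ui/views/overview.xml"
    printf 'body { background: #000; color: #ccc; }\n' \
        > "$1/appserver/static/application.css"
}

# clone_app SRC DST LABEL: copy an app directory and give the copy a new label.
clone_app() {
    src=$1; dst=$2; label=$3
    if [ ! -d "$src" ]; then echo "no such app: $src" >&2; return 1; fi
    # Refuse to overwrite an app that is already installed under that name.
    if [ -e "$dst" ]; then echo "target exists: $dst" >&2; return 1; fi
    cp -R "$src" "$dst" || return 1
    conf="$dst/default/app.conf"
    if [ ! -f "$conf" ]; then echo "missing $conf" >&2; return 1; fi
    # Rewrite only the "label = ..." line; every other setting is kept.
    awk -v l="$label" '/^label[ \t]*=/ { print "label = " l; next } { print }' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# list_ui_files APP: print the view, nav and static files, relative to the app.
list_ui_files() {
    ( cd "$1" && find default/data/ui/views default/data/ui/nav appserver/static \
        -type f 2>/dev/null | sort )
}

# Demo on a throwaway directory.
work=$(mktemp -d)
make_demo_app "$work/source_app"
clone_app "$work/source_app" "$work/my_app" "My Custom App"
grep '^label' "$work/my_app/default/app.conf"
list_ui_files "$work/my_app"
rm -rf "$work"
```

Against a real installation, the source and target would be directories under the apps folder mentioned in the replies, and Splunk typically needs a restart before a newly copied app shows up.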