Dashboards & Visualizations

Change Default Flashtimeline display (Events List to Events Table)

jasonhblackwell
Explorer

When preforming a search the default behavior seems to be to display the events in "Events List". I was wondering if there was a way to make the default behavior "Events Table" other than having to click the "Events Table" button after preforming a search.

1 Solution

jasonhblackwell
Explorer

Thank you for the information nick. It got me in the right spot but it did not solve my issue. It did change where the buttons were located though but it would still choose "Events List" What did solve it was the <param name="selected"> underneath <module name="ButtonSwitcher" layoutPanel="pageControls">

Changing it from:

<param name="selected">splIcon-events-list</param>

to

<param name="selected">splIcon-events-table</param>

Made the default behavior change to "Events Table".

Thank again for pointing me in the right direction!

View solution in original post

0 Karma

jasonhblackwell
Explorer

Thank you for the information nick. It got me in the right spot but it did not solve my issue. It did change where the buttons were located though but it would still choose "Events List" What did solve it was the <param name="selected"> underneath <module name="ButtonSwitcher" layoutPanel="pageControls">

Changing it from:

<param name="selected">splIcon-events-list</param>

to

<param name="selected">splIcon-events-table</param>

Made the default behavior change to "Events Table".

Thank again for pointing me in the right direction!

0 Karma

sideview
SplunkTrust
SplunkTrust

Sure. Go to manager, User interface, Views.
I would clone the 'flashtimeline' view into 'flashtimeline_backup' before making any changes.

Some will read that and think it's unnecessary; changes made in manager will layer safely on top of the 'real' flashtimeline view, just like all Splunk conf-system changes. but explicitly backing up in manager is nice because if (when) you screw up the XML you can just restore from a backed up version without even leaving manager.

Anyway, then edit the flashtimeline view. More properly, grab the huge XML wob that is flashtimeline, and copy it into a text editor. You'll have to proceed carefully because of course this is XML you're dealing with and its a bit finicky. 😃

But you essentially need to flip two big blocks of nested <module> tags. Search through the docuemnt and you'll find the following three points of interest.

1) <module name="ButtonSwitcher" layoutPanel="pageControls">

this ButtonSwitcher module controls the three icons and which of the three subbranches is visible. If you notice, the ButtonSwitcher has a bunch of <param> children and then three direct <module> children. And each of those <module> children then have a boatload of other <module> tags inside of them.

2) <module name="ResultsHeader" layoutPanel="resultsHeaderPanel" group="splIcon-events-list" altTitle="Events List">

This is the first of the three children of the ButtonSwitcher, the 'events list' subbranch.

3) about 80 lines further down, you'll see this guy:
<module name="ResultsHeader" layoutPanel="resultsHeaderPanel" group="splIcon-events-table" altTitle="Events Table">

This is the second of the ButtonSwitcher's three children, the 'events as table'.

All you need to do is carefully cut and paste the second block so that it becomes the first block.

The best way to understand <module> tags, and what all this indentation means, and what the heck a switcher is, is to download and install the "UI Examples for 4.1" app from splunkbase (you can go to Launcher, and then browse other apps and install it right from your browser). Then carefully read through it's section on 'Advanced XML'. Everyone who I tell/force to do this tells me later that it was indeed time well spent.

hth

jrodman
Splunk Employee
Splunk Employee

This will almost certain require view modification. It might be more convenient to duplicate the flashtimeline view to another name and change the xml in the copy. Some digging will be required.

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...