
How to display multi-column list of saved searches on dashboard

lindsley
Engager

Like others, I want to display a list of saved searches (like Splunk 3.x did) on my dashboard. I have added the following XML snippet to my dashboard to attempt to do this:

This lists all of the saved searches you have access to

    <!-- Saved Searches -->
    <module name="EntityLinkLister" layoutPanel="panel_row1_col1">
      <param name="entityPath">saved/searches</param>
      <param name="settingToCreate">savedSearchz</param>

      <param name="entityFieldsToDisplay">
        <list>
          <param name="label">name</param>
          <param name="value">name</param>
        </list>
      </param>

      <module name="HiddenSearch">
        <param name="search">| savedsearch "$savedSearch$"</param>
        <module name="ConvertToIntention">
          <param name="intention">
            <param name="name">stringreplace</param>
            <param name="arg">
              <param name="savedSearch">
                <param name="fillOnEmpty">True</param>
                <param name="value">$savedSearchz$</param>
              </param>
            </param>
          </param>
          <module name="ViewRedirector">
            <param name="viewTarget">flashtimeline</param>
          </module>
        </module>
      </module>
    </module>

This displays one column with 30 of my saved searches. How do I increase the number per column and add more columns to the list?


Jason
Motivator

[promoted my reply to its own question since it asked additional questions]

0 Karma

sideview
SplunkTrust

1) running the search string itself instead of | savedsearch $searchName$

I think that if you have the 'search' field as the value instead of the name,

    <list>
      <param name="label">name</param>
      <param name="value">search</param>
    </list>

then you'll be able to avoid using the savedsearch command like so:

    <module name="HiddenSearch">
      <param name="search">$savedSearch$</param>

2) changing the number of saved searches displayed:

I think the EntityLinkLister just takes a count param, which should work. But maybe you've tried that already.

3) Making more than just one column.

This is a lot harder, in that the automatic behaviour that 3.X had is no longer there and I think that's what you're asking about.

First, I assume you want it to look like the 'summary' view, in that you want three lists of blue links, but you want the second list to pick up right where the first one left off, and the third to continue from the second.

Frankly it's probably easier to just put a Paginator module above the EntityLinkLister (see how this is done in the search app's summary view), and have only a single column at a time.

However you can do it manually in the advanced XML using three nearly identical blocks of config. Assuming you want 30 rows in each of the 3 SearchLinkListers:

You can render the first into layoutPanel="panel_row1_col1_grp1", and give its search this on the end:

    ... | head 30

Then layoutPanel="panel_row1_col1_grp2" and the second one has this on the end:

    ... | head 60 | tail 30 | reverse

And then layoutPanel="panel_row1_col1_grp3", etc.

    ... | head 90 | tail 30 | reverse

(The reverse is needed because the tail command reverses the order, which we don't want here.)

Then you'll probably want a little 2-module combination of HiddenSearch and ViewRedirectorLink to give the user a 'see all' link below the three lists.

But again if it's acceptable to just throw a Paginator module in there and stick to a single column, that would take a lot less effort.
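The three-column slicing described in the answer above, modelled as an added example (not code from the original post): plain Python lists stand in for search results, and the helper names and the `SAMPLE` list are constructed for illustration. It also shows what each column receives when there are fewer saved searches than a column's `head` window expects.

```python
# Added example: models the SPL head / tail / reverse commands on a Python list
# to show which rows each of the three columns receives.

def head(rows, n):
    """SPL `head n`: keep the first n results."""
    return rows[:n]

def tail(rows, n):
    """SPL `tail n`: keep the last n results, returned in reverse order."""
    return rows[-n:][::-1] if n > 0 else []

def reverse(rows):
    """SPL `reverse`: flip the result order."""
    return rows[::-1]

def column(rows, index, per_column=30):
    """Rows shown in column `index` (1-based), built as in the answer:
    column 1 is `head N`; column i is `head N*i | tail N | reverse`."""
    if index == 1:
        return head(rows, per_column)
    return reverse(tail(head(rows, per_column * index), per_column))

def overlap_with_previous(rows, index, per_column=30):
    """Rows in column `index` that already appeared in an earlier column."""
    seen = set()
    for i in range(1, index):
        seen.update(column(rows, i, per_column))
    return [r for r in column(rows, index, per_column) if r in seen]

# Constructed sample: 90 saved-search names, already sorted by name.
SAMPLE = [f"search_{i:03d}" for i in range(1, 91)]

if __name__ == "__main__":
    for i in (1, 2, 3):
        col = column(SAMPLE, i)
        print(f"column {i}: {col[0]} .. {col[-1]}")

    # Only 45 saved searches: `head 60` returns 45 rows, so `tail 30`
    # reaches back into rows the first column already shows.
    short = SAMPLE[:45]
    col2 = column(short, 2)
    print(f"45 rows, column 2: {col2[0]} .. {col2[-1]}")
    print("repeated from column 1:", len(overlap_with_previous(short, 2)))
```

With fewer than 60 saved searches the second column repeats entries from the first, and likewise for the third column below 90, so the per-column count has to match the real list size.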

sideview
SplunkTrust

Gotcha. I guess that makes sense. You can use this instead:

"head 60 | tail 30 | reverse". I'll update my answer to not use the "where _serial<60" trick.

0 Karma

Jason
Motivator

It seems like using the _serial method brings the searches back in random order, not ordered by name.

0 Karma

rroberts
Splunk Employee

I've been experimenting with the savedsearch modules like so...
...


My Saved Searches


...
I do get a list of savedsearches to appear but haven't tried placing the list in columns.

0 Karma

nclarkau
Path Finder

I haven't tried the entityLinkLister method you have here as it was not working when we needed it. We found a way to get all the searches in a list (à la 3.0) using a custom command (http://answers.splunk.com/questions/388). Obviously a lot more work than the entityLinkLister method, but the target search is the actual search and not the savedsearch command, which is quite helpful.

However, it does not allow the result list to flow across multiple columns, something we would really, really like to see too!

0 Karma