Dashboards & Visualizations

In 6.4.x, why is Splunk not displaying all my saved searches in my drop-downs?

zindain24
Path Finder

Hello,

I've used the view.py hack in a previous version of Splunk to populate my drop-downs with more than 500 results. This appears to no longer work in version 6.4+. Anyone else experience this? Any suggestions?

Ref:
https://answers.splunk.com/answers/349973/splunk-not-displaying-all-my-saved-searches-in-the.html

0 Karma
1 Solution

arobbins_splunk
Splunk Employee
Splunk Employee

The PM wlll be able to give you more definitive help, but in the meantime, try experimenting with changing the similar limit in the _getSearches() function in mrsparkle/lib/appnav.py

View solution in original post

arobbins_splunk
Splunk Employee
Splunk Employee

The PM wlll be able to give you more definitive help, but in the meantime, try experimenting with changing the similar limit in the _getSearches() function in mrsparkle/lib/appnav.py

zindain24
Path Finder

Success! Changes to the function in .../mrsparkle/lib/appnav.py worked. I'm now able to increase the limit. Thanks for your help

0 Karma

arobbins_splunk
Splunk Employee
Splunk Employee

great. as you're probably aware, changes like this are likely to break during upgrades. Hopefully the PM can find a way to expose a configuration for you and customers in a similar position.

Have fun with 6.4.x! There's some great stuff in it.

0 Karma

arobbins_splunk
Splunk Employee
Splunk Employee

Which drop-downs are you referring to?

0 Karma

zindain24
Path Finder

Any drop downs created in the search app. For example, I remade the "Searches & Reports" dropdown because my customers are used to the existing navigation menu structure.

User interface » Navigation menus » default

For example:

<collection label="Security Services">
<collection label="CMS AU2 Desktop">
   <saved source="unclassified" match="CMS_AU2" />
   <saved source="unclassified" match="AU2_Win" />
</collection>
    <collection label="Active Directory">
       <saved source="unclassified" match="HMK_AD" />
    </collection>
    <collection label="Zixmail Reports">
       <saved source="unclassified" match="Zixmail" />
    </collection>
    <collection label="McAfee Reports">
       <saved source="unclassified" match="McAfee" />
    </collection>
    <collection label="Network Security Reports">
       <saved source="unclassified" match="HM_ACS" />
       <saved source="unclassified" match="Firewall_Config" />
    </collection>
<divider />

  <saved source="unclassified" match="SOC" />
</collection>
<collection label="Threat">
  <saved source="unclassified" match="Threat" />
</collection>
0 Karma

arobbins_splunk
Splunk Employee
Splunk Employee

I will relay this to the PM responsible for the navigation bar. I believe the current limit there is 500 searches.

0 Karma

zindain24
Path Finder

Thanks arobbins, this is the only item holding me back from upgrading to 6.4.1.

0 Karma

arobbins_splunk
Splunk Employee
Splunk Employee

what version were you on previously? and did you see the limit then?

0 Karma

zindain24
Path Finder

6.2.1 is the version I am upgrading from and the 500 search limit in 6.2.1 is still configurable by editing ($SPLUNKHOME/lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/view.py)

searches = en.getEntities('saved/searches', namespace=app, search='is_visible=1 AND disabled=0', count=500, _with_new='1')

I upgraded clones of my search heads in a sandbox environment to test the upgrade before moving to production and noticed the "500" limit is no longer increasing when I modify the view.py setting.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...