Dashboards & Visualizations

In 6.4.x, why is Splunk not displaying all my saved searches in my drop-downs?

zindain24
Path Finder

Hello,

I've used the view.py hack in a previous version of Splunk to populate my drop-downs with more than 500 results. This appears to no longer work in version 6.4+. Anyone else experience this? Any suggestions?

Ref:
https://answers.splunk.com/answers/349973/splunk-not-displaying-all-my-saved-searches-in-the.html

0 Karma
1 Solution

arobbins_splunk
Splunk Employee
Splunk Employee

The PM wlll be able to give you more definitive help, but in the meantime, try experimenting with changing the similar limit in the _getSearches() function in mrsparkle/lib/appnav.py

View solution in original post

arobbins_splunk
Splunk Employee
Splunk Employee

The PM wlll be able to give you more definitive help, but in the meantime, try experimenting with changing the similar limit in the _getSearches() function in mrsparkle/lib/appnav.py

zindain24
Path Finder

Success! Changes to the function in .../mrsparkle/lib/appnav.py worked. I'm now able to increase the limit. Thanks for your help

0 Karma

arobbins_splunk
Splunk Employee
Splunk Employee

great. as you're probably aware, changes like this are likely to break during upgrades. Hopefully the PM can find a way to expose a configuration for you and customers in a similar position.

Have fun with 6.4.x! There's some great stuff in it.

0 Karma

arobbins_splunk
Splunk Employee
Splunk Employee

Which drop-downs are you referring to?

0 Karma

zindain24
Path Finder

Any drop downs created in the search app. For example, I remade the "Searches & Reports" dropdown because my customers are used to the existing navigation menu structure.

User interface » Navigation menus » default

For example:

<collection label="Security Services">
<collection label="CMS AU2 Desktop">
   <saved source="unclassified" match="CMS_AU2" />
   <saved source="unclassified" match="AU2_Win" />
</collection>
    <collection label="Active Directory">
       <saved source="unclassified" match="HMK_AD" />
    </collection>
    <collection label="Zixmail Reports">
       <saved source="unclassified" match="Zixmail" />
    </collection>
    <collection label="McAfee Reports">
       <saved source="unclassified" match="McAfee" />
    </collection>
    <collection label="Network Security Reports">
       <saved source="unclassified" match="HM_ACS" />
       <saved source="unclassified" match="Firewall_Config" />
    </collection>
<divider />

  <saved source="unclassified" match="SOC" />
</collection>
<collection label="Threat">
  <saved source="unclassified" match="Threat" />
</collection>
0 Karma

arobbins_splunk
Splunk Employee
Splunk Employee

I will relay this to the PM responsible for the navigation bar. I believe the current limit there is 500 searches.

0 Karma

zindain24
Path Finder

Thanks arobbins, this is the only item holding me back from upgrading to 6.4.1.

0 Karma

arobbins_splunk
Splunk Employee
Splunk Employee

what version were you on previously? and did you see the limit then?

0 Karma

zindain24
Path Finder

6.2.1 is the version I am upgrading from and the 500 search limit in 6.2.1 is still configurable by editing ($SPLUNKHOME/lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/view.py)

searches = en.getEntities('saved/searches', namespace=app, search='is_visible=1 AND disabled=0', count=500, _with_new='1')

I upgraded clones of my search heads in a sandbox environment to test the upgrade before moving to production and noticed the "500" limit is no longer increasing when I modify the view.py setting.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...