Solved: Re: In 6.4.x, why is Splunk not displaying all my ...

zindain24 · ‎06-07-2016

Hello,

I've used the view.py hack in a previous version of Splunk to populate my drop-downs with more than 500 results. This appears to no longer work in version 6.4+. Anyone else experience this? Any suggestions?

Ref:
https://answers.splunk.com/answers/349973/splunk-not-displaying-all-my-saved-searches-in-the.html

arobbins_splunk · ‎06-14-2016

The PM wlll be able to give you more definitive help, but in the meantime, try experimenting with changing the similar limit in the _getSearches() function in mrsparkle/lib/appnav.py

View solution in original post

arobbins_splunk · ‎06-14-2016

The PM wlll be able to give you more definitive help, but in the meantime, try experimenting with changing the similar limit in the _getSearches() function in mrsparkle/lib/appnav.py

zindain24 · ‎06-14-2016

Success! Changes to the function in .../mrsparkle/lib/appnav.py worked. I'm now able to increase the limit. Thanks for your help

arobbins_splunk · ‎06-14-2016

great. as you're probably aware, changes like this are likely to break during upgrades. Hopefully the PM can find a way to expose a configuration for you and customers in a similar position.

Have fun with 6.4.x! There's some great stuff in it.

arobbins_splunk · ‎06-07-2016

Which drop-downs are you referring to?

zindain24 · ‎06-14-2016

Any drop downs created in the search app. For example, I remade the "Searches & Reports" dropdown because my customers are used to the existing navigation menu structure.

User interface » Navigation menus » default

For example:

<collection label="Security Services">
<collection label="CMS AU2 Desktop">
   <saved source="unclassified" match="CMS_AU2" />
   <saved source="unclassified" match="AU2_Win" />
</collection>
    <collection label="Active Directory">
       <saved source="unclassified" match="HMK_AD" />
    </collection>
    <collection label="Zixmail Reports">
       <saved source="unclassified" match="Zixmail" />
    </collection>
    <collection label="McAfee Reports">
       <saved source="unclassified" match="McAfee" />
    </collection>
    <collection label="Network Security Reports">
       <saved source="unclassified" match="HM_ACS" />
       <saved source="unclassified" match="Firewall_Config" />
    </collection>
<divider />

  <saved source="unclassified" match="SOC" />
</collection>
<collection label="Threat">
  <saved source="unclassified" match="Threat" />
</collection>

arobbins_splunk · ‎06-14-2016

I will relay this to the PM responsible for the navigation bar. I believe the current limit there is 500 searches.

zindain24 · ‎06-14-2016

Thanks arobbins, this is the only item holding me back from upgrading to 6.4.1.

arobbins_splunk · ‎06-14-2016

what version were you on previously? and did you see the limit then?

zindain24 · ‎06-14-2016

6.2.1 is the version I am upgrading from and the 500 search limit in 6.2.1 is still configurable by editing ($SPLUNKHOME/lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/view.py)

searches = en.getEntities('saved/searches', namespace=app, search='is_visible=1 AND disabled=0', count=500, _with_new='1')

I upgraded clones of my search heads in a sandbox environment to test the upgrade before moving to production and noticed the "500" limit is no longer increasing when I modify the view.py setting.

In 6.4.x, why is Splunk not displaying all my saved searches in my drop-downs?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?