Dashboards & Visualizations

how can i know modules hierarchy?

hjwang
Contributor

hi~there, i wanna try to develop the advanced view in splunk, i know there are modules explaination in http://localhost:8000/en-US/modules, but i don't know the modules hierarchy, in other words, one modules can have what kind of child modules to use, in splunk web documentation, it does not explain must about it. where can i get such information?Thanks and best regards,

Tags (2)
0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

Definitely get the "UI Examples for 4.1" app from Splunkbase. It contains a ton of example views with their own embedded documentation. In particular under it's "advanced XML" section, you'll want to read the 3 introductory pages where it talks about the modules and the hierarchy and what it means.

And the main intro page to the advanced XML is here. It is worth a read but if you're actually setting out to understand the view XML and what the modules are doing, the UI examples app will get you there quicker.

http://www.splunk.com/base/Documentation/latest/Developer/AdvancedIntro

As far as what modules can go inside what other modules -- there are not many hard rules, but as you gain an understanding of what each of the important modules do, you'll realize what configurations will work and what will not.

You can divide the modules broadly into two categories: 1) Some modules output things for it's "children" downstream in the hierarchy, like the TimeRangePicker makes the selected TimeRange available for all the modules below (inside) it. 2) some other modules just render search results once the arguments have all been put together and turned into a running search.

It's more about making sure that the arguments your modules are sending down are getting used. The module framework doesnt assume it understands what you're trying to do; it doesnt try and shoehorn you into some smaller-but-known space of "legal" configurations.

For example you'll get warned if you create a Paginator module with no children, because the only thing a Paginator does is tell it's children what page to go to, and this never makes any sense. With no children it becomes meaningless. On the other extreme if you put a Paginator just upstream from a SimpleResultsTable or an EventsViewer module, this is a common configuration, it's quite sensible and it will work great. In the middle between the two extremes you wont get any warnings - eg if you put a Paginator above a FlashChart you wont get warned although you might realize when nothing happens that FlashCharts do not listen to the Paginator...

Again, pulling down UI Examples and reading it's explanation of all this is the way to go.

You might also consider installing Sideview Utils from Splunkbase, because that app brings its own custom modules into the picture and those moldules give you improved functionality as well as slightly simpler and more consistent XML. Most strikingly it doesn't use 'intentions' at all so you dont have to deal with any of that any more.

View solution in original post

hjwang
Contributor

Thanks for all of your replies

0 Karma

sideview
SplunkTrust
SplunkTrust

Definitely get the "UI Examples for 4.1" app from Splunkbase. It contains a ton of example views with their own embedded documentation. In particular under it's "advanced XML" section, you'll want to read the 3 introductory pages where it talks about the modules and the hierarchy and what it means.

And the main intro page to the advanced XML is here. It is worth a read but if you're actually setting out to understand the view XML and what the modules are doing, the UI examples app will get you there quicker.

http://www.splunk.com/base/Documentation/latest/Developer/AdvancedIntro

As far as what modules can go inside what other modules -- there are not many hard rules, but as you gain an understanding of what each of the important modules do, you'll realize what configurations will work and what will not.

You can divide the modules broadly into two categories: 1) Some modules output things for it's "children" downstream in the hierarchy, like the TimeRangePicker makes the selected TimeRange available for all the modules below (inside) it. 2) some other modules just render search results once the arguments have all been put together and turned into a running search.

It's more about making sure that the arguments your modules are sending down are getting used. The module framework doesnt assume it understands what you're trying to do; it doesnt try and shoehorn you into some smaller-but-known space of "legal" configurations.

For example you'll get warned if you create a Paginator module with no children, because the only thing a Paginator does is tell it's children what page to go to, and this never makes any sense. With no children it becomes meaningless. On the other extreme if you put a Paginator just upstream from a SimpleResultsTable or an EventsViewer module, this is a common configuration, it's quite sensible and it will work great. In the middle between the two extremes you wont get any warnings - eg if you put a Paginator above a FlashChart you wont get warned although you might realize when nothing happens that FlashCharts do not listen to the Paginator...

Again, pulling down UI Examples and reading it's explanation of all this is the way to go.

You might also consider installing Sideview Utils from Splunkbase, because that app brings its own custom modules into the picture and those moldules give you improved functionality as well as slightly simpler and more consistent XML. Most strikingly it doesn't use 'intentions' at all so you dont have to deal with any of that any more.

Ant1D
Motivator

From my knowledge, there is not a clear-cut explanation of this and knowing comes best from experience.

This reference guide helps to an extent:
http://www.splunk.com/base/Documentation/4.2.1/Developer/ModuleReference

Also, if you take one of your simple XML views and add the following at the end of the URL while using Splunk web (?showsource=1😞
E.g. http://localhost:8000/en-GB/app/your_app/your_dashboard?showsource=1

This will show you how your simple XML code for your_dashboard.xml looks in Advanced XML format so you can get a feel for how the modules work.

The following links may also be helpful:
http://www.splunk.com/base/Documentation/4.2.1/Developer/AdvancedDashboard
http://www.splunk.com/base/Documentation/latest/Developer/AdvancedFormSearch

I hope that this helps.

David
Splunk Employee
Splunk Employee

I'd also add that the ui_examples app, downloadable off SplunkBase, can be invaluable here.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...