hi~there, i wanna try to develop the advanced view in splunk, i know there are modules explaination in http://localhost:8000/en-US/modules, but i don't know the modules hierarchy, in other words, one modules can have what kind of child modules to use, in splunk web documentation, it does not explain must about it. where can i get such information?Thanks and best regards,
From my knowledge, there is not a clear-cut explanation of this and knowing comes best from experience.
This reference guide helps to an extent:
Also, if you take one of your simple XML views and add the following at the end of the URL while using Splunk web (
This will show you how your simple XML code for your_dashboard.xml looks in Advanced XML format so you can get a feel for how the modules work.
The following links may also be helpful:
I hope that this helps.
Definitely get the "UI Examples for 4.1" app from Splunkbase. It contains a ton of example views with their own embedded documentation. In particular under it's "advanced XML" section, you'll want to read the 3 introductory pages where it talks about the modules and the hierarchy and what it means.
And the main intro page to the advanced XML is here. It is worth a read but if you're actually setting out to understand the view XML and what the modules are doing, the UI examples app will get you there quicker.
As far as what modules can go inside what other modules -- there are not many hard rules, but as you gain an understanding of what each of the important modules do, you'll realize what configurations will work and what will not.
You can divide the modules broadly into two categories: 1) Some modules output things for it's "children" downstream in the hierarchy, like the TimeRangePicker makes the selected TimeRange available for all the modules below (inside) it. 2) some other modules just render search results once the arguments have all been put together and turned into a running search.
It's more about making sure that the arguments your modules are sending down are getting used. The module framework doesnt assume it understands what you're trying to do; it doesnt try and shoehorn you into some smaller-but-known space of "legal" configurations.
For example you'll get warned if you create a Paginator module with no children, because the only thing a Paginator does is tell it's children what page to go to, and this never makes any sense. With no children it becomes meaningless. On the other extreme if you put a Paginator just upstream from a SimpleResultsTable or an EventsViewer module, this is a common configuration, it's quite sensible and it will work great. In the middle between the two extremes you wont get any warnings - eg if you put a Paginator above a FlashChart you wont get warned although you might realize when nothing happens that FlashCharts do not listen to the Paginator...
Again, pulling down UI Examples and reading it's explanation of all this is the way to go.
You might also consider installing Sideview Utils from Splunkbase, because that app brings its own custom modules into the picture and those moldules give you improved functionality as well as slightly simpler and more consistent XML. Most strikingly it doesn't use 'intentions' at all so you dont have to deal with any of that any more.