Reporting

Splunk 6 - saved searches... now reports?

nwieseler
Path Finder

Is there a way to enable the search bar within my report so I can make adjustments? Reading the docs I don't understand the best way to make changes to a report I opened (what used to be called a saved search)?

Nick

cbehm
Explorer

This is a frustrating and (for our organization) useless change that appears to have no way to change the default behavior. Our users are technical users for whom a saved search should actually be a saved search by default, not a report.

There is a slightly better work-around in that you can bring back your saved searches as a dropdown by adding the following to the navigation menu UI (from the search app go to Settings -> User interface -> Navigation menu):

<collection label="Searches">
  <saved source="unclassified" />
</collection>

Then the saved searches will be listed in a drop down as they were in Splunk 5 and will also have a magnifying glass that takes you to the search and not the report. Clicking the name still takes you to the report though.

I'll be submitting feedback to Splunk - at the very least allow the default behavior to be specified by user or as part of the saved search itself.

nataliat
Explorer

Thanks! So Useful 🙂

0 Karma

colbymahan
Explorer

Thanks! Just what I needed.

0 Karma

nwieseler
Path Finder

Thanks for the tip. This continues to be something I wish had not changed in the UI.

Nick

0 Karma

rroberts
Splunk Employee

Found this section in the http://docs.splunk.com/Documentation/Splunk/6.0/Installation/Aboutupgradingto6.0READTHISFIRST doc.

"We have changed a number of the Splunk terms that you've come to know"

1. Manager, Splunk's main configuration interface, is now known as Settings.
2. Launcher, the initial menu you see when you run Splunk, is now known as Home.
3. Saved searches are now known as reports.
4. A saved search with an alert is now known as an alert.
5. "TSIDX stats" are now known as indexed field statistics.

0 Karma

rroberts
Splunk Employee

Ah, gotcha.

0 Karma

nwieseler
Path Finder

Correct - I was more concerned with being able to make changes to a report I had opened. I missed the link in the GUI where it linked to "open in search".

Nick

0 Karma

nwieseler
Path Finder

There is also an option in the report screen to open in search which is handy...

0 Karma

nwieseler
Path Finder

Edit button > Open in Search seems to be the only option I can figure out.

Extra step but I can live with it...

Nick

0 Karma