hi,
I'm trying to setup a custom help screen (via advanceXML) which lists all Tags, Eventtypes, SavedSearches, and Fields extracted for my app.
For Tags, I want the panel to look similar to that of admin_ntags.xml
For Eventtypes, I want the panel to look similar to that of Splunk>Manager>eventtypes
For SavedSearches, I want the panel to look similar to that of Manager>Searches and Reports
...
For all listings in each panel, I would obviously remove the App column because I only want to show the Tags/Eventtypes/Saved/Fields associated with this app; as well as removing some non-essential columns such as owner, alert, status, sharing, and action, etc..
I have tried using metadata cmd to find the event(listing), so maybe this can be a search string - but no luck.
I have tried using ServerSideInclude, and include the admin_ntags.xml... but haven't got very far with that.
Any help is greatly appreciated.
There's nothing very easy unfortunately.
1) You might want to download the Splunk Discover app from splunkbase. that app packages its own little search command called "entity
". Since it's a custom search command it is written in python so you can read the source and see how it does what it does. And depending on the license the Discover app has you can use the same command in your own app. It can get entities like saved searches and eventtypes, and since it's a search command this means the entities become search result rows and the keys of the entities become fields on the rows. Mileage may vary but if you have a decent grasp of the advanced XML, and you're armed with that command or something similar, you should be able to get there.
2) The EntitySelectLister module is basically a pulldown that can pull it's option elements from entities like saved searches and eventtypes. It's pretty tricky to use and since it doesnt help you render anything about those entities into tables or charts, hardly anybody ever uses it. Worth a mention though cause it's sort of in the same area.
3) You also might look at the manager XML files. All list and edit views in manager are actually controlled by xml files that live in $SPLUNK_HOME/etc/apps/search/default/data/ui/manager/
Although there is really no documentation for that system at all, some people have succeeded in reverse engineering that system to add or modify pages in Manager. Depending on what custom functionality you're trying to achieve, this could be the way to go.
There's nothing very easy unfortunately.
1) You might want to download the Splunk Discover app from splunkbase. that app packages its own little search command called "entity
". Since it's a custom search command it is written in python so you can read the source and see how it does what it does. And depending on the license the Discover app has you can use the same command in your own app. It can get entities like saved searches and eventtypes, and since it's a search command this means the entities become search result rows and the keys of the entities become fields on the rows. Mileage may vary but if you have a decent grasp of the advanced XML, and you're armed with that command or something similar, you should be able to get there.
2) The EntitySelectLister module is basically a pulldown that can pull it's option elements from entities like saved searches and eventtypes. It's pretty tricky to use and since it doesnt help you render anything about those entities into tables or charts, hardly anybody ever uses it. Worth a mention though cause it's sort of in the same area.
3) You also might look at the manager XML files. All list and edit views in manager are actually controlled by xml files that live in $SPLUNK_HOME/etc/apps/search/default/data/ui/manager/
Although there is really no documentation for that system at all, some people have succeeded in reverse engineering that system to add or modify pages in Manager. Depending on what custom functionality you're trying to achieve, this could be the way to go.
3 - actually, my original thought was to try and add the XML from the manager path to my view with the ServerSideInclude module. Apparently, that doesn't work.
I will give the entity module a whirl.
much appreciated.