custom help screen

klee310
Communicator

Hi,

I'm trying to set up a custom help screen (via advanced XML) which lists all Tags, Eventtypes, SavedSearches, and Fields extracted for my app.

For Tags, I want the panel to look similar to that of admin_ntags.xml

For Eventtypes, I want the panel to look similar to that of Splunk>Manager>eventtypes

For SavedSearches, I want the panel to look similar to that of Manager>Searches and Reports

...

For all listings in each panel, I would obviously remove the App column, because I only want to show the Tags/Eventtypes/Saved/Fields associated with this app, as well as removing some non-essential columns such as owner, alert, status, sharing, and action, etc.

I have tried using metadata cmd to find the event(listing), so maybe this can be a search string - but no luck.

I have tried using ServerSideInclude, and include the admin_ntags.xml... but haven't got very far with that.

Any help is greatly appreciated.

1 Solution

sideview
SplunkTrust

There's nothing very easy, unfortunately.

1) You might want to download the Splunk Discover app from Splunkbase. That app packages its own little search command called "entity". Since it's a custom search command it is written in Python, so you can read the source and see how it does what it does. And depending on the license the Discover app has, you can use the same command in your own app. It can get entities like saved searches and eventtypes, and since it's a search command this means the entities become search result rows and the keys of the entities become fields on the rows. Mileage may vary, but if you have a decent grasp of the advanced XML, and you're armed with that command or something similar, you should be able to get there.

2) The EntitySelectLister module is basically a pulldown that can pull its option elements from entities like saved searches and eventtypes. It's pretty tricky to use, and since it doesn't help you render anything about those entities into tables or charts, hardly anybody ever uses it. Worth a mention though, 'cause it's sort of in the same area.

3) You also might look at the manager XML files. All list and edit views in manager are actually controlled by xml files that live in $SPLUNK_HOME/etc/apps/search/default/data/ui/manager/

Although there is really no documentation for that system at all, some people have succeeded in reverse engineering that system to add or modify pages in Manager. Depending on what custom functionality you're trying to achieve, this could be the way to go.
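The entity-to-row idea from point 1, as an added example that is not part of the original answer and is not the Discover app's code: it flattens a saved-searches feed into rows, keeps only entities whose `eai:acl.app` matches one app, and drops the columns the question wants hidden. The feed is a constructed sample modelled on the Atom XML that splunkd's REST endpoints return; the app name `my_app`, the searches, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"a": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample, modelled on the Atom feed splunkd returns for saved searches.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <entry><title>Failed logins by host</title>
    <content type="text/xml"><s:dict>
      <s:key name="search">eventtype=failed_login | stats count by host</s:key>
      <s:key name="eai:acl"><s:dict>
        <s:key name="app">my_app</s:key>
        <s:key name="owner">admin</s:key>
        <s:key name="sharing">app</s:key>
      </s:dict></s:key>
    </s:dict></content></entry>
  <entry><title>Errors in the last 24 hours</title>
    <content type="text/xml"><s:dict>
      <s:key name="search">error OR failed</s:key>
      <s:key name="eai:acl"><s:dict>
        <s:key name="app">search</s:key>
        <s:key name="sharing">global</s:key>
      </s:dict></s:key>
    </s:dict></content></entry>
</feed>"""

def flatten(dict_el, prefix=""):
    """Turn an <s:dict> into flat fields; nested dicts become dotted names."""
    fields = {}
    for key in dict_el.findall("s:key", NS):
        name = prefix + key.get("name")
        nested = key.find("s:dict", NS)
        if nested is not None:
            fields.update(flatten(nested, name + "."))
        else:
            fields[name] = (key.text or "").strip()
    return fields

def entities_to_rows(feed_xml, app, keep):
    """One row per entity owned by `app`, restricted to the `keep` columns."""
    rows = []
    for entry in ET.fromstring(feed_xml).findall("a:entry", NS):
        fields = {"name": entry.findtext("a:title", "", NS)}
        content = entry.find("a:content/s:dict", NS)
        if content is not None:
            fields.update(flatten(content))
        if fields.get("eai:acl.app") == app:  # drop other apps' entities
            rows.append({col: fields.get(col, "") for col in keep})
    return rows
```

Calling `entities_to_rows(SAMPLE_FEED, "my_app", ["name", "search"])` yields one row per entity in that app with only the listed columns, which is the shape a results table in a view needs.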

klee310
Communicator

3 - Actually, my original thought was to try and add the XML from the manager path to my view with the ServerSideInclude module. Apparently, that doesn't work.

I will give the entity module a whirl.

Much appreciated.
