
How to expand "Results per Page" dropdown? WITH ANSWER!

dpaper
Explorer

This is both a question AND an answer.

I want to see more than 50 lines of output on a results page. How do I do that?

Being restricted to 10, 20 or 50 events worth of output stinks. Badly. Splunk doesn't provide a mechanism to do this, but it is changeable if you are adventurous.

In $SPLUNK/share/splunk/search_mrsparkle/modules/results/page_controls/Count.html (back this file up first), add the following for 100 events under the "% endfor" at or near line 42:

    <option value="100">100</option>

This will leave the 10, 20, and 50 with 50 being the default, but give you the option of 100. Reloading the search app will pick up the change, no need to restart Splunkweb.

Enjoy.


myudkowsky
Communicator

In Splunk 6.x, XML no longer works; instead, you must modify the JS.

I modified the JS in the following file:

share/splunk/search_mrsparkle/exposed/js/build/searchpage.js

First I de-minified the JS. Searching the file, I find:

    this.children.count = new s({
        modelAttribute: "display.prefs.events.count",
        model: this.model.content,
        items: [{
            value: "10",
            label: _("10 Per Page").t()
        }, {
            value: "20",
            label: _("20 Per Page").t()
        }, {
            value: "50",
            label: _("50 Per Page").t()
        }],
        save: !2,
        elastic: !0,
        menuWidth: "narrow",
        toggleClassName: "btn-pill",
        popdownOptions: {
            attachDialogTo: "body"
        }

I modify this to read:

    this.children.count = new s({
        modelAttribute: "display.prefs.events.count",
        model: this.model.content,
        items: [{
            value: "10",
            label: _("10 Per Page").t()
        }, {
            value: "20",
            label: _("20 Per Page").t()
        }, {
            value: "50",
            label: _("50 Per Page").t()
        }, {
            value: "100",
            label: _("100 Per Page").t()
        }, {
            value: "250",
            label: _("250 Per Page").t()
        }],
        save: !4,
        elastic: !0,
        menuWidth: "narrow",
        toggleClassName: "btn-pill",
        popdownOptions: {
            attachDialogTo: "body"
        }

In other words, I add 100 and 250 as options, and I make 250 the standard option. I then minify the JS file. (I realize it may be possible to modify files in the views directory, e.g., share/splunk/search_mrsparkle/exposed/js/views/search/results/eventspane/controls/Master.js, in order to add the improved selections, but I have not tested it.)

Once I restart splunkd and splunkweb, and of course make certain to flush the cache on the browser, the 250 option appears.

I modified my $SPLUNK_HOME/etc/apps/*/local/savedsearches.conf as well as the one in $SPLUNK_HOME/etc/system/local to include, at the top,

    [default]
    display.prefs.events.count = 250

which seems to have reset searches to use 250 as the default display. I modified individual saved searches as needed, and I have also gone through viewstates.conf and modified the mysterious, apparently-undocumented Count* lines to 250 instead of their default 50.

However, to date, I have not been able to get my standard search page to pre-select 250 as the default; it always comes up as the standard 50 per page. At the moment, I use "?display.prefs.events.count=250" appended to the URL of the bookmarked search page to force the page into default display of 250 results per page, and wouldn't mind hearing if someone has managed to get the default search page to work without this workaround.

0 Karma

myudkowsky
Communicator

My current installation, as of the date of this post, is running Splunk version 7.3.1. In this version, the file to modify is

splunk/share/splunk/search_mrsparkle/exposed/build/pages/enterprise/common.js

The code to modify with extra page lengths is where we see:

splunk/share/splunk/search_mrsparkle/exposed/build/pages/enterprise/common.js

and then as previously noted.

I was able to increase pages on the statistics output by modifying

splunk/share/splunk/search_mrsparkle/exposed/build/pages/enterprise/search.js

to read

    Base.prototype.initialize.apply(this, arguments), this.children.count = new SyntheticSelectControl({
        menuWidth: "narrow",
        className: "btn-group pull-left",
        items: [ {
            value: "10",
            label: _("10 Per Page").t()
        }, {
            value: "20",
            label: _("20 Per Page").t()
        }, {
            value: "50",
            label: _("50 Per Page").t()
        }, {
            value: "100",
            label: _("100 Per Page").t()
        }, {
            value: "200",
            label: _("200 Per Page").t()
        }, {
            value: "500",
            label: _("500 Per Page").t()
        } ],
        model: this.model.report.entry.content,
        modelAttribute: "display.prefs.statistics.count",

but my other attempts failed.

The main difference is that display.prefs.statistics.count. It has to be adjacent to the declaration of the number of rows.

0 Karma

sideview
SplunkTrust

You want to edit the XML to accomplish this. Don't go editing the module source code as dpaper suggested, because for one thing such changes are guaranteed to break on upgrades.

So if you want to alter the default 'flashtimeline' view, you would log in as admin, go to Manager, User Interface, Views, then find 'flashtimeline' and click it to edit.
In the massive block of XML (you may want to temporarily paste it out into a text editor), find the block that looks like this:

    <module name="Count" layoutPanel="pageControls">
      <param name="options">
        <list>
          <param name="text">10</param>
          <param name="value">10</param>
        </list>
        <list>
          <param name="text">20</param>
          <param name="value">20</param>
        </list>
        <list>
          <param name="text">50</param>
          <param name="selected">True</param>
          <param name="value">50</param>
        </list>
      </param>

As you can see the options that are presented by the Count module are actually configured explicitly in the view. Apps often stick with these same options = 10,20,50. But nothing prevents you from pasting in another <list> block with appropriate <param> tags and you can get 100,200,500 etc...

Note: If you're the really adventurous sort, Sideview Utils now includes an "Events" module that is similar to EventsViewer except that it implements an endless scrolling system. When the user scrolls down or up, it will fetch more events as necessary. As such you can dispense with both the Pager module (or Paginator if you still use Paginator) and the Count module. Sideview Utils contains an implemented example of the flashtimeline view with this functionality already in there. Check it out. Also it's quite new so let me know if you have any problems or feedback.
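
The view edit described in the answer above, scripted as an added example (not code from the original post, Splunk, or Sideview Utils): it appends missing `<list>` entries to a Count module and can move the `selected` flag. The sample view is constructed from the quoted block; the `<view>` wrapper and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Count block quoted above, closed and wrapped in a
# <view> root (an assumption) so that it parses as a standalone document.
SAMPLE_VIEW = """<view>
<module name="Count" layoutPanel="pageControls">
  <param name="options">
    <list><param name="text">10</param><param name="value">10</param></list>
    <list><param name="text">20</param><param name="value">20</param></list>
    <list><param name="text">50</param><param name="selected">True</param>
      <param name="value">50</param></list>
  </param>
</module>
</view>"""


def _options(root):
    """Yield the <param name="options"> element of every Count module."""
    for module in root.iter("module"):
        opts = module.find("param[@name='options']")
        if module.get("name") == "Count" and opts is not None:
            yield opts


def add_count_options(view_xml, new_values, selected=None):
    """Append missing page sizes; optionally move the 'selected' flag."""
    root = ET.fromstring(view_xml)
    for opts in _options(root):
        present = {e.findtext("param[@name='value']") for e in opts.findall("list")}
        for value in (str(v) for v in new_values):
            if value not in present:  # idempotent: never duplicate an entry
                entry = ET.SubElement(opts, "list")
                for name in ("text", "value"):
                    ET.SubElement(entry, "param", {"name": name}).text = value
        if selected is not None:
            for entry in opts.findall("list"):
                for flag in entry.findall("param[@name='selected']"):
                    entry.remove(flag)
                if entry.findtext("param[@name='value']") == str(selected):
                    ET.SubElement(entry, "param", {"name": "selected"}).text = "True"
    return ET.tostring(root, encoding="unicode")


def count_options(view_xml):
    """Return [(value, is_selected), ...] for the Count modules in a view."""
    return [(e.findtext("param[@name='value']"), e.find("param[@name='selected']") is not None)
            for opts in _options(ET.fromstring(view_xml)) for e in opts.findall("list")]
```

Running `count_options` on the XML before and after the change gives a quick check that exactly one entry is selected and no page size was duplicated before the view is saved back through Manager, User Interface, Views.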

sideview
SplunkTrust

In 6.0 the "search" page is actually no longer the flashtimeline view. So edits to flashtimeline.xml have no effect on it. Also the implementation of the search page isn't in the search app anymore, so you can't override it by copying the core implementation and tweaking it. There is a search.xml but it just redirects down the rabbithole to a massive ball of code down in $SPLUNK_HOME/share/. So somewhat surprisingly even after looking at this for a while, I have no idea except that it looks extremely difficult.

0 Karma

jkat54
SplunkTrust
0 Karma

mmelchers
Engager

Does anybody know how to fix this in version 6? It stopped working after we upgraded

myudkowsky
Communicator

See my comments in other places in this discussion, which I've tested up to version 7.3.1.

0 Karma

jaxjohnny
Path Finder

This works in version 5.x also.

0 Karma

dpaper
Explorer

This is indeed a way better way to do this. I've been trying to figure this out forever, and couldn't find any docs on it.

Thanks!

dpaper
Explorer

In $SPLUNK/share/splunk/search_mrsparkle/modules/results/page_controls/Count.html (back this file up first), add the following for 100 events under the "% endfor" at or near line 42:

    <option value="100">100</option>

This will leave the 10, 20, and 50 with 50 being the default, but give you the option of 100. Reloading the search app will pick up the change, no need to restart Splunkweb.

Enjoy.

EDIT
Drat.

So it turns out this only works on 4.1.x. When I upgraded to 4.2.[34], this hack breaks. TOTAL SUCK! Will re-post as soon as I figure out how to get this trick to work in 4.2.x.

smithpj
Explorer

I downvoted this post because not a perm. fix, just temp.

0 Karma

MBerikcurtis
Path Finder

this should be the default. Adding 100,200 and 500

0 Karma

jaxjohnny
Path Finder

Absolutely awesome!! Tremendous!
