Max Lines Value Update In Search & Reporting App

anandhalagaras1
Contributor

Hi Team,

Our Splunk Search heads are hosted in Cloud and managed by Support and currently we are running with the latest version (9.1.2308.203). 

This relates to the Max Lines configuration within the Format segment of the Search and Reporting App.

Previously, Splunk defaulted to displaying 20 or more lines in search results within the Search and Reporting App. As an administrator responsible for extracting Splunk logs across various applications over the years, I never found the need to expand concise search results to read all lines. However, in recent weeks, perhaps following an upgrade of the Splunk Search heads, I've noticed that each time I open a new Splunk search window or the existing Splunk tab times out and auto-refreshes, the Format > Max Lines option resets to 5. As a result, I consistently have to adjust it after nearly every search, which has become cumbersome.

Therefore, kindly provide guidance on changing the default value from 5 to 20 in the Search and Reporting App on Adhoc & ES Search heads. This adjustment would ease the inconvenience experienced by numerous customers and end-users who currently find it troublesome to customize it for each search.

 

The file is ui-prefs.conf, so I've filed a case with support to address this issue. Unfortunately, support wasn't able to make the necessary changes at the backend and suggested that I create a custom app and deploy it in the app upload section. Consequently, I created a custom app, deployed it, and it successfully passed the vetting process. Afterward, I restarted the Search head, but the changes didn't take effect.

Upon reaching out to support again, they were unable to provide a solution for the issue. Therefore, I require assistance in resolving this matter.

So refer to the screenshot of the app which I have deployed for reference.

Created an app as below:

MaxLines_Values folder. Inside the MaxLines_Values folder there would be default and metadata folders as mentioned in the screenshot.

So kindly help on the same.

[Screenshots: Max Lines Value.png, Default and MetaData Folder.png, MaxLines_Values Folder.png, ui prefs config.png]

 


deepakc
Builder

Maybe it's not taking the settings due to app/config order precedence. Run this to see your app's settings:

| rest splunk_server=local services/configs/conf-ui-prefs
| rename eai:appName AS app
| table app, disabled, display.events.maxLines, eai:acl.owner, eai:acl.perms.read, eai:acl.perms.write, eai:acl.sharing

 

As these settings are in the search app

MaxLines_Values (YOUR_APP)

This file needs to be ui-prefs.conf and needs to be in the default folder in your app MaxLines_Values. It will then auto place it into local in cloud. Make sure you update the version number so Splunk takes the new version, as you already have it in there.

/default/ui-prefs.conf

[search]
display.events.maxLines = 20

 

Your metadata needs permissions

metadata/default.meta

[]
access = read : [ * ], write : [ admin, sc_admin]
export = system

 

I can't test this as I don't have cloud, but it's worth a go. If that fails, it's worth installing https://splunkbase.splunk.com/app/6368

As this can show app precedence order

| btool ui-prefs list --local
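
A pre-upload check for the three points in the answer above (ui-prefs.conf in default, export = system in default.meta, a bumped version), as an added example that is not part of the original post or of Splunk's tooling. It assumes the version is the dotted-integer `[launcher] version` in default/app.conf; the function names and `SAMPLE` data are constructed.

```python
import re
from pathlib import Path

REQUIRED = ("default/app.conf", "default/ui-prefs.conf", "metadata/default.meta")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, including the empty [] stanza."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def load_app(app_dir):
    """Read the files this check needs from an unpacked app directory."""
    root = Path(app_dir)
    return {p: (root / p).read_text() for p in REQUIRED if (root / p).is_file()}

def version_key(version):
    # Assumption: versions are dotted integers such as 1.0.1.
    return tuple(int(part) for part in version.split("."))

def check_app(files, deployed_version):
    """Return the problems that would stop the new default from applying."""
    problems = [f"{path} is missing" for path in REQUIRED if path not in files]
    conf = {path: parse_conf(files.get(path, "")) for path in REQUIRED}
    max_lines = conf["default/ui-prefs.conf"].get("search", {}).get("display.events.maxLines", "")
    if not max_lines.isdigit():
        problems.append("[search] display.events.maxLines is not a number")
    if conf["metadata/default.meta"].get("", {}).get("export") != "system":
        problems.append("default.meta [] stanza lacks export = system")
    version = conf["default/app.conf"].get("launcher", {}).get("version", "0")
    if version_key(version) <= version_key(deployed_version):
        problems.append(f"version {version} is not newer than deployed {deployed_version}")
    return problems

# Constructed sample: the files from the answer plus an app.conf that was not bumped.
SAMPLE = {
    "default/app.conf": "[launcher]\nversion = 1.0.0\n",
    "default/ui-prefs.conf": "[search]\ndisplay.events.maxLines = 20\n",
    "metadata/default.meta": "[]\naccess = read : [ * ], write : [ admin, sc_admin]\nexport = system\n",
}

if __name__ == "__main__":
    print(check_app(SAMPLE, deployed_version="1.0.0"))
```

For a real package, pass `load_app("MaxLines_Values")` instead of `SAMPLE`, with the version currently installed on the search head as `deployed_version`.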

 

anandhalagaras1
Contributor

@deepakc ,

Thank you. It worked like a charm.


deepakc
Builder

@anandhalagaras1 
Glad it worked mate, and you're welcome
