Security

Max Lines Value Update In Search & Reporting App

anandhalagaras1
Communicator

Hi Team,

Our Splunk Search heads are hosted in Cloud and managed by Support and currently we are running with the latest version (9.1.2308.203). 

This relates to the Max Lines configuration within the Format segment of the Search and Reporting App.

Previously, Splunk defaulted to displaying 20 or more lines in search results within the Search and Reporting App. As an administrator responsible for extracting Splunk logs across various applications over the years, I never found the need to expand concise search results to read all lines. However, in recent weeks, perhaps following an upgrade of the Splunk Search heads, I've noticed that each time I open a new Splunk search window or the existing Splunk tab times out and auto-refreshes, the Format > Max Lines option resets to 5. As a result, I consistently have to adjust it after nearly every search, which has become cumbersome.

Therefore, kindly provide guidance on changing the default value from 5 to 20 in the Search and Reporting App on Adhoc & ES Search heads. This adjustment would ease the inconvenience experienced by numerous customers and end-users who currently find it troublesome to customize it for each search.

 

The file is ui-prefs.conf, so I've filed a case with support to address this issue. Unfortunately, support wasn't able to make the necessary changes at the backend and suggested that I create a custom app and deploy it in the app upload section. Consequently, I created a custom app, deployed it, and it successfully passed the vetting process. Afterward, I restarted the Search head, but the changes didn't take effect.

Upon reaching out to support again, they were unable to provide a solution for the issue. Therefore, I require assistance in resolving this matter.

So refer the screenshot of the app which I have deployed for reference.

Created a app as below:

MaxLines_Values folder. Inside MaxLines_Value folder there would be default and metadata folder as mentioned in screenshot.

So kindly help on the same.

Max Lines Value.pngDefault and MetaData Folder.pngMaxLines_Values Folder.pngui prefs config.png

 

Labels (1)
0 Karma
1 Solution

deepakc
Builder

Maybe it’s not taking the settings due to app/config order precendece, run this to see you apps settings

| rest splunk_server=local services/configs/conf-ui-prefs
| rename eai:appName AS app
| table app, disabled, display.events.maxLines, eai:acl.owner, eai:acl.perms.read, eai:acl.perms.write, eai:acl.sharing

 

As these settings is in the search app

MaxLines_Values (YOUR_APP)

(This file needs to be ui-prefs.conf needs to be in the default folder in your app MaxLines_Values, it will then auto place it into local in cloud, make sure you update the version number so Splunk takes the new version as you already have it in there.

/default/ui-prefs.conf

[search]
display.events.maxLines = 20

 

Your meta data needs permissions

metatdata/default.meta

[]
access = read : [ * ], write : [ admin, sc_admin]
export = system

 

I can’t test this as I don't have cloud, but worth a go, if that fails worth installing https://splunkbase.splunk.com/app/6368

As this can show app precedence order

| btool ui-prefs list --local

 

View solution in original post

deepakc
Builder

Maybe it’s not taking the settings due to app/config order precendece, run this to see you apps settings

| rest splunk_server=local services/configs/conf-ui-prefs
| rename eai:appName AS app
| table app, disabled, display.events.maxLines, eai:acl.owner, eai:acl.perms.read, eai:acl.perms.write, eai:acl.sharing

 

As these settings is in the search app

MaxLines_Values (YOUR_APP)

(This file needs to be ui-prefs.conf needs to be in the default folder in your app MaxLines_Values, it will then auto place it into local in cloud, make sure you update the version number so Splunk takes the new version as you already have it in there.

/default/ui-prefs.conf

[search]
display.events.maxLines = 20

 

Your meta data needs permissions

metatdata/default.meta

[]
access = read : [ * ], write : [ admin, sc_admin]
export = system

 

I can’t test this as I don't have cloud, but worth a go, if that fails worth installing https://splunkbase.splunk.com/app/6368

As this can show app precedence order

| btool ui-prefs list --local

 

anandhalagaras1
Communicator

@deepakc ,

Thank you. It worked like a charm.

0 Karma

deepakc
Builder

@anandhalagaras1 
Glad it worked mate, and your welcome  

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...