Splunk Search

How to create a menu item in the search app?

ruffieuxlu
New Member

Hi, I am trying to create an arborescence of saved searches, but I have some problems. I would like to have something like this:

Windows
  Severity/criticality
  --1
    --security
    --...
  --2
    --security
    --...
  --n
    --security
    --...
  Logon fails
  ...

Linux
  same

Cisco
  same

But I saw that in the Search application it's impossible to have more than 2 levels of sub-menu in 'Search & Reports' (http://answers.splunk.com/questions/5311/multi-level-nav-menu-wont-open). So I tried to add a new menu item at the bottom of the file SPLUNK/etc/apps/search/default/data/ui/nav/default.xml, but it doesn't appear either.

Is it possible to add a menu item or do something else to classify the saved searches?

Thanks for your help and sorry for the possible English mistakes 😃

EDIT: Here's my default.xml

<nav>
  <view name="dashboard" default='true' />
  <view name="flashtimeline" />
  <collection label="Status">
    <collection label="Search activity">
      <view name="search_status" />
      <view name="search_detail_activity" />
      <view name="search_user_activity" />
      <view name="search_ui_activity" />
    </collection>
    <collection label="Index activity">
      <view name="index_status" />
      <view name="index_status_health" />
      <view name="indexing_volume" />
    </collection>
    <collection label="Server activity">
      <view name="splunkd_status" />
      <view name="splunkweb_status" />
    </collection>
    <view name="inputs_status" />
    <collection label="Scheduler activity">
      <view name="scheduler_status" />
      <view name="scheduler_user_app" />
      <view name="scheduler_savedsearch" />
      <view name="scheduler_status_errors" />
      <view name="pdf_activity" />
    </collection>
  </collection>
  <collection label="Views">
    <view name="charting" />
    <divider />
    <view source="unclassified" />
    <divider />
    <a href="/manager/search/data/ui/views">Manage Views</a>
  </collection>
  <collection label="Searches &amp; Reports">
    <collection label="Errors">
      <saved source="unclassified" match="error" />
    </collection>
    <collection label="Admin">
      <saved source="unclassified" match="Admin" />
    </collection>
    <collection label="Inputs">
      <saved source="unclassified" match="Inputs" />
    </collection>
    <divider />
    <a href="/manager/search/saved/searches">Manage Searches &amp; Reports</a>
  </collection>

  <collection label="Windows Criticality">
    <collection label="Info">
      <saved source="unclassified" match="WCrit0" />
    </collection>
  </collection>

</nav>
0 Karma

ruffieuxlu
New Member

I'm stupid, I have just seen that I have deleted, I don't know when, my 'WCrit0' saved searches ... So I have created a new one and it works fine.

Sorry for your wasted time =/

0 Karma
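
An added example, not part of the original thread and not Splunk's own tooling: an offline check of a nav file against a list of saved-search names, flagging `<saved match="...">` entries that match nothing (the cause found in the reply above) and collections nested deeper than the limit mentioned in the question. The sample XML, the saved-search names, the case-insensitive substring matching and the way depth is counted are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed nav in the shape of the default.xml posted above,
# plus a hypothetical three-level "Windows" collection.
NAV_XML = """
<nav>
  <collection label="Errors">
    <saved source="unclassified" match="error" />
  </collection>
  <collection label="Windows Criticality">
    <collection label="Info">
      <saved source="unclassified" match="WCrit0" />
    </collection>
  </collection>
  <collection label="Windows">
    <collection label="Severity">
      <collection label="1">
        <saved source="unclassified" match="WCrit1" />
      </collection>
    </collection>
  </collection>
</nav>
"""
# Constructed saved-search names; none of them contains "WCrit0".
SAVED_SEARCHES = ["Splunk errors last 24 hours", "WCrit1 security events"]


def lint_nav(nav_xml, saved_names, max_depth=2):
    """Return (collection path, problem) tuples for entries that may not render.

    Assumptions: a top-level collection counts as depth 1, and max_depth=2
    stands in for the nesting limit reported in the question.
    """
    findings = []

    def walk(node, path):
        for child in node:
            if child.tag == "collection":
                here = path + [child.get("label", "?")]
                if len(here) > max_depth:
                    findings.append(("/".join(here), "nested too deep"))
                walk(child, here)
            elif child.tag == "saved" and child.get("match"):
                # Assumption: match is a case-insensitive substring test.
                m = child.get("match")
                if not any(m.lower() in name.lower() for name in saved_names):
                    findings.append(("/".join(path), "no saved search matches " + m))

    walk(ET.fromstring(nav_xml), [])
    return findings

if __name__ == "__main__":
    for path, problem in lint_nav(NAV_XML, SAVED_SEARCHES):
        print(path + ": " + problem)
```
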

thall79
Communicator

Question: what permissions does your saved search have, and what app is that saved search associated with?

Travis.

0 Karma

ftk
Motivator

Your default.xml looks correct to me. Did you restart Splunk after changing the file?

ftk
Motivator

Please post your default.xml so we can take a look at it.

0 Karma