Hi, I am trying to create an arborescence of saved search but I have some problems. I would like to have something like that :
Windows
Severity/criticality
--1
--security
--...
--2
--security
--...
--n
--security
--...
Logon fails
...
Linux
same
Cisco
same
But I saw that in Search application it's impossible to have more than 2 levels of sub-menu in the 'Search & Reports' ( http://answers.splunk.com/questions/5311/multi-level-nav-menu-wont-open ) So I tried to add a new menu item in the bottom of the file SPLUNK/etc/apps/search/default/data/ui/nav/default.xml , but it doesn't appear too.
Is it possible to add a menu item or do something else to classify the saved search ?
Thank for your help and sorry for the possible english mistakes 😃
EDIT : Here's my default.xml
<nav>
<view name="dashboard" default='true' />
<view name="flashtimeline" />
<collection label="Status">
<collection label="Search activity">
<view name="search_status" />
<view name="search_detail_activity" />
<view name="search_user_activity" />
<view name="search_ui_activity" />
</collection>
<collection label="Index activity">
<view name="index_status" />
<view name="index_status_health" />
<view name="indexing_volume" />
</collection>
<collection label="Server activity">
<view name="splunkd_status" />
<view name="splunkweb_status" />
</collection>
<view name="inputs_status" />
<collection label="Scheduler activity">
<view name="scheduler_status" />
<view name="scheduler_user_app" />
<view name="scheduler_savedsearch" />
<view name="scheduler_status_errors" />
<view name="pdf_activity" />
</collection>
</collection>
<collection label="Views">
<view name="charting" />
<divider />
<view source="unclassified" />
<divider />
<a href="https://answers.splunk.commanager/search/data/ui/views">Manage Views</a>
</collection>
<collection label="Searches & Reports">
<collection label="Errors">
<saved source="unclassified" match="error" />
</collection>
<collection label="Admin">
<saved source="unclassified" match="Admin" />
</collection>
<collection label="Inputs">
<saved source="unclassified" match="Inputs" />
</collection>
<divider />
<a href="https://answers.splunk.commanager/search/saved/searches">Manage Searches & Reports</a>
</collection>
<collection label="Windows Criticality">
<collection label="Info">
<saved source="unclassified" match="WCrit0" />
</collection>
</collection>
</nav>
I'm stupid, I have just seen that I have deleted, I don't know when, my 'WCrit0' saved searches ... So I have created a new one and it works fine.
Sorry for your wasted time =/
Question what permissions does your saved search have and what app is that saved search associated with?
Travis.
Your default.xml looks correct to me. Did you restart splunk after changing the file?
Please post your default.xml so we can take a look at it.