How to customize the search app search dashboard?

Path Finder

We would like to remind Splunk users to always include an index in their queries. With over 200 indexes it is taxing to search without an index. The idea is to edit the search dashboard in the search app as this is what is most frequently bookmarked.

I've dug around in the search_mrsparkles code for over an hour and can't seem to find the code where I could insert a simple div tag with some text to remind the users. I know that it would get overwritten during an upgrade and I am willing to maintain that going forward.

Any pointers?

Thanks!
Paul

0 Karma
1 Solution

Path Finder

Thanks for all of the tips and tricks.

This is what I am going forward with:
append:
.search-name:after{font-size: small; font-weight: bold;background:none; content: "You should always use an index in your query. To understand why visit the Splunk FAQ"}
to:
splunk\share\splunk\search_mrsparkle\exposed\build\css\bootstrap-enterprise.css
I only wish that the link could be clickable, but I'm fine with it as it is.

0 Karma

SplunkTrust

Modifying the search view's code is no fun whatsoever. Attempt any other route before you go down that rabbit hole... e.g. CSS shenanigans from the outside.

That being said, have you considered reducing the set of indexes people search by default? Not the searchable indexes, but those that are searched when a user just enters "hello" into the search bar.
That won't protect you from writing index=* explicitly, but it'll at least force the user to think about the index field.

In general, this is best tackled through user education.

0 Karma

Path Finder

@martin_mueller, I agree education is the best approach, so I continued with getting the CSS hack to work.
This is the file I ended up appending to: Splunk\share\splunk\search_mrsparkle\exposed\build\css\bootstrap-enterprise.css using this code:
.search-name:after{font-size: small; font-weight: bold;background:none; content: "You should always use an index in your query. To understand why visit the Splunk FAQ"}
Worked like a champ, and I found out that because this is a global CSS file the reminder shows up in every search bar regardless of the UI app.

P.S. We thought about limiting the indexes to a smaller list, but the current expected behavior is that it is searching everything, so it would be harder to communicate that out, rather than using friendly reminders. We also send out weekly reminders to any users that performed a search without an index during the last week.

0 Karma
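
The weekly reminder mentioned in the post above needs a way to decide whether a search named a specific index. The following is an added example (not code from the thread or from Splunk) that assumes search strings have already been exported as (user, search) pairs; the sample rows are constructed, the function names are hypothetical, and only the base search before the first pipe is inspected.

```python
import re
from collections import Counter

# Forms recognised: index=web, index = "web", index::web, index IN (a, "b").
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
_TERM = re.compile(r'(?<![\w.\-])index\s*(?:=|::)\s*"?([\w*.\-]+)"?')
_IN_LIST = re.compile(r'(?<![\w.\-])index\s+(?i:in)\s*\(([^)]*)\)')
# True when the text so far ends right where an index value is expected.
_VALUE_POS = re.compile(r'(?<![\w.\-])index\s*(?:=|::|\s(?i:in)\s*\([^)]*)$')

def _blank_phrases(text):
    """Drop quoted phrases so text such as "index=web" inside a phrase
    or another field's value is not mistaken for an index filter."""
    def repl(m):
        before = text[:m.start()].rstrip()
        return m.group(0) if _VALUE_POS.search(before) else " "
    return _QUOTED.sub(repl, text)

def explicit_indexes(spl):
    """Index names used in the base search (before the first pipe)."""
    base = _blank_phrases(spl.strip()).split("|", 1)[0]
    names = _TERM.findall(base)
    for listed in _IN_LIST.findall(base):
        names += [n.strip(' "') for n in listed.split(",") if n.strip(' "')]
    return names

def classify(spl):
    if spl.lstrip().startswith("|"):
        return "generating"  # e.g. | tstats; outside the scope of this check
    names = explicit_indexes(spl)
    if not names:
        return "no_index"
    return "wildcard_index" if "*" in names else "ok"

def offenders(rows):
    """Per-user count of searches that should trigger a reminder."""
    flagged = ("no_index", "wildcard_index")
    return dict(Counter(user for user, q in rows if classify(q) in flagged))

# Constructed sample rows: (user, search string).
SAMPLE = [
    ("alice", 'search index=web status=500'),
    ("bob", 'search "connection reset by peer"'),
    ("bob", 'index=* error'),
    ("carol", 'search "saw index=web in the docs" timeout'),
    ("dave", '| tstats count where index=web by host'),
    ("erin", 'index IN ("web", app_logs) error | stats count by host'),
]

if __name__ == "__main__":
    print(offenders(SAMPLE))
```
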

Splunk Employee
0 Karma

Path Finder

Interesting... There are some "creative" ways to use CSS to modify content after the fact. I'll have to try. I think you can also swap out text for an image using CSS.

I'll post back my findings.

(But would still like to know where the source of the search dashboard is...)

0 Karma

SplunkTrust

I am not sure how to do it, although I vaguely recall an answer to this floating around here somewhere, so I am positive it will pop up.
With that being said, I would highly recommend considering roles, who belongs to which role, and assigning indexes available and indexes searched by default accordingly.
You can limit users to specific indexes and ease the load on the system.
Not sure how many users there are and how large your environment is, but I am positive it will be much more helpful than reminding users with a short message.

0 Karma

Path Finder

adonio
Thanks for the quick reply. The idea isn't to restrict who can see what, but to ensure that an index is used in the query, and I don't mean index=*. A lot of our users will use Splunk like they do Google and just throw in a keyword or error message. The idea is to remind them that using an index speeds up the query by a factor of 10. Also, I would like to include a link to our Wiki on why it is important and some common indexes that they could be using but aren't.
Cheers,
Paul

0 Karma

SplunkTrust

Paul,
I agree that it is super important to define an index at the beginning of a search. I do, however, find it more convenient to restrict them according to their respective role and security clearance. Once you set the indexes searched by default, even if a user ABC searches just for "error", Splunk will only search the indexes this user has by default. Limiting those indexes by itself will force users to use index = bla.
I can assure you that setting the right policies will benefit your Splunk performance and user satisfaction, as they will receive results faster.

0 Karma

Motivator

Maybe you need to check the Master.pcss files under the $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed folder and try updating the string.

If you just want to show a message at load time, you may add a div to /opt/splunk/share/splunk/search_mrsparkle/templates/pages/app.html

0 Karma