Splunk Search

How to manage Searches & Reports in 6.2.0

ufotech
Explorer

In 4.3 SPLUNK we had a niche drop-down menue with our saved searches properly grouped.
Therefore we would define collections in default.xml like:

<collection label="Searches &amp; Reports">
    <collection label="FIX">
      <saved source="unclassified" match="FIX" />
    </collection>

It appears that in 6.2.0 all of this has gone. The default.xml is basically empty.

What is the concept now of grouping searches and displaying them in a drop-down menue as opposed to having to switch to the reports-page?

Thanks

Tags (2)
1 Solution

chimell
Motivator
try it like this :
      If you want to create for example 5 views (reports) you must write 5 queries and use each of them in his own view using xml code . see link : http://student04:8000/en-US/manager/my_app_name/data/ui/views .This is a example of report code xml : 

    <dashboard >
          <label> the label of your report</label>
          <row>
            <panel>
            <title>title of your first panel</title>
            <searchString>enter your search code </searchString>
           <earliestTime> enter your earliest time e.g   -60m@m<earliestTime>
           <latestTime>enter your latest time <latestTime>
           </panel>
   </dashboard>
          Save it as report1 for example

      After creating all your view reports  go to http://student04:8000/en-US/manager/my_app_name/data/ui/nav/default   and write this code : 

      <nav  search_view=" my_app_name " color="#993300">
            <view name="search" default='true' />
            <collection  label="my reports">
                         <view name="report1"/>
                         <view name="report2"/>
                             ……………
            </collection>
    </nav>
    After doing this you must see the drop down menu of your report in the interface of your application.

View solution in original post

chimell
Motivator
try it like this :
      If you want to create for example 5 views (reports) you must write 5 queries and use each of them in his own view using xml code . see link : http://student04:8000/en-US/manager/my_app_name/data/ui/views .This is a example of report code xml : 

    <dashboard >
          <label> the label of your report</label>
          <row>
            <panel>
            <title>title of your first panel</title>
            <searchString>enter your search code </searchString>
           <earliestTime> enter your earliest time e.g   -60m@m<earliestTime>
           <latestTime>enter your latest time <latestTime>
           </panel>
   </dashboard>
          Save it as report1 for example

      After creating all your view reports  go to http://student04:8000/en-US/manager/my_app_name/data/ui/nav/default   and write this code : 

      <nav  search_view=" my_app_name " color="#993300">
            <view name="search" default='true' />
            <collection  label="my reports">
                         <view name="report1"/>
                         <view name="report2"/>
                             ……………
            </collection>
    </nav>
    After doing this you must see the drop down menu of your report in the interface of your application.

chimell
Motivator

thank for the accepted answer

0 Karma

chimell
Motivator

now i need that you vote me

0 Karma

ufotech
Explorer

Ok. I found that copying the content into default.xml produces the required result.
It still works in 6.2.0 just the same.
Only the settings were lost in the two-step migration 4.3 - 6.0 - 6.2

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...