Solved: How to manage Searches & Reports in 6.2.0

ufotech · ‎12-11-2014

In 4.3 SPLUNK we had a niche drop-down menue with our saved searches properly grouped.
Therefore we would define collections in default.xml like:

<collection label="Searches &amp; Reports">
    <collection label="FIX">
      <saved source="unclassified" match="FIX" />
    </collection>

It appears that in 6.2.0 all of this has gone. The default.xml is basically empty.

What is the concept now of grouping searches and displaying them in a drop-down menue as opposed to having to switch to the reports-page?

Thanks

chimell · ‎12-12-2014

try it like this :
      If you want to create for example 5 views (reports) you must write 5 queries and use each of them in his own view using xml code . see link : http://student04:8000/en-US/manager/my_app_name/data/ui/views .This is a example of report code xml : 

    <dashboard >
          <label> the label of your report</label>
          <row>
            <panel>
            <title>title of your first panel</title>
            <searchString>enter your search code </searchString>
           <earliestTime> enter your earliest time e.g   -60m@m<earliestTime>
           <latestTime>enter your latest time <latestTime>
           </panel>
   </dashboard>
          Save it as report1 for example

      After creating all your view reports  go to http://student04:8000/en-US/manager/my_app_name/data/ui/nav/default   and write this code : 

      <nav  search_view=" my_app_name " color="#993300">
            <view name="search" default='true' />
            <collection  label="my reports">
                         <view name="report1"/>
                         <view name="report2"/>
                             ……………
            </collection>
    </nav>
    After doing this you must see the drop down menu of your report in the interface of your application.

View solution in original post

chimell · ‎12-12-2014

try it like this :
      If you want to create for example 5 views (reports) you must write 5 queries and use each of them in his own view using xml code . see link : http://student04:8000/en-US/manager/my_app_name/data/ui/views .This is a example of report code xml : 

    <dashboard >
          <label> the label of your report</label>
          <row>
            <panel>
            <title>title of your first panel</title>
            <searchString>enter your search code </searchString>
           <earliestTime> enter your earliest time e.g   -60m@m<earliestTime>
           <latestTime>enter your latest time <latestTime>
           </panel>
   </dashboard>
          Save it as report1 for example

      After creating all your view reports  go to http://student04:8000/en-US/manager/my_app_name/data/ui/nav/default   and write this code : 

      <nav  search_view=" my_app_name " color="#993300">
            <view name="search" default='true' />
            <collection  label="my reports">
                         <view name="report1"/>
                         <view name="report2"/>
                             ……………
            </collection>
    </nav>
    After doing this you must see the drop down menu of your report in the interface of your application.

chimell · ‎04-21-2015

thank for the accepted answer

chimell · ‎04-21-2015

now i need that you vote me

ufotech · ‎12-11-2014

Ok. I found that copying the content into default.xml produces the required result.
It still works in 6.2.0 just the same.
Only the settings were lost in the two-step migration 4.3 - 6.0 - 6.2

How to manage Searches & Reports in 6.2.0

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?