Splunk Search

Organize "Searches & Reports" and "User Interface/Views" with subfolder within apps context



I have quite a big number of searches and views within an app, and managing them within the "Searches & Reports" panel of the manager is not very convenient. I would really like to create sub-folders within the manager view to sort searches and views.

Is there any way to actually do it?

Note that I don't ask how to sort things in the drop down menu within the search app, but really in the "manager/Searches and reports" view (and in the "user interface/views" too).



My question was maybe not clear enough. My need is to organize searches and views internally. Nothing should show up in the application as it is an end-user app, and it should only contain dashboards and stuff, no searches, because end users don't even know the Splunk syntax.

I would love to have a finer granularity on how searches are organized in the manager. Which means not only by application, but also by type, subtype etc. This is just for me, because actually what I am doing is having a naming convention that puts all related searches close to each other, like this:

prod_summary_relative time
prod_summary_log by mn
prod_summary_ip by hour
draft_segment_session time


This is very inconvenient because I can't see all the related searches (like all summary searches) at once in the manager (I have around 50, and should end up with more than 200).

I have two ideas that may work:
1°) try to customize the default manager view of Splunk, but it is really complicated as the view is generated from JS code and is not a static HTML page.
2°) create a custom app called search manager where I will make dashboards and stuff with what I want, but it may take some time.

I can't believe that nobody ever had this problem in a big application, so I will continue to investigate, but any clue would be greatly appreciated.



You can't create subfolders. But you can take control of how the searches and views display, and build a more organized menu. Here is how you can edit the default navigation for your app: Build Navigation

If you start to use a naming convention for your searches, you can easily categorize them in the navigation

  <collection label="Searches &amp; Reports">
    <collection label="Alerts">
      <saved source="unclassified" match="alert" />
    </collection>
    <collection label="Summary Searches">
      <saved source="unclassified" match="summary" />
    </collection>
    <collection label="Dashboard Components">
      <saved source="unclassified" match="dashboard" />
    </collection>
    <saved source="unclassified" />
    <divider />
    <a href="/manager/search/saved/searches">Manage Searches &amp; Reports</a>
  </collection>

Of course, you have a lot of saved searches that you really never want to run. Categorizing them into a sub-menu may be okay, but really, you should simply remove them from the menus altogether. To do that, edit savedsearches.conf. For each search that you do NOT want on the menu, insert the following:

is_visible = false

For dashboards and views, you can set isVisible = "False" in the <dashboard> or <form> or <view> tag.


Thanks for taking the time to answer. Unfortunately I can't use this, as I do not want any search to show up in the navigation menu, as it should only contain "macro" dashboard links, and should be high level enough that non-specialists can understand it.

What I am looking for is a way to organize and manage, internally, just for me, the way saved searches are displayed, so I can remember where (in which dashboard for example) each saved search is used, and what is its general "theme" (error, draft, summary indexing etc...). Things that end users don't want to know about.

0 Karma


Edited my answer to address your comment.

0 Karma


That's too bad, but I think I may be doing something wrong then?

I have like 3 pages of saved searches within my app. Some are used for summary indexing, some are used to display results in views, some are alerts, and some are just sketches.

I don't want to have to add an entry in the navigation menu of my app for all the drafts I create, and I also don't want to have to filter users that don't have to see these searches.

Thanks anyway!

0 Karma
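
The naming convention from the question and the `is_visible` setting from the answer can both be checked offline against a copy of savedsearches.conf. The Python script below is an added example, not code from the thread or from Splunk: the function names and the sample stanza bodies are constructed for illustration, and it assumes each setting sits on a single line.

```python
import re
from collections import defaultdict

# Constructed sample: stanza names follow the naming convention shown in the
# question; the search strings are placeholders, not real searches.
SAMPLE_CONF = """\
[prod_summary_relative time]
search = index=main | stats count
is_visible = false

[prod_summary_log by mn]
search = index=main | timechart span=1m count

[prod_summary_ip by hour]
search = index=main | timechart span=1h count by clientip
is_visible = false

[draft_segment_session time]
search = index=main | transaction clientip
"""

def parse_conf(text):
    """Return {stanza_name: {key: value}} for a .conf body (single-line values)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: searches contain '='
            current[key.strip()] = value.strip()
    return stanzas

def group_by_prefix(stanzas, depth=2):
    """Group search names by their first `depth` underscore-separated tokens."""
    groups = defaultdict(list)
    for name in stanzas:
        groups["_".join(name.split("_")[:depth])].append(name)
    return dict(groups)

def still_visible(stanzas):
    """Names of searches that do not set is_visible = false."""
    return sorted(name for name, kv in stanzas.items()
                  if kv.get("is_visible", "true").lower() not in ("false", "0"))

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for prefix, names in sorted(group_by_prefix(conf).items()):
        print(prefix, "->", names)
    print("still shown in menus:", still_visible(conf))
```

Changing `depth` widens or narrows the grouping, for example `depth=1` collects everything under `prod` and `draft`.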