Splunk Search

Organize "Searches & Reports" and "User Interface/Views" with subfolders within an app's context

guilhem
Contributor

Hi,

I have quite a big number of searches and views within an app, and managing them within the "Searches & Reports" panel of the manager is not very convenient. I would really like to create sub-folders within the manager view to sort searches and views.

Is there any way to actually do it?

Note that I am not asking how to sort things in the drop-down menu within the search app, but really in the "manager/Searches and reports" view (and in the "user interface/views" too).

Thanks!


EDIT

My question was maybe not clear enough. My need is to organize searches and views internally. Nothing should show up in the application, as it is an end-user app, and it should only contain dashboards and stuff, no searches, because end users don't even know the Splunk syntax.

I would love to have a finer granularity on how searches are organized in the manager. Which means not only by application, but also by type, subtype etc. This is just for me, because actually what I am doing is having a naming convention that puts all related searches close to one another, like this:

prod_summary_relative time
prod_summary_log by mn
prod_summary_ip by hour
prod_segment_country
prod_segment_browserName
draft_segment_session time

etc...

This is very inconvenient because I can't see all the related searches (like all summary searches) at once in the manager (I have around 50, and should end up with more than 200).

I have two ideas that may work:
1°) try to customize the default manager view of Splunk, but it is really complicated as the view is generated from JS code and is not a static HTML page.
2°) create a custom app called search manager where I will make dashboards and stuff with what I want, but it may take some time.

I can't believe that nobody ever had this problem in a big application, so I will continue to investigate, but any clue would be greatly appreciated.

Guilhem

lguinn2
Legend

You can't create subfolders. But you can take control of how the searches and views display, and build a more organized menu. Here is how you can edit the default navigation for your app: Build Navigation

If you start to use a naming convention for your searches, you can easily categorize them in the navigation:

  <collection label="Searches &amp; Reports">
    <collection label="Alerts">
      <saved source="unclassified" match="alert" />
    </collection>
    <collection label="Summary Searches">
      <saved source="unclassified" match="summary" />
    </collection>
    <collection label="Dashboard Components">
      <saved source="unclassified" match="dashboard" />
    </collection>
    <saved source="unclassified" />
    <divider />
    <a href="/manager/search/saved/searches">Manage Searches &amp; Reports</a>
  </collection>

Of course, you have a lot of saved searches that you really never want to run. Categorizing them into a sub-menu may be okay, but really, you should simply remove them from the menus altogether. To do that, edit savedsearches.conf. For each search that you do NOT want on the menu, insert the following:

is_visible = false

For dashboards and views, you can set isVisible = "False" in the <dashboard> or <form> or <view> tag.
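As an added example that is not part of the original answer: a small Python script that groups savedsearches.conf stanzas by the asker's `env_type_name` naming convention and lists which searches would still appear in menus because `is_visible` is not set to false. The sample stanzas, the search strings, the set of values treated as false, and the single-line `key = value` layout are assumptions made for this illustration.

```python
import configparser
from collections import defaultdict

# Constructed sample; stanza names follow the naming convention from the question.
SAMPLE_CONF = """
[prod_summary_ip by hour]
search = index=web | stats count by clientip
is_visible = false

[prod_summary_log by mn]
search = index=web | timechart span=1m count

[prod_segment_country]
search = index=web | top country
is_visible = 0

[draft_segment_session time]
search = index=web | transaction session_id
"""

# Spellings treated as "false" here (assumption for this example).
FALSY = {"0", "false", "f", "no", "n"}

def load_searches(conf_text):
    """Parse conf text into {stanza name: {setting: value}}."""
    # interpolation=None: search strings may contain '%'; keep key case as written.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(conf_text)
    return {name: dict(parser[name]) for name in parser.sections()}

def group_by_convention(searches):
    """Group stanzas by their first two '_'-separated fields (env, type)."""
    groups = defaultdict(list)
    for name, settings in searches.items():
        parts = name.split("_", 2)
        key = tuple(parts[:2]) if len(parts) >= 3 else ("unclassified",)
        # A stanza without is_visible is treated as visible.
        visible = settings.get("is_visible", "true").strip().lower() not in FALSY
        groups[key].append((name, visible))
    return dict(groups)

def still_visible(groups):
    """Names of searches that would still be listed in menus."""
    return sorted(n for members in groups.values() for n, v in members if v)

if __name__ == "__main__":
    groups = group_by_convention(load_searches(SAMPLE_CONF))
    for key in sorted(groups):
        print("/".join(key), groups[key])
    print("still in menus:", still_visible(groups))
```
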

guilhem
Contributor

Thanks for taking the time to answer. Unfortunately I can't use this, as I do not want any search to show up in the navigation menu, as it should only contain "macro" dashboard links, and should be high level enough that non-specialists can understand it.

What I am looking for is a way to organize and manage, internally, just for me, the way saved searches are displayed, so I can remember where (in which dashboard, for example) each saved search is used, and what its general "theme" is (error, draft, summary indexing etc...). Things that end users don't want to know about.

0 Karma

lguinn2
Legend

Edited my answer to address your comment.

0 Karma

guilhem
Contributor

That's too bad, but I think I may be doing something wrong then?

I have like 3 pages of saved searches within my app. Some are used for summary indexing, some are used to display results in views, some are alerts, and some are just sketches.

I don't want to have to add an entry in the navigation menu of my app for all the drafts I create, and I also don't want to have to filter users that don't have to see these searches.

Thanks anyway!

0 Karma