Splunk Search

Organize "Searches & Reports" and "User Interface/Views" with subfolder within apps context

guilhem
Contributor

Hi,

I have quite a big number of searches and views within an app, and managing them within the "Searches & Reports" panel of the manager is not very convenient. I would really like to create sub-folders within the manager view to sort searches and views.

Is there any way to actually do it?

Note that I don't ask how to sort things in the drop down menu within the search app, but really in the "manager/Searches and reports" view (and in the "user interface/views" too).

Thanks!


EDIT

My question was maybe not clear enough. My need is to organize searches and views internally. Nothing should show up in the application, as it is an end-user app, and it should only contain dashboards and stuff, no searches, because end users don't even know the Splunk syntax.

I would love to have a finer granularity on how searches are organized in the manager. Which means not only by application, but also by type, subtype etc. This is just for me, because actually what I am doing is having a naming convention that puts all related searches close to each other, like this:

prod_summary_relative time
prod_summary_log by mn
prod_summary_ip by hour
prod_segment_country
prod_segment_browserName
draft_segment_session time

etc...

This is very inconvenient because I can't see all the related searches (like all summary searches) at once in the manager (I have around 50, and should end up with more than 200).

I have two ideas that may work:
1°) try to customize the default manager view of Splunk, but it is really complicated as the view is generated from JS code and is not a static HTML page.
2°) create a custom app called search manager where I will make dashboards and stuff with what I want, but it may take some time.

I can't believe that nobody ever had this problem in a big application, so I will continue to investigate, but any clue would be greatly appreciated.

Guilhem

lguinn2
Legend

You can't create subfolders. But you can take control of how the searches and views display, and build a more organized menu. Here is how you can edit the default navigation for your app: Build Navigation

If you start to use a naming convention for your searches, you can easily categorize them in the navigation:

  <collection label="Searches &amp; Reports">
    <collection label="Alerts">
      <saved source="unclassified" match="alert" />
    </collection>
    <collection label="Summary Searches">
      <saved source="unclassified" match="summary" />
    </collection>
    <collection label="Dashboard Components">
      <saved source="unclassified" match="dashboard" />
    </collection>
    <saved source="unclassified" />
    <divider />
    <a href="/manager/search/saved/searches">Manage Searches &amp; Reports</a>
  </collection>

Of course, you have a lot of saved searches that you really never want to run. Categorizing them into a sub-menu may be okay, but really, you should simply remove them from the menus altogether. To do that, edit savedsearches.conf. For each search that you do NOT want on the menu, insert the following:

is_visible = false

For dashboards and views, you can set isVisible = "False" in the <dashboard> or <form> or <view> tag.
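An added example, not part of the original answer and not Splunk's own tooling: a small Python audit that reads a savedsearches.conf, groups stanzas by the underscore naming convention from the question, and lists the searches that have not yet been given is_visible = false. The sample file contents and the function names are constructed for illustration, and an unset is_visible is assumed to mean the search is visible.

```python
from collections import defaultdict

# Constructed sample savedsearches.conf; stanza names follow the thread's convention.
SAMPLE_CONF = """\
[prod_summary_log by mn]
search = index=web | stats count by date_minute
is_visible = false

[prod_summary_ip by hour]
search = index=web \\
    | stats count by clientip, date_hour

[prod_segment_country]
search = index=web | top country
is_visible = 0

[draft_segment_session time]
search = index=web | transaction session_id
"""
FALSE_VALUES = {"false", "0"}  # assumption: the spellings of "false" we accept

def parse_conf(text):
    """Return {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # multi-line search string continues
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")   # split on the first "=" only
            current[key.strip()] = value.strip()
    return stanzas

def group_by_prefix(stanzas, depth=2):
    """Group stanza names by their first `depth` underscore-separated parts."""
    groups = defaultdict(list)
    for name in stanzas:
        groups["_".join(name.split("_")[:depth])].append(name)
    return dict(groups)

def still_visible(stanzas):
    """Stanzas that do not set is_visible to a false value (unset = visible)."""
    return sorted(n for n, s in stanzas.items()
                  if s.get("is_visible", "true").lower() not in FALSE_VALUES)
```
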

guilhem
Contributor

Thanks for taking the time to answer. Unfortunately I can't use this, as I do not want any search to show up in the navigation menu, as it should only contain "macro" dashboard links, and should be high level enough that non-specialists can understand it.

What I am looking for is a way to organize and manage, internally, just for me, the way saved searches are displayed, so I can remember where (in which dashboard for example) each saved search is used, and what is its general "theme" (error, draft, summary indexing etc...). Things that end users don't want to know about.

0 Karma

lguinn2
Legend

Edited my answer to address your comment.

0 Karma

guilhem
Contributor

That's too bad, but I think I may be doing something wrong then?

I have like 3 pages of saved searches within my app. Some are used for summary indexing, some are used to display results in views, some are alerts, and some are just sketches.

I don't want to have to add an entry in the navigation menu of my app for all the drafts I create, and I also don't want to have to filter users that don't have to see these searches.

Thanks anyway!

0 Karma