I have quite a big number of searches and views within an app, and manage them within the "searches & Reports" panel of the manager is not very convenient. I would really like to create sub-folders within the manager view to sort searches and views.
Is there any way to actually do it?
Note that I don't ask how to sort things in the drop down menu within the search app, but really in the "manager/Searches and reports" view (and in the "user interface/views" too).
My question was maybe not clear enough. My need is to organize searches and view internally. Nothing should show up in the application as it is an end-user app, and it should only contains dashboards and stuff, no searches cause end-user don't even know the splunk syntax.
I would love to have a finer granularity on how searches are organized in the manager. Which means not only by application, but also by type, subtype etc. This is just for me, because actually what I am doing is having a naming convention that puts all searches related close one to each other, like this:
prodsummarylog by mn
prodsummaryip by hour
This is very inconvenient because I can't see all the searches related (like all summary search) at once in the manager (have around 50, and should end up with more that 200)
I have two idea that may work:
1°) try to customize the default manager view of splunk, but it is really complicated as the view is generated from js code and is not a static html page.
2°) create a custom app called search manager where I will make dashboards and stuff with what I want, but it may take a some time.
I can't believe that nobody never had this problem in a big application, so I will continue to investigate, but any clue would be greatly appreciated.
You can't create subfolders. But you can take control of how the searches and views display, and build a more organized menu. Here is how you can edit the default navigation for your app: Build Navigation
If you start to use a naming convention for your searches, you can easily categorize them in the navigation
<collection label="Searches & Reports"> <collection label="Alerts"> <saved source="unclassified" match="alert" /> </collection> <collection label="Summary Searches"> <saved source="unclassified" match="summary" /> </collection> <collection label="Dashboard Components"> <saved source="unclassified" match="dashboard" /> </collection> <saved source="unclassified" /> <divider /> <a href="/manager/search/saved/searches">Manage Searches & Reports</a>
Of course, you have a lot of saved searches that you really never want to run. Categorizing them into a sub-menu may be okay, but really, you should simply remove them from the menus altogether. To do that, edit
savedsearches.conf. For each search that you do NOT want on the menu, insert the following:
is_visible = false
For dashboards and views, you can set
isVisible = "False" in the
That's too bad, but I think I may be doing something wrong then?
I have like 3 pages of saved search within my app. Some are used for summary indexing, some are used to display results in views, some are alerts, and some are just sketches.
I don't want to have to add an entry in the navigation menu of my app for all the drafts I create, and I also don't want to have to filter user that doesn't have to see these searches.
Thanks to take time to answer. Unfortunately I can't use this, as I do not want any search to show up in the navigation menu, as it should only contain "macro" dashboards link, and should be high level enough that non-specialist can understand it.
What I am looking for is a way to organize and manage, internally, just for me, the way saved searches are displayed, so I can remember where (in which dashboard for exemple) each saved search is used, and what is its general "theme" (error, draft, summary indexing etc...). things that end user don't want to know about.