- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create a menu item in the search app ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a menu item in the search app ?
Hi, I am trying to create an arborescence of saved search but I have some problems. I would like to have something like that :
Windows
Severity/criticality
--1
--security
--...
--2
--security
--...
--n
--security
--...
Logon fails
...
Linux
same
Cisco
same
But I saw that in Search application it's impossible to have more than 2 levels of sub-menu in the 'Search & Reports' ( http://answers.splunk.com/questions/5311/multi-level-nav-menu-wont-open ) So I tried to add a new menu item in the bottom of the file SPLUNK/etc/apps/search/default/data/ui/nav/default.xml , but it doesn't appear too.
Is it possible to add a menu item or do something else to classify the saved search ?
Thank for your help and sorry for the possible english mistakes 😃
EDIT : Here's my default.xml
<nav>
<view name="dashboard" default='true' />
<view name="flashtimeline" />
<collection label="Status">
<collection label="Search activity">
<view name="search_status" />
<view name="search_detail_activity" />
<view name="search_user_activity" />
<view name="search_ui_activity" />
</collection>
<collection label="Index activity">
<view name="index_status" />
<view name="index_status_health" />
<view name="indexing_volume" />
</collection>
<collection label="Server activity">
<view name="splunkd_status" />
<view name="splunkweb_status" />
</collection>
<view name="inputs_status" />
<collection label="Scheduler activity">
<view name="scheduler_status" />
<view name="scheduler_user_app" />
<view name="scheduler_savedsearch" />
<view name="scheduler_status_errors" />
<view name="pdf_activity" />
</collection>
</collection>
<collection label="Views">
<view name="charting" />
<divider />
<view source="unclassified" />
<divider />
<a href="https://answers.splunk.commanager/search/data/ui/views">Manage Views</a>
</collection>
<collection label="Searches & Reports">
<collection label="Errors">
<saved source="unclassified" match="error" />
</collection>
<collection label="Admin">
<saved source="unclassified" match="Admin" />
</collection>
<collection label="Inputs">
<saved source="unclassified" match="Inputs" />
</collection>
<divider />
<a href="https://answers.splunk.commanager/search/saved/searches">Manage Searches & Reports</a>
</collection>
<collection label="Windows Criticality">
<collection label="Info">
<saved source="unclassified" match="WCrit0" />
</collection>
</collection>
</nav>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm stupid, I have just seen that I have deleted, I don't know when, my 'WCrit0' saved searches ... So I have created a new one and it works fine.
Sorry for your wasted time =/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Question what permissions does your saved search have and what app is that saved search associated with?
Travis.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your default.xml looks correct to me. Did you restart splunk after changing the file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please post your default.xml so we can take a look at it.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
