custom help screen

klee310
Communicator

Hi,

I'm trying to set up a custom help screen (via advanced XML) which lists all Tags, Eventtypes, SavedSearches, and Fields extracted for my app.

For Tags, I want the panel to look similar to that of admin_ntags.xml

For Eventtypes, I want the panel to look similar to that of Splunk>Manager>eventtypes

For SavedSearches, I want the panel to look similar to that of Manager>Searches and Reports

...

For all listings in each panel, I would obviously remove the App column because I only want to show the Tags/Eventtypes/Saved/Fields associated with this app, as well as removing some non-essential columns such as owner, alert, status, sharing, action, etc.

I have tried using the metadata command to find the events (listing), so maybe this can be a search string, but no luck.

I have tried using ServerSideInclude to include admin_ntags.xml, but I haven't got very far with that.

Any help is greatly appreciated.

1 Solution

sideview
SplunkTrust

There's nothing very easy, unfortunately.

1) You might want to download the Splunk Discover app from Splunkbase. That app packages its own little search command called "entity". Since it's a custom search command, it is written in Python, so you can read the source and see how it does what it does. And depending on the license the Discover app has, you can use the same command in your own app. It can get entities like saved searches and eventtypes, and since it's a search command, this means the entities become search result rows and the keys of the entities become fields on the rows. Mileage may vary, but if you have a decent grasp of the advanced XML, and you're armed with that command or something similar, you should be able to get there.

2) The EntitySelectLister module is basically a pulldown that can pull its option elements from entities like saved searches and eventtypes. It's pretty tricky to use, and since it doesn't help you render anything about those entities into tables or charts, hardly anybody ever uses it. Worth a mention though, because it's sort of in the same area.

3) You also might look at the manager XML files. All list and edit views in manager are actually controlled by xml files that live in $SPLUNK_HOME/etc/apps/search/default/data/ui/manager/

Although there is really no documentation for that system at all, some people have succeeded in reverse engineering that system to add or modify pages in Manager. Depending on what custom functionality you're trying to achieve, this could be the way to go.


klee310
Communicator

3 - Actually, my original thought was to try and add the XML from the manager path to my view with the ServerSideInclude module. Apparently, that doesn't work.

I will give the entity module a whirl.

Much appreciated.
