All Apps and Add-ons

OSSEC app needs a fix - too much global exporting

Michael_Wilde
Splunk Employee
Splunk Employee

Thanks for making this app. Views and nav bar collide in other apps.

0 Karma
1 Solution

southeringtonp
Motivator

Clobbering of the Nav menu is clearly a significant bug and will be fixed.

As you noted, the short-term fix is to go in and re-scope it manually. People who have customized their default nav menu in search or elsewhere typically won't be affected, which is probably why it wasn't noticed sooner.

Much of the global exporting is quite intentional. We have users who want access to OSSEC information through the search app. That includes saved searches, views, lookups, and search commands (i.e., most of the app).

Regardless, the scoping is something that has been on the radar to tighten down, or possibly provided as an install-time option. It's a significant enough change that it won't be done before th a 1.2 release of the app, which will hopefully come reasonably soon.

Setting the Nav menu aside, as you noted, there are a few cases where this sort of thing crops up elsewhere, particularly for saved searches and views. Any app that needs to share elements outside itself has this problem, and is going to pollute other app menus. For now, the safest approach is for any app other than search to be very specific when defining its own nav.xml.

I've been meaning to file an ER to ask for a way to scope across multiple apps without resorting to global. Perhaps you and any others who've been bitten by this could make a similar request?

View solution in original post

southeringtonp
Motivator

Clobbering of the Nav menu is clearly a significant bug and will be fixed.

As you noted, the short-term fix is to go in and re-scope it manually. People who have customized their default nav menu in search or elsewhere typically won't be affected, which is probably why it wasn't noticed sooner.

Much of the global exporting is quite intentional. We have users who want access to OSSEC information through the search app. That includes saved searches, views, lookups, and search commands (i.e., most of the app).

Regardless, the scoping is something that has been on the radar to tighten down, or possibly provided as an install-time option. It's a significant enough change that it won't be done before th a 1.2 release of the app, which will hopefully come reasonably soon.

Setting the Nav menu aside, as you noted, there are a few cases where this sort of thing crops up elsewhere, particularly for saved searches and views. Any app that needs to share elements outside itself has this problem, and is going to pollute other app menus. For now, the safest approach is for any app other than search to be very specific when defining its own nav.xml.

I've been meaning to file an ER to ask for a way to scope across multiple apps without resorting to global. Perhaps you and any others who've been bitten by this could make a similar request?

southeringtonp
Motivator

This is really great to hear. Presumably we're looking at at least the next major release before the architectural changes make it through the door (??), but it could be a huge help. Ironically, thinking back, part of the reason the nav.xml issue didn't show up on our systems is because we'd customized the menu in search to clean up entries bleeding through from other apps and push them into submenus.

0 Karma

Michael_Wilde
Splunk Employee
Splunk Employee

Agree. Some of Splunk's own apps such as Cisco Security (which is comprised of a bunch of "mini-apps" that have nav's, views, & searches need to be exported globally--which pollutes other apps. Apps are undergoing a number of architectural feature scoping--to include permissions and dependencies (as i personally NEED dependencies to work for some stuff I am doing). Thank you for supporting Splunk and being a part of our community.

0 Karma

gfriedmann
Communicator

Dude. Awesome format. Rock!

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...