Surprising behavior of nav collections of saved searches

Wilcooley
Path Finder

I have collections with matches that overlap; for example, I might have an 'SMTP Errors' search that would match both <saved match="SMTP"> and <saved match="Errors"> in different collections. Clearly this is what the attribute source="all" is for, versus source="unclassified".

What is surprising, however, is that searches that have matched with source="all" will, later in the XML, also match a source="classified", so that the catch-all at the end of the default nav menu, "<saved source="unclassified">", includes the searches that have been included in collection. I would expect that they would not match the latter. It sorta defeats the point of making collections, doesn't it?

Am I missing something here? Is this a known bug or is this actually desirable behavior for some use case that I cannot think of?

0 Karma
1 Solution

gkanapathy
Splunk Employee

This is deliberate. The assumption is that if you're using all, then using any other sources or matches later, that all should not consume all the items. If you use source="all", and it did consume all matches, then all subsequent collections will be empty. I'm not sure why that behavior would be useful.


Wilcooley
Path Finder

Do I understand correctly then that it is not possible to have items that appear in multiple collections using match but do not appear in the final catch-all of unclassified items?

I cannot see why the case you present would be useful either, but that seems like a degenerate case, like using "DELETE * FROM table" in SQL--both meant to be paired with a filter, using match in this case.

Perhaps implicit in your answer is that source="all" would consume all of the items before the match is supplied? That would also be surprising.

0 Karma
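As an added illustration of the behaviour gkanapathy describes (this fragment is not from the thread or from Splunk's own apps), here is a nav `default.xml` for a hypothetical app with three constructed saved searches named "SMTP Errors", "SMTP Volume" and "Login Errors"; the comments record where each search lands given that `source="all"` does not consume its matches:

```xml
<!-- Hypothetical app nav (default.xml); saved-search names are made up. -->
<nav search_view="search" color="#65A637">
  <view name="search" default="true" />

  <collection label="SMTP">
    <!-- source="all": every saved search whose name matches "SMTP",
         regardless of whether another collection also lists it.
         Lists: "SMTP Errors", "SMTP Volume".
         These matches are NOT consumed, so they stay available
         to every later <saved> element. -->
    <saved source="all" match="SMTP" />
  </collection>

  <collection label="Errors">
    <!-- Overlap is fine here: "SMTP Errors" matches again.
         Lists: "SMTP Errors", "Login Errors". -->
    <saved source="all" match="Errors" />
  </collection>

  <collection label="Other reports">
    <!-- source="unclassified": saved searches not consumed above.
         Because source="all" never consumes, this catch-all still
         lists all three: "SMTP Errors", "SMTP Volume", "Login Errors". -->
    <saved source="unclassified" />
  </collection>
</nav>
```

Put the fragment under `$SPLUNK_HOME/etc/apps/<app>/default/data/ui/nav/default.xml` (path assumed here for a hypothetical app) and reload the app to see the three collections rendered.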