Splunk Search

How do you organize searches in Splunk?

merritsa
Path Finder

Hello,

We have been creating a lot of searches lately, and would like a way to organize them into submenus. I tried following the documentation

http://www.splunk.com/base/Documentation/4.0.11/Developer/TieViews

But I've not had any luck (I get an error message when I go to https://<server>:<port>/en-US/servicesNS/admin/Search/data/ui/nav?refresh=1.).

The error I get is "The path was not found", with the path in the error.

I'm sure this is really easy to do, but I just don't know how. Thanks in advance.


ftk
Motivator

In regards to your comment, there is a current limitation in Splunk that will let you nest menus only two levels deep. See: http://answers.splunk.com/questions/5311/multi-level-nav-menu-wont-open/5641#5641


ftk
Motivator

There are three additional ways to reload a view as well as any navigation changes you have made in .../data/nav/ui/default.xml:

1 - Restart the splunkweb service by itself, which keeps sessions authenticated; this should be transparent to your users:

./splunk restartss

2 - You can make the changes via the manager (Manager > User Interface > Navigation Menus > nav name) by editing the XML there. This will instantly apply any changes you have made.

3 - Click on the splunk logo. See: http://answers.splunk.com/questions/3627/how-can-i-reload-a-view-im-editing-without-restarting-splun...

In regards to your subject line, how to organize saved searches, check out http://www.splunk.com/base/Documentation/4.0.11/Knowledge/Definenavigationforsavedsearchesandreports

You can easily nest your searches manually or based on keywords in the search names. Here is an excerpt from a .../data/nav/ui/default.xml that I have in a simple app:

<nav>
    <view name="flashtimeline" default="true" />
    <collection label="Dashboards">
        <view name="audio_access"/>
        <view source="unclassified" match="dashboard"/>
        <divider />
    </collection>
    <collection label="Views">
        <view source="unclassified" />
        <divider />
    </collection>
    <collection label="Searches &amp; Reports">
        <collection label="Alert Searches">
            <saved source="unclassified" match="alert:" />
        </collection>
        <collection label="Audio Access">
            <saved source="unclassified" match="audio" />
        </collection>
        <collection label="Network">
            <saved source="unclassified" match="network" />
        </collection>
        <collection label="Reports">
            <saved source="unclassified" match="report" />
        </collection>
        <collection label="Security">
            <saved source="unclassified" match="security" />
        </collection>
        <collection label="Systems">
            <saved source="unclassified" match="systems" />
        </collection>
        <collection label="Unclassified">
            <saved source="unclassified" />
        </collection>
        <divider />
    </collection>
</nav>

The match="" expression will assign searches to subfolders based on matches in the search's name.
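To sanity-check a nav file like the one above before reloading it, here is an added example (not from this answer and not Splunk's own code): a small Python lint that parses the nav XML, simulates how `match=""` buckets saved searches into collections, and flags the two problems this thread runs into, collections nested deeper than two levels and collections whose `<saved>` element ends up claiming nothing. The matching model (case-insensitive substring, earlier collection in document order wins, a bare `source="unclassified"` takes whatever is left) and the depth limit of two are assumptions of the model, not verified Splunk behaviour; the nav fragment and the saved-search names are constructed for the example.

```python
"""Offline lint for a Splunk nav default.xml (added example, not Splunk code).

Model assumptions, which Splunk's real resolver may not share:
  * <saved source="unclassified" match="x"/> claims every not-yet-placed
    saved search whose name contains x (case-insensitive), in document
    order, so an earlier collection wins ties.
  * <saved source="unclassified"/> with no match claims everything left.
  * Collections nested deeper than DEPTH_LIMIT are flagged, after the
    two-level limitation reported in this thread.
"""
import xml.etree.ElementTree as ET

DEPTH_LIMIT = 2

# Constructed nav fragment: the excerpt above, trimmed, plus a third-level
# "VPN" collection of the kind merritsa asked about.
NAV_XML = """<nav>
  <view name="flashtimeline" default="true" />
  <collection label="Searches &amp; Reports">
    <collection label="Alert Searches">
      <saved source="unclassified" match="alert:" />
    </collection>
    <collection label="Audio Access">
      <saved source="unclassified" match="audio" />
    </collection>
    <collection label="Network">
      <saved source="unclassified" match="network" />
    </collection>
    <collection label="Reports">
      <saved source="unclassified" match="report" />
    </collection>
    <collection label="Security">
      <collection label="VPN">
        <saved source="unclassified" match="vpn" />
      </collection>
      <saved source="unclassified" match="security" />
    </collection>
    <collection label="Unclassified">
      <saved source="unclassified" />
    </collection>
  </collection>
</nav>"""

# Constructed (hypothetical) saved-search names; a real run would take them
# from savedsearches.conf or the saved/searches REST endpoint.
SAVED_SEARCHES = [
    "alert: failed logins spike",
    "security - vpn auth failures",
    "network bandwidth report",
    "systems disk usage",
    "report: weekly audio usage",
]


def _walk(elem, path, remaining, placed, warnings):
    """Visit collections depth-first in document order, claiming searches."""
    for child in elem:
        if child.tag == "collection":
            new_path = path + [child.get("label", "")]
            if len(new_path) > DEPTH_LIMIT:
                warnings.append("'%s' is nested %d deep; menus only open %d levels deep"
                                % (" > ".join(new_path), len(new_path), DEPTH_LIMIT))
            _walk(child, new_path, remaining, placed, warnings)
        elif child.tag == "saved":
            key = " > ".join(path)
            if child.get("name"):                        # one explicit search
                hits = [n for n in remaining if n == child.get("name")]
            elif child.get("source") == "unclassified":  # keyword bucket
                needle = (child.get("match") or "").lower()
                hits = [n for n in remaining if needle in n.lower()]
            else:
                hits = []
            for name in hits:                            # first claim wins
                remaining.remove(name)
            placed.setdefault(key, []).extend(hits)
            if not hits:
                warnings.append("'%s' claims no saved search" % key)
        # <view>, <divider> and anything else hold no saved searches; skip.


def resolve_nav(nav_xml, names):
    """Return ({menu path: [search names]}, [warnings]) for a nav document."""
    placed, warnings = {}, []
    _walk(ET.fromstring(nav_xml), [], list(names), placed, warnings)
    return placed, warnings


if __name__ == "__main__":
    menus, problems = resolve_nav(NAV_XML, SAVED_SEARCHES)
    for menu, names in menus.items():
        print(menu, "->", names)
    for problem in problems:
        print("WARNING:", problem)
```

Two things the output makes visible that the XML alone does not: the bucketing is order-dependent, so "report: weekly audio usage" lands under Audio Access rather than Reports because "audio" is tested first; and the three-level Security > VPN collection is reported as too deep, which is the shape merritsa's "menus with no searches" attempt had.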


merritsa
Path Finder

Thanks for the help! I don't seem to be able to add a multi-nested search though. In other words, I'd like to use, say, Searches > Security > VPN > results. Here's the config I've tried with no luck:








That just nets me the menus with no searches 😞


ftk
Motivator

@Lowell I believe jrodman remarked in IRC that it might stand for special sauce or similar (my recollection is not clear on the exact phrase). Basically he wasn't sure what it meant 🙂

Lowell
Super Champion

Out of curiosity, do you know what the "ss" in "restartss" means?


jrodman
Splunk Employee

Personally I prefer to use a dev system then run 'splunk restart splunkweb'


Lowell
Super Champion

Make sure you are going to your splunkd (internal) port and not your splunkweb http port.

By default, splunkd is on port 8089. I'm also not sure about your /en-US/ at the front of the path; I think that's only for splunkweb, but I could be wrong.

I use the following path to do this on my system:

https://server.domain.com:8089/servicesNS/admin/MyApplicationName/data/ui/nav?refresh=1

Note that the application name is case-sensitive.

As Nick points out below, you can do a massive reload with the following URL: (It can take a minute to come back, so be patient)

http://server.domain.com:8000/debug/refresh

Lowell
Super Champion

It looks like saved searches now have a "_reload" endpoint too. So the debug refresh thing works now as of 4.1.4 with saved searches! That's great!


Lowell
Super Champion

@nick, I don't think savedsearches are reloaded by this. (I really wish they were, that would be a very nice feature!)


Lowell
Super Champion

Thanks for the additional info nick!


sideview
SplunkTrust

By the way, there's a newer and better refresh URL than that one, which refreshes all views plus the nav plus macros/savedsearches etc. across all apps: /debug/refresh
