All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Advance xml dashboard dispatches search *

pradeepkumarg
Influencer
‎07-19-2016 08:53 AM

We have been observing several searches runnning with the search string as "search *" and narrowed it down to be coming from an advance xml dashboard.

I've tried removing part by part of the dashboard and still see this remaining of the dashboard dispatching a "search *" for the selected time range. Looks like something is mis-configured here and I can not find what. Appreciate any insight any one has on this

<view autoCancelInterval="90" isPersistable="true" isSticky="true" isVisible="true" objectMode="viewconf" onunloadCancelJobs="true" refresh="-1" template="dashboard.html">
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="URLLoader" layoutPanel="viewHeader" autoRun="False">
    <module name="TimeRangePicker" autoRun="False">
      <param name="selected">last 4 hours</param> 
        <module name="Button">
          <param name="allowAutoSubmit">False</param>
          <param name="allowSoftSubmit">False</param>
          <param name="label">Submit</param>
          <module name="SearchControls" layoutPanel="mainSearchControls">
             <param name="sections">jobControls export info</param>
          </module>
        </module>
      </module>
   </module>
</view>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎07-19-2016 09:14 AM

In the navigation bar, go to "Key Techniques > Overview of the Advanced XML". And if you don't have such a page it most likely means you're using the extremely old LGPL version of the app and you should upgrade right away. (The current version of the app is completely free for internal use and if you have any questions just let me know)

That page is quite long, but once you read it you'll understand why this page is dispatching a search * search. In short the SearchControls module requires there to be search results. After all note that it has jobControls and an export button. The Sideview UI framework is simply noticing this, and determining that since you haven't specified anywhere what search should run, that you want it to run search *.

Note: Arguably in this kind of case it should display a big red error message instead of quietly kicking off a search * search, and since there is a giant reboot of Sideview Utils coming this year, this improvement may well happen.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎07-19-2016 09:14 AM

In the navigation bar, go to "Key Techniques > Overview of the Advanced XML". And if you don't have such a page it most likely means you're using the extremely old LGPL version of the app and you should upgrade right away. (The current version of the app is completely free for internal use and if you have any questions just let me know)

That page is quite long, but once you read it you'll understand why this page is dispatching a search * search. In short the SearchControls module requires there to be search results. After all note that it has jobControls and an export button. The Sideview UI framework is simply noticing this, and determining that since you haven't specified anywhere what search should run, that you want it to run search *.

Note: Arguably in this kind of case it should display a big red error message instead of quietly kicking off a search * search, and since there is a giant reboot of Sideview Utils coming this year, this improvement may well happen.

Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎07-19-2016 10:49 AM

Thanks Nick..

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...