How Do I display default search app in my app?
http://mjserver:8000/en-US/app/search/dashboard_live
Within my app I want to show dashboard_live and display all data (SourceType, source, host, etc.) related to my apps only.
Thanks
You should probably start by looking at the properties of the XML that is generating the "dashboard_live" view; this will show you what searches/saved searches have been used to populate the tables.
You should start with the XML; you can do this quickly from the dashboard_live view by adding "?showsource=1" to the end of the URL, e.g.
http://mjserver:8000/en-US/app/search/dashboard_live?showsource=1
After doing this, you have the raw XML that can be used to copy into a new view within your own app. Or more simply... You can also clone the dashboard_live view via the manager (Manager >> User Interface >> Views >> clone dashboard_live to your app with a new name), and then modify the searches in the newly cloned view to filter results as per your requirements.
I would not recommend changing Splunk's view/searches directly; I would simply "copy and paste" into a new view/search.
It's not a particularly hard task, but you will just need to filter out your app's events in the searches (perhaps by adding a relevant index in the search or specific source/sourcetype/host combinations, where appropriate).
Hope this helps,
MHibbin