Solved: How can I automatically create a view based on xml...

mbpenney · ‎05-23-2013

How can I automatically create a view based on xml in /views folder?

example:
put xml file in here.
$SPLUNK_HOME/etc/apps//local/data/ui/views/

I want to avoid having to create a view using Splunk Web GUI every time. I would prefer to dump the custom xml and have the view automatically created. I also want to avoid using additional Splunk Apps.

It doesn't seem like xml can be dumped into the folder and simply point to the view url. There is still backend Splunk creation that needs to take place currently for this to work.

Example:
When I dump xml in folder I want to be able to simply go to a url: splunkur:8000/en-GB/app/search/xml-view-name-here

Update:

Based on Drainy's post, dumping xml files into the view folder DOES work, however the cache needs to re-read or re-indexed.

The simple solution right now is: click the app logo top left to re-read the cache (but this is obviously not the most desired solution).

The real solution: force a re-read of the xml cache (or whatever cache in splunk web backend).

Note
Looking into this more and hoping that Drainy will provide the python script!

Will the python script be something I can trigger to run into the nix cli?

For example: As it stands I have a trigger set when I dump my new csv file and new xml into splunk folders, I force a re-index with the oneshot splunk command. Will the scenario be the same for the python script?

Greatly appreciated!

Drainy · ‎05-24-2013

The issue here is that Splunk creates a cache of all XML files which is what it is loading when you view a dashboard. If you edit XML directly or drop a new file in it won't re read that until you force it to reload its cache.
In the current version I believe clicking on the app logo in the top left will cause it to re-read, alternatively you can also hit;
http://SERVERURL:8000/en-US/debug/refresh?entity=/admin/views

Which will force a refresh. Finally you can use a python script with the SDK that Splunk packages along with the build of Python to refresh the cache programatically. I don't have the code to hand at the moment but let me know if this is what you're after and I'll dig it out.

EDIT:
So what you could do is write a python script that checks for certain files or if the count of files in a directory changes - you can find great examples of this on Stackoverflow.com. To enable this you can then call this script on a regular interval in inputs.conf and pass it an admin session key like so;

[script://$SPLUNK_HOME\etc\apps\APPNAME\bin\SCRIPTNAME.py]
disabled = false
interval = 15
passAuth = admin

In the script you then can use;

import splunk.rest
sessionKey = sys.stdin.read().strip()
splunk.rest.simpleRequest("/servicesNS/nobody/APPNAME/data/ui/views/_reload", sessionKey = sessionKey)

But obviously you can build some logic around that.

View solution in original post

Drainy · ‎05-24-2013

The issue here is that Splunk creates a cache of all XML files which is what it is loading when you view a dashboard. If you edit XML directly or drop a new file in it won't re read that until you force it to reload its cache.
In the current version I believe clicking on the app logo in the top left will cause it to re-read, alternatively you can also hit;
http://SERVERURL:8000/en-US/debug/refresh?entity=/admin/views

Which will force a refresh. Finally you can use a python script with the SDK that Splunk packages along with the build of Python to refresh the cache programatically. I don't have the code to hand at the moment but let me know if this is what you're after and I'll dig it out.

EDIT:
So what you could do is write a python script that checks for certain files or if the count of files in a directory changes - you can find great examples of this on Stackoverflow.com. To enable this you can then call this script on a regular interval in inputs.conf and pass it an admin session key like so;

[script://$SPLUNK_HOME\etc\apps\APPNAME\bin\SCRIPTNAME.py]
disabled = false
interval = 15
passAuth = admin

In the script you then can use;

import splunk.rest
sessionKey = sys.stdin.read().strip()
splunk.rest.simpleRequest("/servicesNS/nobody/APPNAME/data/ui/views/_reload", sessionKey = sessionKey)

But obviously you can build some logic around that.

Drainy · ‎05-24-2013

See my updated answer above

mbpenney · ‎05-24-2013

thank you, this answered the issue I was facing. I've updated my original post, I could most definitely use that script to force a re-cache of the xml files!

lguinn2 · ‎05-23-2013

The problem may be that the file is not listed in the .../apps/search/metadata/local.meta file

There are several alternatives:

Create the view with the GUI and then replace the XML file with the custom file that you create. This will create the contextual metadata such as ownership and permissions, but you can change the XML of the view at will.
Write a program or script that uses the Splunk API to create the view.

mbpenney · ‎05-24-2013

Thank you for the response, greatly appreciated! in my implementation I require multiple xml files, appending the xml file linked to the view will not provide the right solution for me.

Drainy · ‎05-24-2013

This shouldn't be an issue in this case, when Splunk rebuilds its cache it will use the app defaults if there is no detail in the local.meta file

chris · ‎05-23-2013

This should work, I have just tried this on a Splunk 5.02 instance. What kind of error do you get with your environment?

How can I automatically create a view based on xml in /views folder?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life