Reporting

How can I organize reports better for improved visibility and categorization?

JPaule
Explorer

We have hundreds of reports (saved searches) which all show up when you click on the Reports tab. How can you better organize reports so they are easily findable by category, similar to how the filters at the top work for "All", "Yours", and "This App's". Is there any way to add a tagging column to filter by the tag? So, the types of filters for example could be: IIS, Audit, SQL, Windows, ULS, etc. Then when the respective tag is selected only those reports would show up.

Any help would be great, I've done a fair share of Googling and couldn't find anything except creating new dropdowns at the top, but that seems inefficient especially when new reports are created.

0 Karma
1 Solution

rsennett_splunk
Splunk Employee

Altering the Report view (tab) would be difficult to maintain through upgrades. What I have seen people do is twofold, and it does take a bit of work to implement.

What you're talking about is socializing the concept of a naming convention... in the form of a prefix or suffix when people name saved searches. You then build your own "Tabs" on the navigation menu:
Change to the app whose menu you would like to alter:
Then select: Settings > User interface > Navigation menus > default

By default you see something that looks like this:

<nav search_view="search" color="#65A637">
  <view name="search" default="true" />
  <view name="datasets" />
  <view name="reports" />
  <view name="alerts" />
  <view name="dashboards" />
</nav>

Insert the following before the closing </nav> tag (replacing "error" with your match text):

<nav search_view="search" color="#65A637">
  <view name="search" default="true" />
  <view name="datasets" />
  <!-- Dynamically list all reports with the word "error" -->
  <collection label="Reports (errors)">
    <saved source="all" match="error" />
  </collection>
  <!-- Dynamically list all unclassified reports -->
  <collection label="Others">
    <saved source="unclassified" />
  </collection>
  <view name="alerts" />
  <view name="dashboards" />
</nav>

You'll find further detail here:

http://dev.splunk.com/view/webframework-developapps/SP-CAAAEP9

So while you probably could dig under the hood and alter the Report Tab (which in the end, is just a view), it's better to get folks to use a known keyword in their report names... and have it automagically picked up by the dropdown that will appear in the menu. (You can do this with dashboards too.)

To affect the existing reports, folks would have to save them again with the new name (best way to get people familiar with the new process and have them WANT to have their stuff listed.) It also makes it easy for you to run reports and see who hasn't changed their stuff so you can see if they still care about it or if it's just noise.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

jaredhartman1
Engager

How about a dynamic drop down menu which matches based on a standard naming convention for your reports? When a new report is created it will automatically be added to the menu. e.g.

<collection label="REPORT_TYPE1">
  <collection label="REPORT_NAME_SQLs">
    <saved source="unclassified" match="SQL" />
  </collection>
  <collection label="REPORT_NAME_2">
    <saved source="unclassified" match="NAME" />
  </collection>
</collection>
0 Karma
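
The naming-convention approach from both answers, as an added example that is not part of the original posts or Splunk's own code: it generates one nested `<collection>` per tag for the navigation XML and audits report names for ones that carry no tag or more than one. The report names are constructed, the tags are the ones from the question, and `match` is assumed to behave as a substring test on the report name (compared case-insensitively here; verify on your Splunk version).

```python
from xml.sax.saxutils import quoteattr

# Tags taken from the question; report names are constructed sample data.
TAGS = ["IIS", "Audit", "SQL", "Windows", "ULS"]
REPORTS = [
    "IIS - 5xx responses by site",
    "SQL - Failed logins",
    "Audit - SQL permission changes",  # contains two tags
    "Windows - Account lockouts",
    "Weekly license usage",            # follows no convention
]

def classify(reports, tags):
    """Map each report name to the tags it contains.
    Assumption: substring match, case-insensitive."""
    return {r: [t for t in tags if t.lower() in r.lower()] for r in reports}

def audit(reports, tags):
    """Return (untagged, ambiguous) report names to follow up with their owners."""
    hits = classify(reports, tags)
    untagged = [r for r, found in hits.items() if not found]
    ambiguous = [r for r, found in hits.items() if len(found) > 1]
    return untagged, ambiguous

def build_nav(tags, label="Reports by type"):
    """Build the <collection> block to paste inside <nav>: one submenu per tag,
    plus the catch-all "Others" entry shown in the accepted answer."""
    lines = [f"<collection label={quoteattr(label)}>"]
    for tag in tags:
        lines += [
            f"  <collection label={quoteattr(tag)}>",
            f'    <saved source="all" match={quoteattr(tag)} />',
            "  </collection>",
        ]
    lines += [
        '  <collection label="Others">',
        '    <saved source="unclassified" />',
        "  </collection>",
        "</collection>",
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_nav(TAGS))
    untagged, ambiguous = audit(REPORTS, TAGS)
    print("No tag:", untagged)
    print("More than one tag:", ambiguous)
```

A report whose name contains two tags is listed under both submenus, so a fixed prefix with a delimiter (for example `SQL - `) keeps the categories from overlapping.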