How to use lister modules
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
How to use lister modules
<view template="dashboard.html">
<label>Lister intro</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="TitleBar" layoutPanel="viewHeader">
<param name="actionsMenuFilter">dashboard</param>
</module>
SearchSelectLister
This simple example uses a complex SearchSelectLister that generates the 10 sourcetypes with the most data indexed in the last hour. The user can then pick one and then we redirect them to flashtimeline and run a search for just the events from that sourcetype, this time over the past 2 hours.
our base search will just be "*", over the past 2 hours
<module name="HiddenSearch" layoutPanel="panel_row2_col1" group="Drilldowns - 1" autoRun="True">
<param name="search">*</param>
<param name="earliest">-2h</param>
<module name="SearchSelectLister">
<param name="settingToCreate">series_setting</param>
<param name="search">index=_internal metrics NOT source="*web_service.log" NOT source="*access.log" NOT source="*/searches.log" NOT source="*intentions.log" NOT source="*splunkd.log" group="per_sourcetype_thruput" | chart sum(kb) over series | sort -sum(kb) | head 10 | sort series</param>
<param name="earliest">-1h</param>
<param name="label">source</param>
<param name="searchWhenChanged">True</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">series</param>
<param name="value">series</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">series_setting</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="sourcetype">$target$</param>
</param>
</param>
<module name="SubmitButton">
<param name="label">Drilldown 1</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
SearchLinkLister
This example is the same except instead of SearchSelectLister we use SearchLinkLister and ViewRedirector. The takeaway is that the listers are all interchangeable. ie if you'd rather have radio buttons just use SearchRadioLister.
<module name="HiddenSearch" layoutPanel="panel_row2_col2" group="Drilldowns - 2" >
<param name="search">*</param>
<param name="earliest">-2h</param>
<module name="SearchLinkLister">
<param name="settingToCreate">series_setting</param>
<param name="search">index=_internal metrics NOT source="*web_service.log" NOT source="*access.log" NOT source="*/searches.log" NOT source="*intentions.log" NOT source="*splunkd.log" | chart sum(kb) over series | sort -sum(kb) | head 10 | sort series</param>
<param name="earliest">-1h</param>
<param name="searchWhenChanged">True</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">series</param>
<param name="value">series</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">series_setting</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="sourcetype">$target$</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
This example uses a SearchSelectLister to give the list of indexes. Then a second SearchSelectLister generates a link for each sourcetype within the chosen index.
</param>
</module>
<module name="StaticContentSample" layoutPanel="panel_row3_col1">
<param name="text">
Then when the user chooses a sourcetype from the second pulldown we will construct a third search for index="foo" sourcetype="bar". When the user clicks the SubmitButton module this search will travel down, hit a module called ViewRedirector, and off the user goes.
</param>
</module>
<module name="StaticContentSample" layoutPanel="panel_row3_col1">
<param name="text">
Just for fun we also have configured the ViewRedirector module to launch a popup window, and instead of flashtimeline we use a simple stripped down view that we made just for this app.
</param>
</module>
<module name="SearchSelectLister" layoutPanel="panel_row3_col1" group="Drilldowns - 3">
<param name="label">which index</param>
<param name="settingToCreate">index_setting</param>
<param name="search">| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index</param>
<param name="searchWhenChanged">True</param>
<param name="selected">main</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">index</param>
<param name="value">index</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">index_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="index">
<param name="fillOnEmpty">True</param>
<param name="prefix">index=</param>
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="SearchSelectLister">
<param name="label">Sourcetype</param>
<param name="settingToCreate">sourcetype_setting</param>
<param name="search">| metadata type="sourcetypes" $index$</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">sourcetype</param>
<param name="value">sourcetype</param>
</list>
</param>
<module name="HiddenSearch">
<param name="search">$index$ $sourcetype$</param>
<module name="ConvertToIntention">
<param name="settingToConvert">sourcetype_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="sourcetype">
<param name="fillOnEmpty">True</param>
<param name="prefix">sourcetype=</param>
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="SubmitButton">
<param name="label">Search</param>
<module name="ViewRedirector">
<param name="viewTarget">really_simple_viewer</param>
<param name="popup">True</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="SearchSelectLister" layoutPanel="panel_row3_col2" group="Drilldowns - 4">
<param name="label">which index</param>
<param name="settingToCreate">index_setting</param>
<param name="search">| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index</param>
<param name="searchWhenChanged">True</param>
<param name="selected">main</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">index</param>
<param name="value">index</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">index_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="index">
<param name="fillOnEmpty">True</param>
<param name="prefix">index=</param>
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="SearchLinkLister">
<param name="settingToCreate">sourcetype_setting</param>
<param name="search">| metadata type="sourcetypes" $index$</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">sourcetype</param>
<param name="value">sourcetype</param>
</list>
</param>
<module name="HiddenSearch">
<param name="search">$index$ $sourcetype$</param>
<module name="ConvertToIntention">
<param name="settingToConvert">sourcetype_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="sourcetype">
<param name="fillOnEmpty">True</param>
<param name="prefix">sourcetype=</param>
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
Now we take a bunch of leaps ahead and put it all together. We put in a Sorter module, a Paginator module. We put in a HiddenSearch+SimpleResultsHeader pattern to give us 'Sources (208)'. Then we duplicate the same pattern for both Sourcetypes and Hosts.
<module name="SearchSelectLister" layoutPanel="panel_row4_col1" group="Drilldowns - 5">
<param name="label">which index</param>
<param name="settingToCreate">index_setting</param>
<param name="search">| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index</param>
<param name="searchWhenChanged">True</param>
<param name="selected">main</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">index</param>
<param name="value">index</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">index_setting</param>
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="index">
<param name="fillOnEmpty">True</param>
<param name="prefix">index=</param>
<param name="value">$target$</param>
</param>
</param>
</param>
<module name="HiddenSearch">
<param name="search">| metadata type=sources $index$</param>
<module name="SimpleResultsHeader" layoutPanel="panel_row4_col1_grp1">
<param name="entityName">results</param>
<param name="headerFormat">Sources (%(count)s)</param>
</module>
</module>
<module name="HiddenSearch">
<param name="search">| metadata type=sourcetypes $index$</param>
<module name="SimpleResultsHeader" layoutPanel="panel_row4_col1_grp2">
<param name="entityName">results</param>
<param name="headerFormat">Sourcetypes (%(count)s)</param>
</module>
</module>
<module name="HiddenSearch">
<param name="search">| metadata type=hosts $index$</param>
<module name="SimpleResultsHeader" layoutPanel="panel_row4_col1_grp3">
<param name="entityName">results</param>
<param name="headerFormat">Hosts (%(count)s)</param>
</module>
</module>
<module name="Sorter" layoutPanel="panel_row4_col1_grp1">
<param name="sortKey">totalCount</param>
<param name="sortDir">desc</param>
<param name="fields">
<list>
<param name="label">Source</param>
<param name="value">source</param>
</list>
<list>
<param name="label">Total Count</param>
<param name="value">totalCount</param>
</list>
<list>
<param name="label">First Time</param>
<param name="value">firstTime</param>
</list>
</param>
<module name="Paginator">
<param name="count">10</param>
<param name="entityName">settings</param>
<param name="maxPages">10</param>
<module name="SearchLinkLister">
<param name="settingToCreate">list1</param>
<param name="search">| metadata type=sources $index$</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">source</param>
<param name="value">source</param>
</list>
<list>
<param name="label">totalCount</param>
<param name="labelFormat">number</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">index_setting</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="index">$target$</param>
</param>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">list1</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="source">$target$</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="Sorter" layoutPanel="panel_row4_col1_grp2">
<param name="sortKey">totalCount</param>
<param name="sortDir">desc</param>
<param name="fields">
<list>
<param name="label">Sourcetype</param>
<param name="value">sourcetype</param>
</list>
<list>
<param name="label">Total Count</param>
<param name="value">totalCount</param>
</list>
<list>
<param name="label">First Time</param>
<param name="value">firstTime</param>
</list>
</param>
<module name="Paginator">
<param name="count">10</param>
<param name="entityName">settings</param>
<param name="maxPages">10</param>
<module name="SearchLinkLister">
<param name="settingToCreate">list1</param>
<param name="search">| metadata type=sourcetypes $index$</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">sourcetype</param>
<param name="value">sourcetype</param>
</list>
<list>
<param name="label">totalCount</param>
<param name="labelFormat">number</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">index_setting</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="index">$target$</param>
</param>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">list1</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="sourcetype">$target$</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
<module name="Sorter" layoutPanel="panel_row4_col1_grp3">
<param name="sortKey">totalCount</param>
<param name="sortDir">desc</param>
<param name="fields">
<list>
<param name="label">Host</param>
<param name="value">host</param>
</list>
<list>
<param name="label">Total Count</param>
<param name="value">totalCount</param>
</list>
<list>
<param name="label">First Time</param>
<param name="value">firstTime</param>
</list>
</param>
<module name="Paginator">
<param name="count">10</param>
<param name="entityName">settings</param>
<param name="maxPages">10</param>
<module name="SearchLinkLister">
<param name="settingToCreate">list1</param>
<param name="search">| metadata type=hosts $index$</param>
<param name="applyOuterIntentionsToInternalSearch">True</param>
<param name="searchFieldsToDisplay">
<list>
<param name="label">host</param>
<param name="value">host</param>
</list>
<list>
<param name="label">totalCount</param>
<param name="labelFormat">number</param>
</list>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">index_setting</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="index">$target$</param>
</param>
</param>
<module name="ConvertToIntention">
<param name="settingToConvert">list1</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="host">$target$</param>
</param>
</param>
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module> </module>
</pre>
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 , 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.
Do we need to remove
search index!="splunklogger"
as of release 4.1.4?