Developing Dashboards, Views, and Apps for Splunk Web

 


How to use lister modules

This documentation does not apply to the most recent version of Splunk.

Use lister modules to add lists to your dashboards. There are two types of lister: search listers and entity listers. Search listers build their lists from the results of searches you run. Entity listers build their lists from REST endpoints; use them to create lists of users, saved searches, or other objects within Splunk. All search listers work essentially the same way and differ only cosmetically, so if you would rather have radio buttons, use SearchRadioLister.

Add chrome and nav

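You must first add the chrome and nav for your page. The view element opened here stays open: the lister modules in the following sections go inside it, and the closing view tag comes after the last module.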

<view template="dashboard.html">
  <label>Lister intro</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>

SearchSelectLister

This simple example uses a SearchSelectLister to generate the top 10 sourcetypes with the most data indexed in the last hour. When a user clicks on a sourcetype in the list, they are redirected to the flashtimeline view, which runs a search for just the events from that sourcetype over the past 2 hours.

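  <module name="HiddenSearch" layoutPanel="panel_row2_col1" group="Drilldowns - 1" autoRun="True">
    <param name="search">*</param>
    <param name="earliest">-2h</param>
    <module name="SearchSelectLister">
      <param name="settingToCreate">series_setting</param>
      <!-- Only the per_sourcetype_thruput events in metrics.log carry the series field; rank them by indexed volume and keep the top 10 -->
      <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | stats sum(kb) as kb by series | sort -kb | head 10</param>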
      <param name="earliest">-1h</param>
      <param name="label">source</param>
      <param name="searchWhenChanged">True</param>
      <param name="searchFieldsToDisplay">
        <list>
          <param name="label">series</param>
          <param name="value">series</param>
        </list>
      </param>
      <module name="ConvertToIntention">
        <param name="settingToConvert">series_setting</param>
        <param name="intention">
          <param name="name">addterm</param>
          <param name="arg">
            <param name="sourcetype">$target$</param>
          </param>
        </param>
        <module name="SubmitButton">
          <param name="label">Drilldown 1</param>
          <module name="ViewRedirector">
            <param name="viewTarget">flashtimeline</param>
          </module>
        </module>
      </module>
    </module>
  </module>

SearchLinkLister

This example is the same as the one above, except that it uses SearchLinkLister instead of SearchSelectLister and passes the selection straight to ViewRedirector, with no SubmitButton.

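  <module name="HiddenSearch" layoutPanel="panel_row2_col2" group="Drilldowns - 2">
    <param name="search">*</param>
    <param name="earliest">-2h</param>
    <module name="SearchLinkLister">
      <param name="settingToCreate">series_setting</param>
      <!-- Only the per_sourcetype_thruput events in metrics.log carry the series field; rank them by indexed volume and keep the top 10 -->
      <param name="search">index=_internal source=*metrics.log group=per_sourcetype_thruput | stats sum(kb) as kb by series | sort -kb | head 10</param>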
      <param name="earliest">-1h</param>
      <param name="searchWhenChanged">True</param>
      <param name="searchFieldsToDisplay">
        <list>
          <param name="label">series</param>
          <param name="value">series</param>
        </list>
      </param>
      <module name="ConvertToIntention">
        <param name="settingToConvert">series_setting</param>
        <param name="intention">
          <param name="name">addterm</param>
          <param name="arg">
            <param name="sourcetype">$target$</param>
          </param>
        </param>
        <module name="ViewRedirector">
          <param name="viewTarget">flashtimeline</param>
        </module>
      </module>
    </module>
  </module>

EntityLinkLister

This example shows how to use an EntityLinkLister module in your view. This module lets you access configurations and knowledge objects from REST endpoints within Splunk. The example below returns a list of the saved searches that are available (via Splunk's permissions system) to the current Splunk user and app. Clicking a search in the list runs it in the default search (flashtimeline) view.

<view template="dashboard.html">
  <label>Lister intro</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>

  <module name="EntityLinkLister" layoutPanel="panel_row1_col1">
    <param name="entityPath">saved/searches</param>
    <param name="settingToCreate">savedSearchz</param>
    <param name="entityFieldsToDisplay">
      <list>
        <param name="label">name</param>
        <param name="value">name</param>
      </list>
    </param>
    <module name="HiddenSearch">
      <param name="search">| savedsearch "$savedSearch$"</param>
      <module name="ConvertToIntention">
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
            <param name="savedSearch">
              <param name="fillOnEmpty">True</param>
              <param name="value">$savedSearchz$</param>
            </param>
          </param>
        </param>
        <module name="ViewRedirector">
          <param name="viewTarget">flashtimeline</param>
        </module>
      </module>
    </module>
  </module>
</view>
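
In each example above, a lister publishes a setting (settingToCreate) that a nested module must pick up by the same name, through settingToConvert or a $name$ reference. The following checker is an added example, not part of the original documentation or of Splunk: it parses a view and reports listers whose setting is never read, on the assumption that those two patterns are the only ways a setting is consumed. The sample view is constructed.

```python
import re
import xml.etree.ElementTree as ET

LISTERS = {"SearchSelectLister", "SearchLinkLister", "SearchRadioLister", "EntityLinkLister"}
TOKEN = re.compile(r"\$(\w+)\$")  # $name$ references inside param text

def direct_param(module, name):
    """Text of the module's own <param name=...> child, or None if absent."""
    for param in module.findall("param"):
        if param.get("name") == name:
            return (param.text or "").strip()

def consumed_settings(lister):
    """Setting names read by modules nested under the lister."""
    used = set()
    for child in lister.findall("module"):
        for module in child.iter("module"):
            converted = direct_param(module, "settingToConvert")
            if converted:
                used.add(converted)
            for param in module.findall("param"):
                for node in param.iter("param"):
                    used.update(TOKEN.findall(node.text or ""))
    return used

def lint_view(xml_text):
    """Return wiring problems found in a view; an empty list means none."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return [f"not well-formed XML: {err}"]
    problems = []
    for module in root.iter("module"):
        name = module.get("name")
        if name not in LISTERS:
            continue
        setting = direct_param(module, "settingToCreate")
        if not setting:
            problems.append(f"{name}: no settingToCreate param")
        elif setting not in consumed_settings(module):
            problems.append(f"{name}: setting '{setting}' is never read downstream")
    return problems

# Constructed sample modelled on the EntityLinkLister view; {tok} is swapped in per test.
VIEW = """<view><module name="EntityLinkLister">
<param name="settingToCreate">savedSearchz</param>
<module name="ConvertToIntention"><param name="intention"><param name="arg">
<param name="savedSearch"><param name="value">${tok}$</param></param>
</param></param></module></module></view>"""
```

Calling lint_view(VIEW.replace("{tok}", "savedSearchz")) returns an empty list, while a mistyped token such as savedSearchs is reported against the lister that created the setting.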

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8


Comments

Good example.
But as Olauret said, we didn't see anything in the dropdown list.
I think the search command of SearchSelectLister should be
> index=_internal series="*" | dedup series
instead of
> index=_internal

Jftsai
May 25, 2011

SearchSelectLister and SearchLinkLister don't work on my server. The first one doesn't bring anything in the dropdown list. The second one gives me only bullets but no words after them.

Olauret
November 23, 2010
