Module reference

Module reference

Nav

AccountBar

(extends Splunk.Module) The bar at the top of most views, that contains the logo, says logged in as <user>, and contains the logout and admin links.

required params

(none)

optional params

• cancelJobsOnLogoClick = True | False
  • Controls if a click on the app logo cancels all jobs or not.
  • defaults to: True
• mode = popup | full | lite
  • When this is set to 'popup,' there are no links, the logo cannot be clicked, the view name is displayed instead of the app name, and there is a close button in the upper right. 'lite' mode displays only the account links and a back link, no logo or app menu.
  • defaults to: full

AppBar

(extends Splunk.Module) This is the bar second from the top in most views. It contains the top level view categories (by default Dashboards Views Saved Searches), and the auxiliary links section (help | preferences | about).

required params

(none)

optional params

(none)

BreadCrumb

(extends Splunk.Module) Simple navigation breadcrumb for a multi-view flow.

required params

(none)

optional params

• goBackOnJobCancelled = True | False
  • If True, whenever any job on the current page is cancelled the module will take the user away from the current view. If the module has no 'earlier' links, it will go to the default view in the current app. If the module does have a link to an 'earlier' view then it will go there. At that point it will make an effort to commit outstanding viewstate changes, swap out the (now dead) 'sid' for a corresponding 'q' arg in the permalink, and preserve any other existing querystring arguments.
  • defaults to: False
• options
  • This is a list of views to link to as well as labels for the links. When absent, the Breadcrumb module can still print out the saved search name, or saved report name.

ManagerBar

(extends Splunk.Module) This is a header bar that shows up at the top of the view. Used specifically in Splunk Manager. When present in any view, it will display a header of "Manager: <view name>".

required params

(none)

optional params

(none)

TitleBar

(extends Splunk.Module) Control menu/actions menu. This module is persistent, and contains information such as the name of the dashboard, the name of the view, or the name of the view and associated saved search. The titlebar functions as a place for contextual actions, like saving a new search that has been run after loading a view.

required params

(none)

optional params

• actionsMenuFilter
  • Sets the filter on which action menu items to show.
  • defaults to: False
• showActionsMenu = True | False
  • Toggle whether or not to show the actions menu.
  • defaults to: True

Messaging

GenericHeader

(extends Splunk.Module) This simple module just displays the configured text as a header element on the page.

required params

• label
  • this is the text of the header

optional params

(none)

Message

(extends DispatchingModule) This module can display all messages to the user, or can be configured to display just a certain class of messages. Messages might come from searches, from alerts firing, from misconfiguration on the backend, from information about indexing status etc. The simplest configuration is a single Message instance with filter set to '*' -- meaning it will display all the messages broadcast. However, you can use multiple Message modules with different 'filter' params displayed in separate layout panels throughout a view. Messages are passed with a defined class, such as splunk.search.error. So if you have two Message instances, one configured with a filter of '*', and another with a filter of splunk.search, the latter will receive the splunk.search.error events, and the "*" instance will not. However when an unexpected message is passed down with the class of splunk.indexing.warn, the splunk.search instance will not display it but the the '*' instance will.

required params

• clearOnJobDispatch
  • Set to True to clear messages whenever a new search is dispatched.
• filter
  • Specify a filter to listen to only certain classes of messages. When blank, the module displays all the messages broadcast.
• maxSize
  • Set the number of messages to display before throwing away the oldest ones.

optional params

• default
  • When present, the module loads with this value showing.

Search

ExtendedFieldSearch

(extends FieldSearch) The basis for the form elements that add or remove intentions.

required params

• field
  • Use this to specify a field (such as a sourcetype, clientip, or any other valid field) to scope results.

optional params

• default
  • This is the default value that will appear in the text field.
• intention
  • The intention to add to the Search, for downstream mdoules.
• label
  • This sets alternate text to display next to the input field. If it is omitted, the text defaults to the field parameter
• q
  • DEPRECATED. use the 'default' param instead. If both q and default are specified, the q value will be ignored.
• replacementMap
  • This is a map to the shortest path to values in an intention that should be replaced with the user added value.

FieldPicker

(extends HiddenFieldPicker) This module launches the field picker, a list of all available fields from which a user can select the fields to display. Descendants of this module that display events and summary information will pick up the field list specified or chosen here.

required params

• fields
  • This provides a space-separated list of fields that are selected by default when the page loads.

optional params

• link
  • This enables the display of links such as 'see top values over time' in the individual layers.
• sidebarDisplay = True | False
  • Indicates if the sidebar is open or closed provided it is available in the layout.
  • defaults to: True
• strictMode
  • "This indicates whether the list provided in the 'fields' param should be interpreted literally. When set to true, no additional fields are passed along. When set to false, standard fields like _time and _raw are automatically appended to the outgoing 'fields' setting.
  • defaults to: false

FieldSearch

(extends Splunk.Module) Restrict searches to a specific field. Use this module to configure a form search with only one form field. To configure form searches with multiple forms, use ExtendedFieldSearch.

required params

• field
  • Use this to specify a field (such as a sourcetype, clientip, or any other valid field) to scope results.

optional params

• default
  • Specify a default value to display when the page loads.
• label
  • This sets alternate text to display next to the input field. If it is omitted, the text defaults to the field parameter.
• q
  • DEPRECATED. use the 'default' param instead. If both q and default are specified, the q value will be ignored.

HiddenFieldPicker

(extends DispatchingModule) This module implements an invisible control that hardwires which fields the user will see and what order those fields are in. When they are descendants of this module, other modules that display events and summary information will pick up the field list specified or chosen here.

required params

(none)

optional params

• fields
  • This is a space-separated list of the fields that are displayed with events by default when the page loads.
• strictMode
  • "This indicates whether the list provided in the 'fields' param should be interpreted literally. When set to true, no additional fields are passed along. When set to false, standard fields like _time and _raw are automatically appended to the outgoing 'fields' setting.
  • defaults to: false

HiddenIntention

(extends Splunk.Module) Adds the given intention to any search it receives from upstream modules. There are several kinds of intentions, 'addterm', 'negateterm', 'stringreplace', and 'plot' are the main ones. A complete reference is beyond the scope of this description but one will hopefully be added to the documentation soon.

required params

• intention
  • This layers an intention on top of the base search. If no module upstream has specified a base search, the intention will layer on top of 'search *'.

optional params

(none)

HiddenPostProcess

(extends DispatchingModule) Adds a post-process search into the data tree. For more information on this module and how to set up a post process search, see How to use one search for a dashboard.

required params

• search
  • Set a post processing query.

optional params

(none)

HiddenSavedSearch

(extends Splunk.Module) Given a saved search name, either finds the last run search for that saved search or runs a new search depending on its configuration.

required params

• savedSearch
  • This is the name of the saved search to use when looking up a searches from the saved search's history or when dispatching a new search.

optional params

• useHistory = Auto | None | True | False
  • useHistory defines the savedSearch module's saved search dispatch method. The default useHistory method is Auto, which means that savedSearch first tries to find a previously run job if one exists in the saved search's history. If it can't find a previously run job, savedSearch dispatches a new job based on the saved search and returns that job's sid. If useHistory is set to True, savedSearch looks only for previously run jobs dispatched by the saved search. If useHistory is set to False, savedSearch dispatches a new job based on the saved search and returns that job's sid, regardless of the presence of jobs within the saved search's history.
  • defaults to: Auto

HiddenSearch

(extends Splunk.Module) Runs a search behind the scenes. Passes results on to any children. You must set autoRun to true so that the search actually runs.

required params

(none)

optional params

• earliest
  • This is used to define a beginning time range. It is expected if 'latest' is also defined. It sets the start point of the time range to search within.
• latest
  • This is used to define an ending time range. It is expected if 'earliest' is also defined. It sets the ending point of the time range to search within.
• maxCount
  • Use this when you have a search that never reports more than 10,000 events or results, and you want it to report a higher number. Specifically, this overrides the default value which is specified per generating search command in limits.conf. NOTE: when you're using the 'search' command as your generating command, and the search is being dispatched with status_buckets>=1, the resultCount/eventCount numbers were never bounded to begin with, and this setting will be equally ignored by the API.
• search
  • The literal search string HiddenSearch passes onto its child modules.

PostProcessBar

(extends FieldSearch) This module lets you add a post-process search on any results you have returned. It doesnt re-run any search, but it will use that search language to do post-processing filtering on the results data.

required params

(none)

optional params

• default
  • Set a default post processing query to appear in the search bar.
• field
  • Overwrites default settings for field in the abstract class.
• label
  • This sets alternate text to display next to the input field. If it is omitted, the text defaults to the field parameter.
• q
  • Deprecated. Use the 'default' param instead. If both 'default' and 'q' are specified, 'q' will be ignored.

RadioButtonSearch

(extends FieldSearch) This module creates a set of radio buttons with submit and cancel buttons.

required params

• label
  • This appears next to the radio buttons, as the overall label for the whole control.
• options
  • This is a list of two items: text and value. "Text" is the text to display next to the radio button. "Value" is the value that is selected upon clicking the radio button. You can optionally add selected to specify which button should be checked upon page load.

optional params

• default
  • NOT supported. In the 'options' param, if you given an item a 'selected' param with True as the value it will be selected on page load.
• field
  • When present, this module adds key value searchTerms in the form <field>=<radioButtonValue> to the search. When absent, the module adds just <radioButtonValue> to the search.
• q
  • NOT supported

SearchBar

(extends FieldSearch) This module creates a search bar with submit and cancel buttons.

required params

(none)

optional params

• autoOpenAssistant = true | false
  • Indicates if the search assistant will open automatically when typing in the search bar
  • defaults to: true
• default
  • Specify a default search to display upon page load.
• field
  • Overwrites default settings for field in the abstract class.
• label
  • This sets alternate text to display next to the input field. If it is omitted, the text defaults to the field parameter.
• q
  • DEPRECATED. use the 'default' param instead. If both q and default are specified, the q value will be ignored.
• useAssistant = true | false
  • Indicates if the search assistant is active
• useOwnSubmitButton = True | False
  • defaults to: True
• useTypeahead = true | false
  • Indicates if typeahead content is rendered inside the search assistant

SubmitButton

(extends Splunk.Module) Creates a submit button that collects changes from its parent modules, and runs them when the user clicks the button.

required params

(none)

optional params

• allowSoftSubmit = True | False
  • When this is present and set to 'True', any upstream modules can effectively submit the search by calling pushContextToChildren. When this is present and set to 'False' (or omitted) the user has to click the SubmitButton to submit the search.
  • defaults to: False
• label
  • This is the button label. If the button label is blank, you'll get a small green button in the normal search view. Note that its design may change slightly in different layoutPanels and different views.

TimeRangePicker

(extends Splunk.Module) This module creates a drop-down menu that users can use to change the timerange. Timerange values and labels are pulled from the configuration in times.conf.

required params

(none)

optional params

• default
  • When this is set to one of the time range labels in times.conf, the system sets that time range option when the page loads.
• label
  • Optional label to display above time range picker
• searchWhenChanged = True | False
  • Launch search whenever the time range is changed.
  • defaults to: False
• selected
  • DEPRECATED. use 'default' instead. When both default and selected are specified, selected will be ignored.

ViewRedirector

(extends Splunk.Module) This module takes the context and settings information provided by its ancestors, dispatches the search and redirects the user to see that search in the specified view. When ViewRedirector receives a new context, and onContextChange() is called, it WILL REDIRECT to the specified view.

required params

• viewTarget
  • Set the view that the module should redirect the user's search to.

optional params

• dispatchBeforeRedirect = True | False
  • This sets whether to dispatch a search before redirecting. When set to True, the system redirects to a 'sid' url. When set to False the system redirects to a 'q' url and the other view then dispatches the search.
  • defaults to: False
• popup
  • Set as a boolean to determine whether to launch the view in a popup window, or use the same window. If set to a value besides True/False, we assume True and we pass the literal value as the optional arguments to window.open().
  • defaults to: False
• sendBaseSID = True | False
  • Toggle whether to send a base search ID.
  • defaults to: False
• uriParam.*
  • Wildcard parameter setting to allow additional URI GET parameters to be specified on redirect
  • defaults to: False

ViewRedirectorLink

(extends ViewRedirector) This module puts a link in the view with the given label. When clicked it will take the context information provided by its ancestors, dispatch the search and redirects the user to see that search in the specified view.

required params

• viewTarget
  • Set the view that the module should redirect the user's search to.

optional params

• dispatchBeforeRedirect = True | False
  • This sets whether to dispatch a search before redirecting. When set to True, the system redirects to a 'sid' url. When set to False the system redirects to a 'q' url and the other view then dispatches the search.
  • defaults to: False
• label
  • In link and button modes, this is the label of the link or button. If it is omitted, the link or button label says 'View results.'
• popup
  • Set as a boolean to determine whether to launch the view in a popup window, or use the same window. If set to a value besides True/False, we assume True and we pass the literal value as the optional arguments to window.open().
  • defaults to: False
• sendBaseSID = True | False
  • Toggle whether to send a base search ID.
  • defaults to: False
• uriParam.*
  • Wildcard parameter setting to allow additional URI GET parameters to be specified on redirect
  • defaults to: False

Results

AddTotals

(extends DispatchingModule) This module contains a checkbox that toggles whether or not results are previewable.

required params

(none)

optional params

• enable
  • This determines whether the control should be checked initially.
  • defaults to: false

Count

(extends DispatchingModule) This module allows the user to determine the number of events that should be displayed at a time. When used in conjunction with a Paginator module, the Paginator should be a descendent of the Count module, not an ancestor.

required params

• options
  • This is a list whose items have two required keys, 'text' and 'value'.

optional params

• count
  • DEPRECATED. use 'default' instead. If both default and count are specified, count will be ignored.
• default
  • Indicates the starting count value to broadcast to modules that are listening.

DataOverlay

(extends DispatchingModule) This module allows the user to determine the data overlay mode for results

required params

(none)

optional params

• default = none | heatmap | highlow
  • Indicates the data overlay mode with values of heatmap, highlow and none.
  • defaults to: none
• dataOverlayMode
  • DEPRECATED. use 'default'. If both dataOverlayMode and default are specified, dataOverlayMode will be ignored.
  • defaults to: none

EnablePreview

(extends DispatchingModule) This module contains a checkbox that toggles whether or not results are previewable.

required params

(none)

optional params

• display = true | false
  • This is used to control whether or not the module is visible to the user. It was originally implemented to allow simple dashboards to have previewable results.
  • defaults to: true
• enable
  • This determines whether the control should be checked initially.
  • defaults to: false

EventsViewer

(extends AbstractPagedModule) The EventsViewer module displays events resulting from the search that it's ancestor modules combined to specify. This module is very similar to SimpleEventsViewer, and one of these two modules will in the future be folded into the other.

required params

(none)

optional params

• count
  • This determines the number of events to display per page. Note this is almost always overridden by other modules that can set this from above.
  • defaults to: 10
• displayRowNumbers = True | False
  • this determines if row numbers are displayed or not.
  • defaults to: False
• enableBehavior = True | False
  • This determines if mouseover, click, etc.. behavior is on or off.
  • defaults to: True
• enableEventActions = True | False
  • This determines if event actions are enabled or not. NOTE: Setting enableEventActions to False will hide all field actions.
  • defaults to: True
• enableFieldActions = True | False
  • This determines if field actions are enabled or not. NOTE: Setting enableFieldActions to False will hide all field actions.
  • defaults to: True
• enableTermSelection = True | False
  • This determines if term selection is enabled for time, raw and field name/value pairs.
  • defaults to: True
• entityName = events | results_preview
  • Indicates the job data feed to use
  • defaults to: events
• fields
  • This determines the fields that the module should be configured to show. It is commonly overridden by modules above like FieldPicker and HiddenFieldPicker.
• maxLines
  • This determines the number of lines to display per event. Note this can be overridden when other modules above set this property (notably MaxLines)
  • defaults to: 10
• maxLinesConstraint
  • Browser crash control for the maximum lines displayed.
  • defaults to: 500
• reportFieldLink
  • When this is present, a field dropdown link enabling a report action is presented.
• scrollerEnable = True | False
  • When present, this module param enables the scroller.
  • defaults to: False
• scrollerMaxHeight
  • When scrollerEnable is True, this controls the scroller maximum pixel height constraint.
  • defaults to: 10000
• scrollerMinHeight
  • When scrollerEnable is True, this controls the scroller minumum pixel height constraint.
  • defaults to: 0
• segmentation = raw | inner | outer | full
  • this determines the segmentation with which the events should be rendered.
  • defaults to: outer

FlashTimeline

(extends FlashWrapper) This module contains a Flash object that is capable of displaying a chart of number of events over time. This chart will be updated asynchronously while the search is running.

required params

• height
  • This specifies the height of the module. It can be a percentage or a number of pixels.
• width
  • This specifies the width of the module. It can be a percentage or a number of pixels. Typically this is set to "100%" meaning it should fill all available space. It can also be set to a number of pixels by using a value like "500px".

optional params

• enableResize = True | False
  • Control whether the flash movies display the vertical resize handle.
  • defaults to: True
• minimized = True | False
  • when set to True, the FlashTimeline will be in a collapsed or minimized state. The user is free to open it or minimize it at any point, and any change they make will be remembered when they return to the given view.
  • defaults to: False
• statusBuckets
  • This is the maximum number of time buckets that the backend is can persist while it runs the search. When present, it overrides the default of 300. Values lower than 300 will result in slightly faster search times, but displays less information to the user.
  • defaults to: 300
• swfFile
  • This is the path, relative to $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/flash, that specifies the swf to load. The swf must conform to a very strict and thus-far undocumented spec that is not for external consumption.
  • defaults to: timeline.swf

FlashWrapper

(extends DispatchingModule) This is the base class for all Flash modules. Unlike FlashChart and FlashTimeline, this simple module makes no assumptions about the swf it is asked to load.

required params

• height
  • This specifies the height of the module. It can be a percentage or a number of pixels.
• swfFile
  • This is the path, relative to $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/flash, that specifies the swf to load.
• width
  • This specifies the width of the module. It can be a percentage or a number of pixels. Typically this is set to "100%" meaning it should fill all available space. It can also be set to a number of pixels by using a value like "500px".

optional params

• enableResize = True | False
  • Control whether the flash movies display the vertical resize handle.
  • defaults to: True

FieldViewer

(extends AbstractPagedModule) This simple module shows the top N values for a given field, along with a number in parentheses showing the number of events that had the given value.

required params

• field
  • This is the name of the search-time or index-time field for which the module will display the top values.

optional params

• count
  • This is the number of most common values that the module should display.
  • defaults to: 10
• fields
  • not used by this module (but technically it gets inherited from the abstract parent class).
• link
  • If this option is present, the module will present a link to a view. On click will pass that view the ' | top <field>' search that would generate the corresponding chart. Values are a dictionary of keys: 'viewTarget', 'label'
• maxLines
  • This determines the number of lines to display per event. Note this can be overridden when other modules above set this property (notably MaxLines)
  • defaults to: 10

MaxLines

(extends DispatchingModule) This module creates a control that allows the user to set the maximum number of lines to display per event. Events truncated by this setting will generally be abstracted such that the most relevant lines are displayed. (refer to docs around the 'truncation_mode' arg to the events endpoint)

required params

• options
  • This is a list whose items have two required keys, 'text' and 'value'

optional params

• default
  • Indicates the default setting for max lines per event. The value here must match one of the values in the options param.
  • defaults to: 10
• maxLines
  • DEPRECATED. use 'default' instead. if both default and maxLines are specified, maxLines will be ignored.
  • defaults to: 10

MultiFieldViewer

(extends AbstractPagedModule) This module is typically for use within the sidebar, and shows a set of field names, with distinct counts next to them in parentheses. When the user clicks on the field names, a popup layer will open showing the top 10 values for that field. Clicking then on one of those values will add the proper field=value term and re run the search.

required params

(none)

optional params

• count
  • This determines the number of events to display per page. Note this is almost always overridden by other modules that can set this from above.
  • defaults to: 10
• field
  • This field was a parameter on the parent class, but is not required for this class.
• fields
  • This determines the fields that the module should be configured to show. It is commonly overridden by modules above like FieldPicker and HiddenFieldPicker.
• link
  • If this option is present, a link will be presented. This is used for things like 'see top values over time' in the individual layers.
• maxDisplayLength
  • Indicates the maximum number of characters of the field name to show in the main view. Excess characters will be stripped from the middle of the string. The tooltip on the field name will display the full field name value.
  • defaults to: 25
• maxLines
  • This determines the number of lines to display per event. Note this can be overridden when other modules above set this property (notably MaxLines)
  • defaults to: 10

NullModule

(extends Splunk.Module) This is just a null module, used when we need a placeholder. Takes up no space and tries to remain inconspicuous.

required params

(none)

optional params

(none)

Paginator

(extends DispatchingModule) This module displays a series of links to page around in your data. It must be configured to page either through the 'events' or the 'results' of your search.

required params

• entityName = events | results | settings
  • This determines whether the paginator builds links based on the number of events, the number of final results, or a settings map change. (While these are often the same, in searches with transforming commands these numbers are generally different.)

optional params

• count
  • This determines the number of items to be shown per page.
  • defaults to: 10
• maxPages
  • This determines the maximum number of page links that the module will display on the page at a time.
  • defaults to: 10

ResultsActionButtons

(extends Splunk.Module) Implements a set of buttons with which the user can save, print, export and share the results of their search or report.

required params

(none)

optional params

• editView
  • When this is present, and when the module is displaying a saved search or saved report, it allows the module to present an 'edit' link that launches the given 'editing' view in a popup window.
• eventsView
  • When this is present, and when the module has loaded a specific set of results, it allows the module to present a 'view events' link that will take the user to the specified view to run the portion of their search before the first transforming command.

ResultsHeader

(extends SimpleResultsHeader) This module displays a header like '23,420 events' and is for placement generally above a FlashTimeline or above a set of modules implementing paging controls

required params

• entityLabel
  • This specifies what should appear after the displayed number. Typically this will be a value like 'events', or 'results', but for very narrowly defined views it could be 'pages edited'.
• entityName = events | results | scanned
  • This specifies how the module should get the number that it displays.

optional params

• headerFormat
  • This is used by SimpleResultsHeader but it is not used here where we have different containers and possibly different styles for the count, the 'label' and the time header.
• link
  • This is a dictionary of config values specifying behaviour for a link that the module can display. This link sends the user to a different view where this search result is displayed instead. It contains a 'label' key that is the link text, and a 'viewTarget' key that is the search result view to which the user should be sent, and a 'popup' key that, when set to True, makes the link open the search result view in a new popup window.
• prefix
  • When this option is present, the value of this key will be displayed before the number displayed. For example you can set it to 'Found', for the overall display to come out as 'Found 23,420 events'

RowNumbers

(extends DispatchingModule) This module allows the user to determine if row numbering is enabled/disabled

required params

(none)

optional params

• default
  • This determines whether the control should be checked initially.
  • defaults to: true
• displayRowNumbers
  • DEPRECATED. use 'default' instead. if both default and displayRowNumbers are specified, displayRowNumbers will be ignored.
  • defaults to: true

SearchTextSetting

(extends TextSetting) A search text input field that passes its contents down to its children as part of the settings map, styled to have a mag glass icon.

required params

• elementName
  • The name of the input element to be added to the UI.
• settingName
  • This is the name of the setting to be added to a settings map and passed to a module's children.

optional params

• label
  • An html label element that can be set for the given input text element.

Segmentation

(extends DispatchingModule) This module allows the user to determine the segmentation type to be displayed for events.

required params

• options
  • This is a list whose items have two required keys, 'text' and 'value'. 'value can be one of raw,inner,outer,full.

optional params

• default
  • Indicates the segmentation value to broadcast to modules that are listening.
  • defaults to: full
• segmentation
  • DEPRECATED. Use default instead. If both default and segmentation are specified, segmentation will be ignored.
  • defaults to: full

Selector

(extends Splunk.Module) Creates a selction list from a set of options. Options can either be configured manually or by defining an entity endpoint from which to generate its options.

required params

• name
  • The name of the html select element generated.

optional params

• label
  • The test to appear to the left of the selector form element.
• listEndpoint
  • This is required if mode=list. Relatively defined list endpoint to communicate with in order to generate the options list. For example if you want a list of all the local applications set listEndpoint to "entities/apps/local".
• mode = static | list
  • This is the mode in which the Select should work. "static" implies that it will only use the list of options provided to it to render this list. "list" designates the use of a listing endpoint to generate the option elements.
  • defaults to: static
• options
  • This is the list of options that Splunk displays in the dropdown selector. When in 'list' mode, Splunk displays the options defined here first and then displays options received from the listEndpoint beneath them. Each option includes a text key which is the text of the option, a value key which is the value of the option and an optional selected key which, when set to True sets the current option to selected. Selected should NOT be set manually when mode=list unless no selected option has been defined for the list.
• selected
  • If the selected value is present in the option results, this sets that option to selected. This is optional in list mode. Note, setting selected manually in the options param may conflict with this setting.
• text
  • This is the name of the field in the list endpoint's results that should be used to generate the text of the option elements. It is required in list mode. For example, if the list returns a field called name, setting text = name means that the name field will be used to generate the visible text of the option.
• value
  • The name of the field from the list endpoint's results that should be used to set the value of an option element. It is required in list mode.

SoftWrap

(extends DispatchingModule) This module contains a checkbox that toggles whether or not events are soft-wrapped. When off, event text will break in the page only where there is a linebreak in the actual data, and scrollbars will appear as necessary. When on, the event text will also break at the edge of the window.

required params

(none)

optional params

• enable
  • This determines whether the control should be checked initially.
  • defaults to: true

Sorter

(extends Splunk.Module) Sorter displays a list of fields that can be sorted upon. Given a list of field names, Sorter will create a set of delimited links which the user can click on. Clicking on these links will pass a "sort" setting down to Sorter's child modules which can iterpret how to preform the sort on their own.

required params

(none)

optional params

• delimiter
  • The delimiter used to seperate each displayed field label.
  • defaults to: |
• fields
  • This is a list of comma delimited field labels which are displayed. If the optional param field_values isn't provided, clicking a field label passes the field label as the field value. Order is preserved in the field label list display.
• sortDir = asc | desc
  • This provides the direction to push a sort when a Sorter module is initiated.
  • defaults to: asc
• sortKey
  • If this is provided, it initiates the Sorter with the defined label. When undefined, this defaults internally to the first field name defined in the view config.

ShowSource

(extends DispatchingModule) This module waits for the search to complete and then renders a single field from the first row of the results

required params

(none)

optional params

(none)

SimpleResultsHeader

(extends DispatchingModule) This module displays a header like '23,420 events' and is for placement generally above a FlashTimeline or above a set of modules implementing paging controls

required params

• entityName = events | results | scanned
  • This specifies how the module should get the number that it displays.
• headerFormat
  • This specifies how the module should get the number that it displays.

optional params

(none)

SimpleResultsTable

(extends AbstractPagedModule) this module waits for the search to complete, and then renders its final results in a tabular format.

required params

(none)

optional params

• allowTransformedFieldSelect
  • This indicates whether or not Splunk should observe any field list setting while it renders transformed results. It is generally only used in fixed configuration situations like dashboards. It defaults to false, which results in all fields in a transforming search being displayed.
  • defaults to: false
• count
  • This determines the number of events to display per page. Note this is almost always overridden by other modules that can set this from above.
  • defaults to: 10
• dataOverlayMode
  • This indicates the default data overlay mode with values of heatmap, highlow and none.
  • defaults to: none
• displayMenu
  • This controls whether table cells have a dropdown menu with search suggestions when clicked on.
  • defaults to: False
• displayRowNumbers
  • If this is set to true then row numbers are displayed alongside each row in the table.
  • defaults to: on
• drilldown = all | row | none
  • This indicates whether the module allows the user to select a particular cell. The behaviour is abstract though, and the specifics are determined by the child modules in the view.
  • defaults to: none
• drilldownPrefix
  • Not required. Since this defaults to 'click', by default the keys will come down in the context as 'click.name', 'click.value', 'click.name2', 'click.value2'. In cases where you are nesting multiple drilldown patterns in the same view, this key is used so that the second set of keys does not overwrite the first.
  • defaults to: click
• entityName = events | results | auto
  • This determines whether the viewer should build table row/columns based on events, results or auto detect.
  • defaults to: auto
• fields
  • This determines the fields that the module should be configured to show. It is commonly overridden by modules above like FieldPicker and HiddenFieldPicker.
• maxLines
  • This determines the number of lines to display per event. Note this can be overridden when other modules above set this property (notably MaxLines)
  • defaults to: 10

SingleFieldChooser

(extends BaseReportBuilderField) This module contains a pulldown that allows you to select the field that you wish to use on the y-axis. This is generally used in conjunction with StatChooser which specifies the aggregator function for this field chosen here. Eg. if this module is set to 'kbps', and StatChooser is set to 'max', then the overall y-axis value will be max(kbps)

required params

(none)

optional params

(none)

SingleValue

(extends DispatchingModule) This module waits for the search to complete and then renders a single field from the first row of the results

required params

(none)

optional params

• additionalClass
  • An optional additional css class name to add to the result container
• afterLabel
  • Label to display after the result
• beforeLabel
  • Label to display before the result
• classField
  • Adds the value of the classField of the first result as an additional css class to the result container. Pre-defined classes include 'severe', 'elevated', 'low', and 'None' (default).
  • IMPORTANT : This parameter must be specified if the background of the single value box is to be colorized based on the results of the rangemap command used in the populating search.
• field
  • Field to display - Defaults to first field returned
• format = number | decimal | percent | none
  • Specifies the data formatting method to apply to the value. Locale aware. Defaults to none.
• linkFields
  • Specify whether to just link the result, or include labels. To link the result and both labels, specify "result,beforeLabel,afterLabel"
  • defaults to: result
• linkSearch
  • Specify a valid complete search query to turn the result into a clickable link
• linkView
  • Specify which view to execute the linked search against
  • defaults to: dashboard

StaticRadio

(extends AbstractStaticFormElement)

required params

• name
• settingToCreate
• staticFieldsToDisplay

optional params

• checked
• label
• searchWhenChanged
  • defaults to: True

StaticSelect

(extends AbstractStaticFormElement)

required params

• settingToCreate
• staticFieldsToDisplay

optional params

• label
• searchWhenChanged
  • defaults to: True
• selected

SuggestedFieldViewer

(extends MultiFieldViewer) This module shows fields that are not selected by FieldPicker (and thus not displayed in MultiFieldViewer or other modules) but which look like they might be interesting to the user.

required params

(none)

optional params

• count
  • This determines the number of events to display per page. Note this is almost always overridden by other modules that can set this from above.
  • defaults to: 10
• exclude
• field
  • This field was a parameter on the parent class, but is not required for this class.
• fields
  • This determines the fields that the module should be configured to show. It is commonly overridden by modules above like FieldPicker and HiddenFieldPicker.
• link
  • If this option is present, a link will be presented. This is used for things like 'see top values over time' in the individual layers.
• maxDisplayLength
  • Indicates the maximum number of characters of the field name to show in the main view. Excess characters will be stripped from the middle of the string. The tooltip on the field name will display the full field name value.
  • defaults to: 25
• maxFields
  • defaults to: 20
• maxLines
  • This determines the number of lines to display per event. Note this can be overridden when other modules above set this property (notably MaxLines)
  • defaults to: 10
• minDistinctCount
  • defaults to: 1
• minFrequency
  • defaults to: 0.2

TextSetting

(extends AbstractFormSettingModule) A text input field that passes its contents down to its children as part of the settings map.

required params

• elementName
  • This is the name of the input element to be added to the UI.
• settingName
  • This is the name of the setting to be added to a settings map and passed to a module's children.

optional params

• label
  • An html label element that can be set for the given input text element.

Charting

AxisScaleFormatter

(extends BaseChartFormatter) This module contains a pulldown that allows you to choose whether you want the y-axis scale to be scaled logarithmically or linearly. When any other module has set the 'stacked' option, any log scaling becomes meaningless and so this module will both become invisible and revert to 'linear'.

required params

(none)

optional params

• default
  • the selected axis scale type

BaseChartFormatter

(extends Splunk.Module) this is an abstract base class for other chart formatting modules. This module should never itself be configured within a view.

required params

(none)

optional params

(none)

ChartTitleFormatter

(extends BaseChartFormatter) This module contains a text field that you can use to set the overall title of your chart.

required params

(none)

optional params

• default
  • Can be used to specify the default value for the module.
• label
  • This is the string it displays. If not present, it defaults to 'Chart Title' (and it passes it through gettext for localization)

ChartTypeFormatter

(extends BaseChartFormatter) this module contains a pulldown that you can use to change between 'column', 'line', 'area' and various other chart types.

required params

(none)

optional params

• default
  • Specifies the chart type that should be initially selected
  • defaults to: column

FancyChartTypeFormatter

(extends ChartTypeFormatter) this module contains a styled pulldown that you can use to change between 'column', 'line', 'area' and various other chart types.

required params

(none)

optional params

• default
  • The type of chart to render
  • defaults to: column

FlashChart

(extends FlashWrapper) This module contains a Flash object that is capable of charting almost any search results that the Splunk backend can generate.

required params

(none)

optional params

• drilldownPrefix
  • Not required. Since this defaults to 'drilldown', by default the keys will come down in the context as 'drilldown.name', 'drilldown.value', 'drilldown.name2', 'drilldown.value2'. In cases where you are nesting multiple drilldown patterns in the same view, this key is used so that the second set of keys does not overwrite the first.
  • defaults to: click
• enableResize = True | False
  • Control whether the flash movies display the vertical resize handle.
  • defaults to: True
• height
  • This specifies the height of the module. It can be a percentage or a number of pixels.
  • defaults to: 210px
• maxResultCount
  • This specifies the maximum number of results to render per series. For a single-series chart, this creates up to <maxResultCount> data points; for a multi-series chart with m series, this creates up to (m * <maxResultCount>) data points. Setting this to a high value can have adverse performance effects on the UI.
  • defaults to: 250
• maxRowsForTop
  • This specifies how many rows of the data should be rendered for 'top' and 'rare' results. This value overrides maxResultCount when rendering results from the special-cased results.
• swfFile
  • This is the path, relative to $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/flash, that specifies the swf to load. The swf must conform to a very strict and thus-far undocumented spec that is not for external consumption.
  • defaults to: charting.swf
• width
  • This specifies the width of the module. It can be a percentage or a number of pixels. Typically this is set to "100%" meaning it should fill all available space. It can also be set to a number of pixels by using a value like "500px".
  • defaults to: 100%

HiddenChartFormatter

(extends Splunk.Module) this module contains a pulldown that you can use to change between 'column', 'line', 'area' and various other chart types.

required params

(none)

optional params

• chart = area | bar | column | line | pie | scatter
  • Use this to change the overall type of chart you wish to generate.
• chart.nullValueMode = connect | gaps | zero
  • Use this to that control how 'line' and 'area' charts should behave when there are gaps in the data. You can either treat null values as '0', leave an explicit gap, or interpolate between the values.
• chart.stackMode = default | stacked | stacked100
  • Use this to make bar and area charts display in 'stacked' mode.
• chartTitle
  • Use this to set the overall HTML title for the Flashchart module.
• charting.*
  • This is a wildcard handler for dynamic charting properties; all must be prefixed by 'charting.'
• legend.placement = right | bottom | left | top | none
  • Use this to change where the chart's legend is displayed relative to the chart itself
• primaryAxisTitle.text
  • Use this to set the X-axis title. Note: in Bar chart this currently this sets the Y-axis title.
• secondaryAxis.scale = log |
  • Use this to make the y-axis scale logarithmically or linearly. Values can be 'log' or (empty string).
• secondaryAxisTitle.text
  • Use this to set the Y-axis title. Note: in Bar chart this currently this sets the X-axis title.

LegendFormatter

(extends BaseChartFormatter) this module contains a pulldown that you can use to change how the chart legend is displayed relative to the chart itself.

required params

(none)

optional params

• default
  • Specifies the legend position that should be initially selected.
  • defaults to: right

LineMarkerFormatter

(extends BaseChartFormatter)

required params

(none)

optional params

• default
  • Specifies the line marker behavior that should be initially selected.
  • defaults to: false

NullValueFormatter

(extends BaseChartFormatter) This module contains a pulldown that controls how 'line' and 'area' charts should behave when there are gaps in the data. You can either treat null values as '0', leave an explicit gap, or interpolate between the values.

required params

(none)

optional params

• default
  • This specifies the null value behavior that should be initially selected.
  • defaults to: gaps

SplitModeFormatter

(extends BaseChartFormatter) This module contains a pulldown that indicates whether or not to show multi-series data on a single combined plot vs. a separate plot for every series. For example, a search like "search error | timechart count by host" would render a separate chart for every "host" found.

required params

(none)

optional params

• default = true | false
  • Specifies if the chart is to be split on series
  • defaults to: false

StackModeFormatter

(extends BaseChartFormatter) This module contains a pulldown that can be used to make bar and area charts display in 'stacked' mode. When the chart type is set to a value other than 'area' or 'column', this module becomes invisible and turns off the stacked mode if it was on.

required params

(none)

optional params

• default
  • This specifies the default stack mode
  • defaults to: default

XAxisTitleFormatter

(extends BaseChartFormatter) this module contains a text field that you can use to change the title for the x-axis of your chart.

required params

(none)

optional params

• default
  • Can be used to specify the default value for the module.

YAxisRangeMaximumFormatter

(extends BaseChartFormatter) this module contains a text field that takes an integer, that determines the maximum y-axis value that should be displayed.

required params

(none)

optional params

• default
  • Specifies the default for the module

YAxisRangeMinimumFormatter

(extends BaseChartFormatter) This module contains a text field that takes an integer, that determines the minimum y-axis value that should be displayed.

required params

(none)

optional params

• default
  • This specifies the module default.

YAxisTitleFormatter

(extends BaseChartFormatter) this module contains a text field that you can use to change the title for the y-axis of your chart.

required params

(none)

optional params

• default
  • Can be used to specify the default value for the module.

Converters

ConvertToDrilldownSearch

(extends Splunk.Module) EXPERIMENTAL.

required params

(none)

optional params

• drilldown.direction = up | down
  • EXPERIMENTAL - this determines whether drilldown intentions are send to downstream modules or to upstream modules.
  • defaults to: down
• drilldownPrefix
  • Not required. Since this defaults to 'click', by default the module will look for the keys 'click.name', 'click.value', 'click.name2', 'click.value2'. In cases where you are nesting multiple drilldown patterns in the same view, this key is available to look for keys like 'click2.name', or 'hostClick.value' instead.
  • defaults to: click
• enableDebugOutput = True | False
  • when on, there will be some fields that output the args to the drilldown intention, as well as the timerange and underlying base Search
  • defaults to: False

ConvertToIntention

(extends Splunk.Module) Converts a setting value to an intention, which it adds to its context and passes to its children.

required params

• intention
  • Ths is the intention to add to the current search context. Use the $target$ variable to specify which value(s) in the intention to replace.

optional params

• preserveParentIntentions
  • By default ConvertToIntention removes all intentions from the search context it's given. Setting preserveParentIntentions will preserve all the intentions.
  • defaults to: False
• settingToConvert
  • The name of the setting value to set in the intention. If omitted, the module will pull out values from the intention literal itself. ie presence of $foo.bar$ in the intention will fill that with whatever value is in context.get("foo.bar");

ConvertToRedirect

(extends Splunk.Module)

required params

• settingToConvert
• type

optional params

(none)

Include

AjaxInclude

(extends Splunk.Module) EXPERIMENTAL. A simple wrapper for integrating external content via XMLHTTPRequest within the module framework. Note this is limited to same domain constraints. Emulates iframe like behavior (page is not refreshed on clicks) and binds an ajaxForm handler to all forms.

required params

• endpoint
  • This determines the initial endpoint.

optional params

• data
  • The associated query string name/value pairs to add to the POST/GET request.
• focus
  • An optional element selector to apply form element focus on. See http://docs.jquery.com/Selectors for selector syntax. Defaults to an auto-focus algorithm if undefined. To disable auto-focus provide an invalid selector such as "foobar"
• hrefattributes
  • The regular expression attributes for anchor element href attribute values that should not refresh the page on click/keydown. Defaults to no attributes excluding anchor elements with target or rel values.
• hrefpattern
  • The regular expression pattern for anchor element href attribute values that should not refresh the page on click/keydown. Defaults to matching everything excluding anchor elements with target or rel values.
  • defaults to: .*
• method = GET | POST
  • The type of initial request to make "POST" or "GET".
  • defaults to: GET

IFrameInclude

(extends Splunk.Module) This simple module uses an inline frame (iframe) to show content from another URL.

required params

• src
  • This is the URL to a remote resource to be displayed in the module. Supports remote URI's (ie., http://foobar.com/hello), local app static files (ie., hello.html found in $SPLUNK_HOME/etc/apps/$APPNAME/appserver/static) and relative locations (ie., /manager).

optional params

• check_exists = False | True
  • This checks to see if the remote or local src exists. It defaults to false. NOTE: Local app static files are skipped if check_exists is set to True.
  • defaults to: False
• height
  • The numeric pixel value constraint of your iframe or defaults to auto. NOTE: Remote URI's require the appropriate JavaScript document.domain setting for fluid height to work correctly (see http://msdn.microsoft.com/en-us/library/cc196989(VS.85).aspx and https://developer.mozilla.org/en/DOM/document.domain)
  • defaults to: auto

ServerSideInclude

(extends Splunk.Module) This module supports the concept of server side includes for custom content. Additionally, the Mako (see: http://www.makotemplates.org/) template language is supported.

required params

• src
  • This specifies the static html file that should be displayed in the given view. When you give it a filename, Splunk attempts to fetch the file from the current application static folder: /etc/apps/<app_name>/appserver/static/* (Note: absolute URI's not supported). If the resource can't be found, a simple message inline is displayed.

optional params

(none)

Lister

How to use lister modules.

EntityLinkLister

(extends AbstractEntityLister)

required params

• entityPath
  • This should be a valid entity path such as saved/searches.

optional params

• count
  • The number of list elements to list. This value only pertains to the dynamically generated list elements, not to the static elements. In some concrete implementations, this value can be provided by a Paginator module and provide paging behavior.
• delimiter
  • The character to use to separate each listed field. Some concrete implementations of lists do not use the delimiter, such as the options lister.
  • defaults to: |
• entityFieldsToDisplay
  • The entity fields to display. These are specified as <list> objects in a view xml specification and must contain at least a "label" definition or a "multiLabel" definition. If "label" is defined it should be set to the name of a field in the entity listing that will become the label of the generated list. If "multiLabel" is defined it must be specified as a Python sprintf string where the tokens should map to fields in the entity list. The <list> object may also contain the following options: "value" definition which is used by child classes to define the lister's behavior.
• namespace
  • The namespace to use when requesting the list of entities. Normally this defaults to the current application's name.
• offset
  • The starting offset for the dynamically generated list elements.
• outputMode
  • This is set to li by default so it need not be declared in a view configuration file. DO NO CHANGE THIS (unless you really know what you're doing).
  • defaults to: li
• owner
  • The owner to use when requesting the list of entities. Normally this defaults to the current user.
• postProcess
  • The post process search to apply to the entity request.
• searchWhenChanged
  • Usually the concrete Lister modules push their changes to their children when a user has acted on the list of elements. In some cases this is not desirable, such as in the simplified form configurations.
  • defaults to: True
• settingToCreate
  • The setting to generate and pass down to child modules.
• sortDir = asc | desc
  • The direction to sort the results. This option may only be defined if the sortKey option is also defined.
• sortKey
  • The field on which to sort the results. This is often deferred to Python's default sort algorithm and will observe Python's sort behavior.
• staticFieldsToDisplay
  • A set of <list> objects which define static list elements to add to the dynamically generated list elements. For example a static option with a label of "Any" and a value of "*" might be desired in addition to a list of saved searches generated by the entity lister. Static fields are defined in much the same way as entity fields, as <list> objects with a "label" definition that is set to the explicit label (i.e. "Any") and an optional value definition set to the value (i.e. "*").

EntityRadioLister

(extends AbstractEntityLister)

required params

• entityPath
  • This should be a valid entity path such as saved/searches.
• name
  • The name of the form to create.
• settingToCreate

optional params

• checked
  • The radio button to select after rending the options from a search.
• count
  • The number of list elements to list. This value only pertains to the dynamically generated list elements, not to the static elements. In some concrete implementations, this value can be provided by a Paginator module and provide paging behavior.
• delimiter
  • The character to use to separate each listed field. Some concrete implementations of lists do not use the delimiter, such as the options lister.
  • defaults to: |
• entityFieldsToDisplay
  • The entity fields to display. These are specified as <list> objects in a view xml specification and must contain at least a "label" definition or a "multiLabel" definition. If "label" is defined it should be set to the name of a field in the entity listing that will become the label of the generated list. If "multiLabel" is defined it must be specified as a Python sprintf string where the tokens should map to fields in the entity list. The <list> object may also contain the following options: "value" definition which is used by child classes to define the lister's behavior.
• label
  • The label to apply to the set of radio buttons.
• namespace
  • The namespace to use when requesting the list of entities. Normally this defaults to the current application's name.
• offset
  • The starting offset for the dynamically generated list elements.
• outputMode
  • This is set to radio by default so it need not be declared in a view configuration file. DO NO CHANGE THIS (unless you like
  • s as radio buttons).
  • defaults to: radio
• owner
  • The owner to use when requesting the list of entities. Normally this defaults to the current user.
• postProcess
  • The post process search to apply to the entity request.
• searchWhenChanged
  • Usually the concrete Lister modules push their changes to their children when a user has acted on the list of elements. In some cases this is not desirable, such as in the simplified form configurations.
  • defaults to: True
• sortDir = asc | desc
  • The direction to sort the results. This option may only be defined if the sortKey option is also defined.
• sortKey
  • The field on which to sort the results. This is often deferred to Python's default sort algorithm and will observe Python's sort behavior.
• staticFieldsToDisplay
  • A set of <list> objects which define static list elements to add to the dynamically generated list elements. For example a static option with a label of "Any" and a value of "*" might be desired in addition to a list of saved searches generated by the entity lister. Static fields are defined in much the same way as entity fields, as <list> objects with a "label" definition that is set to the explicit label (i.e. "Any") and an optional value definition set to the value (i.e. "*").

EntitySelectLister

(extends AbstractEntityLister)

required params

• entityPath
  • This should be a valid entity path such as saved/searches.
• settingToCreate

optional params

• count
  • The initial number of entity items to load.
• delimiter
  • The character to use to separate each listed field. Some concrete implementations of lists do not use the delimiter, such as the options lister.
  • defaults to: |
• entityFieldsToDisplay
  • The entity fields to display. These are specified as <list> objects in a view xml specification and must contain at least a "label" definition or a "multiLabel" definition. If "label" is defined it should be set to the name of a field in the entity listing that will become the label of the generated list. If "multiLabel" is defined it must be specified as a Python sprintf string where the tokens should map to fields in the entity list. The <list> object may also contain the following options: "value" definition which is used by child classes to define the lister's behavior.
• label
• namespace
  • The namespace to use when requesting the list of entities. Normally this defaults to the current application's name.
• offset
  • The starting offset for the dynamically generated list elements.
• outputMode
  • This is set to options by default so it need not be declared in a view configuration file. DO NO CHANGE THIS (unless you like
  • s in your <select>s).
  • defaults to: options
• owner
  • The owner to use when requesting the list of entities. Normally this defaults to the current user.
• postProcess
  • The post process search to apply to the entity request.
• searchWhenChanged
  • Usually the concrete Lister modules push their changes to their children when a user has acted on the list of elements. In some cases this is not desirable, such as in the simplified form configurations.
  • defaults to: True
• selected
  • The option to show as selected. This is based on the label value, for example "selected = Edit" looks for an option whose label value is also "Edit".
• sortDir = asc | desc
  • The direction to sort the results. This option may only be defined if the sortKey option is also defined.
• sortKey
  • The field on which to sort the results. This is often deferred to Python's default sort algorithm and will observe Python's sort behavior.
• staticFieldsToDisplay
  • A set of <list> objects which define static list elements to add to the dynamically generated list elements. For example a static option with a label of "Any" and a value of "*" might be desired in addition to a list of saved searches generated by the entity lister. Static fields are defined in much the same way as entity fields, as <list> objects with a "label" definition that is set to the explicit label (i.e. "Any") and an optional value definition set to the value (i.e. "*").

LinkList

(extends DispatchingModule) DEPRECATED. This module is no longer supported, and should be replaced with one of the *Lister modules in the /lists subdirectory.

required params

• labelField
  • This is the name of the result field whose value should be displayed in the label part of the link list. Link lists are generally a combination of a descriptive label and a numeric count or other (value) field.
• valueField
  • This is the name of the result field whose value should be displayed in the value part of the link list. This is often a count or numeric value relevant to the "label" portion of the link list.

optional params

• initialSort
  • The field in the result set to sort on when the link list is first rendered.
• initialSortDir = asc | desc
  • The direction to sort the results based on the initialSort field.
  • defaults to: asc
• labelFieldSearch
  • This is the search string to generate when the user clicks on the label field. It requires labelFieldTarget to be defined to a valid view. The value of the label field is automatically added to the search.
• labelFieldTarget
  • This is the view to target if the label field is setup to generate a clickable link that dispatches a search.
• valueFieldSearch
  • This is the search string that is generated when the user clicks on the value field. It requires valueFieldTarget to be defined to a valid view. The value of the label field is automatically added to the search.
• valueFieldTarget
  • This is the view to target if the value field is setup to generate a clickable link that dispatches a search.

SearchLinkLister

(extends AbstractSearchLister)

required params

(none)

optional params

• applyOuterIntentionsToInternalSearch
  • if set to True, any intentions passed down from a parent module will be used to drive the internal search of this module. This should be used with caution, but when used carefully allows form elements to drive each others searches in interesting ways.
• delimiter
  • defaults to: |
• earliest
  • The earliest time to bound the search results by.
• entityName = events | results
  • The type of search result data the module would like to work with. When entityName == results statusBuckets is set to 0, which cannot be overridden, in an attempt to significantly speed up the search.
  • defaults to: results
• latest
• namespace
• outputMode
  • This is set to li by default so it need not be declared in a view configuration file. DO NO CHANGE THIS.
  • defaults to: li
• owner
• postProcess
  • The post process search to apply to the search request.
• savedSearch
  • A valid saved search name.
• search
  • A valid Splunk search string used to power the internal representation of the module.
• searchFieldsToDisplay
• searchWhenChanged
  • Usually the Lister modules should push their changes to their children. In some cases this is not desirable, such as in the simplified form configurations.
  • defaults to: True
• settingToCreate
• sortDir
• sortKey
• staticFieldsToDisplay
• statusBuckets
  • defaults to: 300
• tokenPrefix
  • defaults to: click
• useHistory
  • When "savedSearch" is defined, this dictates whether a new job based on a saved search should be dispatched (useHistory = False), a cached job from a saved search's history should be used (useHistory = True) or if no job is cached in the saved search's history, dispatch a new job (useHistory = auto).
  • defaults to: Auto

SearchRadioLister

(extends AbstractSearchLister)

required params

• name
  • The name of the form to create.

optional params

• applyOuterIntentionsToInternalSearch
  • if set to True, any intentions passed down from a parent module will be used to drive the internal search of this module. This should be used with caution, but when used carefully allows form elements to drive each others searches in interesting ways.
• checked
  • The radio button to select after rending the options from a search.
• delimiter
  • defaults to: |
• earliest
  • The earliest time to bound the search results by.
• entityName = events | results
  • The type of search result data the module would like to work with. When entityName == results statusBuckets is set to 0, which cannot be overridden, in an attempt to significantly speed up the search.
  • defaults to: results
• label
  • The label to apply to the set of radio buttons.
• latest
• namespace
• outputMode
  • This is set to radio by default so it need not be declared in a view configuration file. DO NO CHANGE THIS (unless you like
  • s as radio buttons).
  • defaults to: radio
• owner
• postProcess
  • The post process search to apply to the search request.
• savedSearch
  • A valid saved search name.
• search
  • A valid Splunk search string used to power the internal representation of the module.
• searchFieldsToDisplay
• searchWhenChanged
  • Usually the Lister modules should push their changes to their children. In some cases this is not desirable, such as in the simplified form configurations.
  • defaults to: True
• settingToCreate
• sortDir
• sortKey
• staticFieldsToDisplay
• statusBuckets
  • defaults to: 300
• tokenPrefix
  • defaults to: click
• useHistory
  • When "savedSearch" is defined, this dictates whether a new job based on a saved search should be dispatched (useHistory = False), a cached job from a saved search's history should be used (useHistory = True) or if no job is cached in the saved search's history, dispatch a new job (useHistory = auto).
  • defaults to: Auto

SearchSelectLister

(extends AbstractSearchLister)

required params

(none)

optional params

• applyOuterIntentionsToInternalSearch
  • if set to True, any intentions passed down from a parent module will be used to drive the internal search of this module. This should be used with caution, but when used carefully allows form elements to drive each others searches in interesting ways.
• count
  • The initial number of entity items to load.
• delimiter
  • defaults to: |
• earliest
  • The earliest time to bound the search results by.
• entityName = events | results
  • The type of search result data the module would like to work with. When entityName == results statusBuckets is set to 0, which cannot be overridden, in an attempt to significantly speed up the search.
  • defaults to: results
• label
• latest
• namespace
• outputMode
  • This is set to options by default so it need not be declared in a view configuration file. DO NO CHANGE THIS (unless you like
  • s in your <select>s).
  • defaults to: options
• owner
• postProcess
  • The post process search to apply to the search request.
• savedSearch
  • A valid saved search name.
• search
  • A valid Splunk search string used to power the internal representation of the module.
• searchFieldsToDisplay
• searchWhenChanged
  • Usually the Lister modules should push their changes to their children. In some cases this is not desirable, such as in the simplified form configurations.
  • defaults to: True
• selected
  • The option to show as selected. This is based on the label value, for example "selected = Edit" looks for an option whose label value is also "Edit".
• settingToCreate
• sortDir
• sortKey
• staticFieldsToDisplay
• statusBuckets
  • defaults to: 300
• tokenPrefix
  • defaults to: click
• useHistory
  • When "savedSearch" is defined, this dictates whether a new job based on a saved search should be dispatched (useHistory = False), a cached job from a saved search's history should be used (useHistory = True) or if no job is cached in the saved search's history, dispatch a new job (useHistory = auto).
  • defaults to: Auto

Switchers

Switchers are another way to create tabs or pulldown elements that users can use to switch out content or ui controls underneath. They may seem similar to the 'lister' modules but they are qualitatively different. Switchers create a fork between arbitrarily different config branches underneath, but the choice doesnt influence any individual search in those child branches. And listers on the other hand allow the user to insert input that effects the search(es) underneath, but they do not switch one set of modules out and replace it with another set of modules.

The current Switcher classes are 'PulldownSwitcher', 'TabSwitcher', 'LinkSwitcher', and 'ButtonSwitcher'. ('ButtonSwitcher' is a little misnamed in that it actually presents little square icons. Because you'd need to create custom images for Buttonswitcher, and because also it's a little special cased for it's usage within flashtimeline you probably should start with the other 3.) And technically there is another switcher called 'ShowHideHeader' but i'll cover him someday seperately cause you use him in different circumstances.

How to use switcher modules.

ButtonSwitcher

(extends TabSwitcher) This is a subclass of AbstractSwitcher, and when configured to have N children (and thus N subtrees of descendant modules), it will display the a button for each child. The button style is determined by a class set on the group name. When the user clicks a different button, the corresponding child and its descendant modules will be shown on screen and all other child modules (and descendants thereof) will be hidden.

required params

• mode = independent | serializeAll
  • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

• disableOnNull = True | False
  • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
  • defaults to: False
• hideChildrenOnLoad = True | False
  • Indicates if child modules are hidden via CSS by default
  • defaults to: False
• selected
  • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.

ConditionalSwitcher

(extends TabSwitcher) This is a subclass of AbstractSwitcher. When the given condition is true, it will display the first child tree. When false it will display the second child tree.

required params

• condition
  • this is the expression (written in Javascript, executed by the module), that will determine which child is present.
• mode = independent | serializeAll
  • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

• disableOnNull = True | False
  • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
  • defaults to: False
• hideChildrenOnLoad = True | False
  • Indicates if child modules are hidden via CSS by default
  • defaults to: False
• requiresDispatch = False | True
  • if True, the module framework will force a search to be kicked off at that point in the view hierarchy, (unless the search has already been dispatched by an upstream module). This determination is normally made automatically but with ConditionSwitchers you often want to make the conditional determination based on a running job.
  • defaults to: False
• selected
  • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.

LinkSwitcher

Example here: LinkSwitcher

(extends TabSwitcher) This is a subclass of AbstractSwitcher, and when configured to have N children (and thus N subtrees of descendant modules), it will display the a link for each child. When the user clicks a different link, the corresponding child and its descendant modules will be shown on screen and all other child modules (and descendants thereof) will be hidden.

required params

• label
  • This specifies the text that should appear to the left of the links.
• mode = independent | serializeAll
  • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

• disableOnNull = True | False
  • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
  • defaults to: False
• hideChildrenOnLoad = True | False
  • Indicates if child modules are hidden via CSS by default
  • defaults to: False
• selected
  • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.

PulldownSwitcher

(extends AbstractSwitcher) Creates a pull-down menu populated with results from its children. Shows one set of child modules at a time. Children can be serialized -- they pass results on -- or independent.

required params

• label
  • This specifies the text that should appear to the left of the pulldown.
• mode = independent | serializeAll
  • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

• disableOnNull = True | False
  • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
  • defaults to: False
• hideChildrenOnLoad = True | False
  • Indicates if child modules are hidden via CSS by default
  • defaults to: False
• selected
  • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.

TabSwitcher

(extends AbstractSwitcher) This is a subclass of AbstractSwitcher, and when configured to have N children (and thus N subtrees of descendant modules), it will display the 'group' params of those modules in a set of tabs. Like PulldownSwitcher, this module shows only one child at a time. Displays the results of its child modules in a set of tabs. When the user clicks a different tab, the corresponding child and its descendant modules are shown on screen and all other child modules (and descendants thereof) are hidden.

required params

• mode = independent | serializeAll
  • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

• disableOnNull = True | False
  • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
  • defaults to: False
• hideChildrenOnLoad = True | False
  • Indicates if child modules are hidden via CSS by default
  • defaults to: False
• selected
  • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.

ShowHideHeader

(extends AbstractSwitcher) This is a somewhat restrictive switcher class, in that it should only ever have two children, and the second child tree should be either a null module, or in theory some short text like '(click the link above to show formatting options)'

required params

• label
  • Specify the text that should appear in the header.
• mode = independent | serializeAll
  • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

• disableOnNull = True | False
  • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
  • defaults to: False
• headerType = primary | secondary
  • This sets whether or not the header should be the large or the smaller version. Currently only the two existing styles are possible.
  • defaults to: primary
• hideChildrenOnLoad = True | False
  • defaults to: False
• selected
  • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.

Internal modules

You probably won't ever use these.

Jobs

JobManager

(extends Splunk.Module) This large module dominates the page and is intended to supply management functionality for many previously dispatched searches.

required params

• jobStatusSetting
• namespaceSetting
• ownerSetting

optional params

• count
  • defaults to: 10
• offset
  • defaults to: 0
• sortDir
  • defaults to: desc
• sortKey
  • defaults to: createTime

JobStatus

(extends DispatchingModule) This module is intended to supply basic search management functionality and information/general status information.

required params

(none)

optional params

• autoPauseInterval
  • Number of seconds to wait before automatically pausing the running job; only active when the Search.Context object contains a 'auto_pause' setting = true.
  • defaults to: 30
• hideOnJobDone = True | False
  • in certain cases (notably in Report Builder), the JobStatus module is only visible while the search is running, and when the search has finished, it dissappears and a different module takes its place.
  • defaults to: False
• resultsLink
  • This param itself contains nested params. It is a is a dictionary of config values that specifies behaviour for a link that should only be shown to the user when the search has completed. The link sends the user to the configured view (within the same app), and Splunk loads that view with these search results. Contains a required 'viewTarget' sub-param that is the view to which the user should be sent. And also an optional 'popup' sub-param that when True will make the link open a new popup window.

Report builder

BaseReportBuilderField

(extends Splunk.Module) This is the abstract base class of all of the report_builder modules that effect the underlying search.

required params

(none)

optional params

(none)

ReportBuilderSearchField

(extends BaseReportBuilderField) this is a class for report builder, that has significantly more complex behaviour than SearchField, and is useful only in the report_builder view

required params

(none)

optional params

(none)

ReportSubType

(extends BaseReportBuilderField) This module contains a pulldown that allows you to split 'trend over time' and 'correlation' searches by a single field, split them by multiple series, or not split them at all.

required params

(none)

optional params

(none)

ReportType

(extends BaseReportBuilderField) This module contains a pulldown that allows you to select the general type of report that you are trying to build. Examples of its options are 'trend over time', 'correlation', 'top values of a given field' etc..

required params

(none)

optional params

(none)

SplitByChooser

(extends BaseReportBuilderField) This module contains a pulldown that allows you to select the field that you wish to split by, when doing a 'trend over time' or 'correlation' search, and when youve chosen to split by a single field.

required params

(none)

optional params

(none)

StatChooser

(extends BaseReportBuilderField) This module contains a pulldown that allows you to select the aggregator function that you wish to apply to your y-axis field. Its options include functions like 'sum', 'average', 'count' and 'distinct count', .

required params

(none)

optional params

(none)

TimeRangeBinning

(extends BaseReportBuilderField) This module contains a text field and a pulldown, that together the user can use to set the size of buckets in 'trend over time' searches. The first field takes an integer, and the pulldown contains options of 'month, day, hour, minute, second'

required params

(none)

optional params

(none)

Base class

Splunk.Module

This is the abstract base class for all modules.

required params

(none)

optional params

(none)

DispatchingModule

(extends Splunk.Module) This is the abstract base class for all modules that can only work with dispatched searches. In a nutshell all modules inheriting from this module will have all the functionality needed to display data from asynchronous searches. When a parent module tries to pass along a search to one of these modules, that search will be dispatched beforehand. As such, the code within dispatching module classes always assumes that the search has already started running.

required params

(none)

optional params

(none)

• Was this topic useful?
• Post a comment