Developing Dashboards, Views, and Apps for Splunk Web

 


Lister modules

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Use lister modules to add lists to your dashboards. There are two types of listers:

  • Entity listers: Entity listers build lists from REST endpoints. Use entity listers to create lists of users, saved searches, or other objects within Splunk.
  • Search listers: Search listers build lists from searches run in the module. All search listers work essentially the same way; they differ only cosmetically. If you prefer to have radio buttons, use SearchRadioLister.

Add chrome and nav

First add the chrome and nav for your view:

<view template="dashboard.html">
  <label>Lister intro</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>
  . . .
</view>

SearchSelectLister

This basic example uses a SearchSelectLister to generate the top ten sourcetypes with the most data indexed in the last hour. When a user clicks on a sourcetype in the list, they are redirected to the timeline view, which runs a search for just the events from that sourcetype over the past two hours.

  . . .
  <module name="HiddenSearch" layoutPanel="panel_row2_col1"
        group="Drilldowns - 1"  autoRun="True">
    <param name="search">*</param>
    <param name="earliest">-2h</param>
    
    <module name="SearchSelectLister">
      <param name="settingToCreate">series_setting</param>
      <param name="search">index=_internal</param>
      <param name="earliest">-1h</param>
      <param name="label">source</param>
      <param name="searchWhenChanged">True</param>
      <param name="searchFieldsToDisplay">
        <list>
          <param name="label">series</param>
          <param name="value">series</param>
        </list>
      </param>
      
      <module name="ConvertToIntention">
        <param name="settingToConvert">series_setting</param>
        <param name="intention">
          <param name="name">addterm</param>
          <param name="arg">
            <param name="sourcetype">$target$</param>
          </param>
        </param>
        
        <module name="SubmitButton">
          <param name="label">Drilldown 1</param>
          
          <module name="ViewRedirector">
            <param name="viewTarget">flashtimeline</param>
          </module>
          
        </module><!-- End SubmitButton -->
      </module><!-- End ConvertToIntention -->
    </module><!-- End SearchSelectLister -->
  </module><!-- End HiddenSearch -->

SearchLinkLister

This example is the same as the previous, except it uses SearchLinkLister and ViewRedirector instead of SearchSelectLister.

  . . .
  <module name="HiddenSearch" layoutPanel="panel_row2_col2"
          group="Drilldowns - 2" >
    <param name="search">*</param>
    <param name="earliest">-2h</param>
    
    <module name="SearchLinkLister">
      <param name="settingToCreate">series_setting</param>
      <param name="search">index=_internal</param>
      <param name="earliest">-1h</param>
      <param name="searchWhenChanged">True</param>
      <param name="searchFieldsToDisplay">
        <list>
          <param name="label">series</param>
          <param name="value">series</param>
        </list>
      </param>
      
      <module name="ConvertToIntention">
        <param name="settingToConvert">series_setting</param>
        <param name="intention">
          <param name="name">addterm</param>
          <param name="arg">
            <param name="sourcetype">$target$</param>
          </param>
        </param>
        
        <module name="ViewRedirector">
          <param name="viewTarget">flashtimeline</param>
        </module>
        
      </module><!-- End ConvertToIntention -->
    </module><!-- End SearchLinkLister -->
  </module><!-- End HiddenSearch -->
  . . .

EntityLinkLister

This example shows how to use an EntityLinkLister module. This module lets you access configurations and knowledge objects from REST endpoints within Splunk. The example below returns a list of the saved searches that are available (under Splunk's permissions system) to the current Splunk user and app. Clicking a search in the list runs that search in the default search (timeline) view.

<view template="dashboard.html">
  <label>Lister intro</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>

  <module name="EntityLinkLister" layoutPanel="panel_row1_col1">
    <param name="entityPath">saved/searches</param>
    <param name="settingToCreate">savedSearch</param>

    <param name="entityFieldsToDisplay">
      <list>
        <param name="label">name</param>
        <param name="value">name</param>
      </list>
    </param>

    <module name="HiddenSearch" >
      <param name="search">| savedsearch "$savedSearch$"</param>
    
      <module name="ConvertToIntention">
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
            <param name="savedSearch">
              <param name="fillOnEmpty">True</param>
              <param name="value">$savedSearch$</param>
            </param>
          </param>
        </param>

        <module name="ViewRedirector">
          <param name="viewTarget">flashtimeline</param>
        </module>
          
      </module> <!-- End ConvertToIntention -->
    </module> <!-- End HiddenSearch -->
  </module> <!-- End EntityLinkLister -->
</view>
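
A consistency check for the lister chains shown above, as an added example that is not part of the Splunk documentation. It assumes, based on the examples on this page, that every settingToConvert value and every $name$ token must match a settingToCreate on an ancestor module, and that $target$ is the placeholder filled by ConvertToIntention; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the page's SearchLinkLister chain plus one misspelled settingToConvert.
SAMPLE_VIEW = """
<view template="dashboard.html">
  <module name="HiddenSearch" layoutPanel="panel_row2_col2">
    <module name="SearchLinkLister">
      <param name="settingToCreate">series_setting</param>
      <module name="ConvertToIntention">
        <param name="settingToConvert">series_setting</param>
        <param name="intention"><param name="name">addterm</param>
          <param name="arg"><param name="sourcetype">$target$</param></param>
        </param>
      </module>
      <module name="ConvertToIntention">
        <param name="settingToConvert">serie_setting</param>
      </module>
    </module>
  </module>
</view>
"""
TOKEN = re.compile(r"\$(\w+)\$")
BUILTIN_TOKENS = {"target"}  # assumption: placeholder filled by ConvertToIntention

def own_params(node):
    """Yield every <param> under node without entering child modules."""
    for child in (c for c in node if c.tag != "module"):
        if child.tag == "param":
            yield child
        yield from own_params(child)

def check_setting_wiring(xml_text):
    """Return (module name, problem) pairs for settings no ancestor creates."""
    problems = []
    def walk(module, in_scope):
        created = set()
        for p in own_params(module):
            text = (p.text or "").strip()
            if p.get("name") == "settingToCreate":
                created.add(text)
            if p.get("name") == "settingToConvert" and text not in in_scope:
                problems.append((module.get("name"), "unknown setting " + text))
            for tok in set(TOKEN.findall(text)) - in_scope - BUILTIN_TOKENS:
                problems.append((module.get("name"), "unknown token $" + tok + "$"))
        for child in module.findall("module"):
            walk(child, in_scope | created)
    for top in ET.fromstring(xml_text).findall("module"):
        walk(top, set())
    return problems
```

Run it against a complete view file before deploying the view; an empty list means every converted setting and token is created by a lister higher in the module tree.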

This documentation applies to the following versions of Splunk: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

