Setup screen example
Setup screen example
The following example illustrates a setup screen for an app, MySampleApp.
MySampleApp contains three saved searches and a scripted input. In the setup screen, the user specifies the following configurations:
- Interval for running the scripted input
- Enable or disable one the Web Search
- The cron schedule for each of the searches
- The earliest dispatch time for all the searches.
This setup screen modifies savedsearches.conf and inputs.conf.
In this example:
- The configuration files already exist in
$SPLUNK_HOME/etc/apps/MySampleApp/default/. - The configuration file contains the stanzas you are modifying.
- The values present in the stanza represent the default values displayed by the setup screen.
- If the user changes the default settings to a configuration file from the setup screen, Splunk writes the updates to the configuration file in
$SPLUNK_HOME/etc/apps/MySampleApp/local/.
The setup screen uses the following REST endpoints to update the configuration:
https://localhost:8089/servicesNS/nobody/MySampleApp/saved/searches/ https://localhost:8089/servicesNS/nobody/MySampleApp/data/inputs/script/
Configuration files for the example
Here are the default configuration files:
savedsearches.conf
[Web Search] search = sourcetype=access_combined ( 404 OR 500 OR 503 ) dispatch.earliest_time = -1d cron_schedule = */5 * * * * enableSched = 1 [Firewall Data Search] search = sourcetype=cisco_wsa .exe usage!="Unknown" dispatch.earliest_time = -1d cron_schedule = */5 * * * * enableSched = 0 [Email Data Search] search = sourcetype=cisco_esa OUTBREAK_* dispatch.earliest_time = -1d cron_schedule = */5 * * * * enableSched = 0
inputs.conf
[script://$SPLUNK_HOME/etc/apps/MySampleApp/bin/myscript.sh] interval = 60 sourcetype = customsourcetype source = customsource
setup.xml
Here is the setup.xml file that implements the setup screen. Note the following in the setup.xml file:
- The entity specifying the path to scripted input uses URI encoding
- The field for the Web Search uses the REST endpoint,
is_scheduled. This updates theenableSchedfield in the[Web Search]stanza. - The text blocks use HTML entities to specify italic and bold for the type.
- In the block that configures the cron schedule, entity specifies the regex '*' to specify all searches. The block contain examples for specifying iteration mode and bulk mode
- See "setup.xml syntax" on Step 7: configure a setup screen for details on the syntax used in the example
setup.xml
<setup>
<!-- Note that the path to the script uses URI encoding -->
<block title="Enable a scripted input"
endpoint="data/inputs/script"
entity="%24SPLUNK_HOME%252Fetc%252Fapps%252FMySampleApp%252Fbin%252Fmyscript.sh">
<text>
<i>Specify the configuration for a single setting in a stanza.</i>
</text>
<input field="interval">
<label>Specify the interval for [$name$] </label>
<type>text</type>
</input>
</block>
<block title="Enable the schedule for a search"
endpoint="saved/searches" entity="Web Search">
<text>
<i>Specify the configuration for a single setting in a stanza.</i>
</text>
<!-- The field "is_scheduled" maps to the enableSched setting in savedsearches.conf -->
<input field="is_scheduled">
<label>Enable Schedule for $name$</label>
<type>bool</type>
</input>
</block>
<block title="Configure Cron Schedule"
endpoint="saved/searches" entity="*" mode="iter">
<text>
<i><b>Iteration mode</b>:
specify the cron schedule for each search in the conf file.</i></text>
<input field="cron_schedule">
<label>$name$</label>
<type>text</type>
</input>
</block>
<!-- an example of bulk change - enable all searches -->
<block title="Set earliest dispatch time"
endpoint="saved/searches" entity="*" mode="bulk">
<text>
<i><b>Bulk mode</b>: enable the earliest dispatch time for each search in the conf file.</i>
</text>
<input field="dispatch.earliest_time">
<label>Set earliest dispatch time for all searches</label>
<type>text</type>
</input>
</block>
</setup>
This documentation applies to the following versions of Splunk: 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.