Splunk® Enterprise

Developing Dashboards, Views, and Apps for Splunk Web


Splunk version 4.x reached its End of Life on October 1, 2013.
This documentation does not apply to the most recent version of Splunk.

Setup screen example

The following example illustrates a setup screen for an app, MySampleApp.

MySampleApp contains three saved searches and a scripted input. In the setup screen, the user specifies the following configurations:

  • Interval for running the scripted input
  • Enable or disable the schedule for the Web Search
  • The cron schedule for each of the searches
  • The earliest dispatch time for all the searches.

This setup screen modifies savedsearches.conf and inputs.conf.

Sample setup screen

In this example:

  • The configuration files already exist in $SPLUNK_HOME/etc/apps/MySampleApp/default/.
  • The configuration file contains the stanzas you are modifying.
  • The values present in the stanza represent the default values displayed by the setup screen.
  • If the user changes any of the default settings from the setup screen, Splunk writes the updated settings to the corresponding configuration file in $SPLUNK_HOME/etc/apps/MySampleApp/local/.

The setup screen uses the following REST endpoints to update the configuration:

https://localhost:8089/servicesNS/nobody/MySampleApp/saved/searches/
https://localhost:8089/servicesNS/nobody/MySampleApp/data/inputs/script/

Configuration files for the example

Here are the default configuration files:

savedsearches.conf

[Web Search]
search = sourcetype=access_combined ( 404 OR 500 OR 503 )
dispatch.earliest_time = -1d
cron_schedule = */5 * * * *
enableSched = 1

[Firewall Data Search]
search = sourcetype=cisco_wsa .exe usage!="Unknown"
dispatch.earliest_time = -1d
cron_schedule = */5 * * * *
enableSched = 0

[Email Data Search]
search = sourcetype=cisco_esa OUTBREAK_*
dispatch.earliest_time = -1d
cron_schedule = */5 * * * *
enableSched = 0

inputs.conf

[script://$SPLUNK_HOME/etc/apps/MySampleApp/bin/myscript.sh]
interval = 60
sourcetype = customsourcetype
source = customsource

setup.xml

Here is the setup.xml file that implements the setup screen. Note the following in the setup.xml file:

  • The entity specifying the path to scripted input uses URI encoding
  • The block for the Web Search uses the REST endpoint field is_scheduled. This field updates the enableSched setting in the [Web Search] stanza of savedsearches.conf.
  • The text blocks use HTML entities to specify italic and bold formatting for the text.
  • In the blocks that configure the cron schedule and the earliest dispatch time, the entity attribute specifies the regex '*' to select all searches. These two blocks show iteration mode (mode="iter") and bulk mode (mode="bulk") respectively.
  • See "setup.xml syntax" in Step 7: Configure a setup screen for details on the syntax used in the example.

setup.xml

<setup>

  <!-- Note that the path to the script uses URI encoding -->
  <block title="Enable a scripted input"
         endpoint="data/inputs/script"
         entity="%24SPLUNK_HOME%252Fetc%252Fapps%252FMySampleApp%252Fbin%252Fmyscript.sh">
    <text>
      &lt;i&gt;Specify the configuration for a single setting in a stanza.&lt;/i&gt;
    </text>

    <input field="interval">
      <label>Specify the interval for [$name$]</label>
      <type>text</type>
    </input>

  </block>

  <block title="Enable the schedule for a search"
         endpoint="saved/searches" entity="Web Search">
    <text>
      &lt;i&gt;Specify the configuration for a single setting in a stanza.&lt;/i&gt;
    </text>

    <!-- The field "is_scheduled" maps to the enableSched setting in savedsearches.conf -->
    <input field="is_scheduled">
      <label>Enable Schedule for $name$</label>
      <type>bool</type>
    </input>

  </block>

  <!-- an example of iteration mode - one input per search matched by entity="*" -->
  <block title="Configure Cron Schedule"
         endpoint="saved/searches" entity="*" mode="iter">
    <text>
      &lt;i&gt;&lt;b&gt;Iteration mode&lt;/b&gt;:
      specify the cron schedule for each search in the conf file.&lt;/i&gt;
    </text>
    <input field="cron_schedule">
      <label>$name$</label>
      <type>text</type>
    </input>
  </block>

  <!-- an example of a bulk change - set the earliest dispatch time for all searches -->
  <block title="Set earliest dispatch time"
         endpoint="saved/searches" entity="*" mode="bulk">
    <text>
      &lt;i&gt;&lt;b&gt;Bulk mode&lt;/b&gt;: set the earliest dispatch time for all searches in the conf file.&lt;/i&gt;
    </text>
    <input field="dispatch.earliest_time">
      <label>Set earliest dispatch time for all searches</label>
      <type>text</type>
    </input>
  </block>

</setup>
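As an added cross-check (example code written for this page, not Splunk's own code or part of MySampleApp): a Python script that reproduces the double URI encoding of the scripted input's entity attribute and verifies that every block and input field in a setup.xml resolves to an existing stanza and default setting in the app's default .conf files. The endpoint-to-file mapping and the is_scheduled-to-enableSched mapping come from this page; the encoding scheme is an assumption that reproduces the page's entity value, and the sample setup.xml and conf dictionaries are constructed, trimmed copies of the page's files.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# From the page: which .conf each REST endpoint writes, and the one REST field
# whose name differs from its conf setting (is_scheduled -> enableSched).
ENDPOINT_CONF = {"saved/searches": "savedsearches.conf", "data/inputs/script": "inputs.conf"}
FIELD_TO_CONF = {"is_scheduled": "enableSched"}

def encode_script_entity(stanza):
    """[script://$SPLUNK_HOME/.../myscript.sh] stanza name -> setup.xml entity attribute.
    Assumed scheme, chosen because it reproduces the page's value: '/' escaped twice, '$' once."""
    path = stanza[len("script://"):] if stanza.startswith("script://") else stanza
    return urllib.parse.quote(path.replace("/", "%2F"), safe="")

def decode_script_entity(entity):
    """Inverse of encode_script_entity: recover the script path from the attribute."""
    return urllib.parse.unquote(urllib.parse.unquote(entity))

def check_setup(setup_xml, confs):
    """Return a list of problems (empty means OK): every <block> must resolve to at least
    one stanza in the matching .conf, and every <input field> needs a default there."""
    problems = []
    for block in ET.fromstring(setup_xml).iter("block"):
        endpoint, entity, title = block.get("endpoint"), block.get("entity"), block.get("title")
        conf = confs.get(ENDPOINT_CONF.get(endpoint, ""), {})
        if endpoint == "data/inputs/script":  # entity is the double-encoded script path
            stanzas = [s for s in conf if s == "script://" + decode_script_entity(entity)]
        else:  # '*' selects every stanza (iter/bulk mode); anything else is one stanza name
            stanzas = [s for s in conf if entity == "*" or s == entity]
        if not stanzas:
            problems.append(f"{title}: no stanza for entity {entity!r} via {endpoint}")
        for inp in block.iter("input"):
            key = FIELD_TO_CONF.get(inp.get("field"), inp.get("field"))
            for s in stanzas:
                if key not in conf[s]:
                    problems.append(f"{title}: [{s}] has no default for {key}")
    return problems

# Constructed sample: a two-block setup.xml and trimmed copies of the page's two conf stanzas.
SAMPLE_SETUP = """<setup>
<block title="Scripted input" endpoint="data/inputs/script"
 entity="%24SPLUNK_HOME%252Fetc%252Fapps%252FMySampleApp%252Fbin%252Fmyscript.sh">
<input field="interval"><type>text</type></input></block>
<block title="Schedule" endpoint="saved/searches" entity="Web Search">
<input field="is_scheduled"><type>bool</type></input></block>
</setup>"""
SAMPLE_CONFS = {
    "inputs.conf": {"script://$SPLUNK_HOME/etc/apps/MySampleApp/bin/myscript.sh": {"interval": "60"}},
    "savedsearches.conf": {"Web Search": {"enableSched": "1", "cron_schedule": "*/5 * * * *"}},
}
```

Running check_setup against the full setup.xml above and the app's real default files catches a block whose entity no longer matches a renamed stanza, or an input field that has no default to display.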

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
