Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Define navigation to saved searches and reports

As a knowledge manager you should ensure that your saved searches and reports appear in the top-level navigation menus of your Splunk apps in a logical manner that facilitates ease of discovery. To do this you need to customize the navigation menus for your apps. If you fail to attend to your navigation menus, over time they may become overlong and inefficient, as saved searches and reports are added without subsequent categorization.

To manage the way your searches are saved and organized in the top-level navigation menu for an app, you need to work with the code behind the nav menu. When you do this, keep in mind that the nav code refers to lists of searches and reports as collections.

The following subtopics describe various things you can do to organize your saved search and reports listings in the top-level navigation menu. For details on how to adjust the XML code for the navigation menu, see "Build navigation for your app" in the Developer manual.

Set up a default collection

Each app should have a default collection set up for "unclassified" searches. Unclassified searches are any searches that haven't been explicitly identified in the nav menu code. This is the collection in which all newly saved searches appear. In the Search app, for example, the default collection is Searches & Reports.

If you do not set up a default collection, you will have to manually add saved searches to the nav code to see them in your app's top-level navigation menu.

Note: A default collection should also be set up for unclassified views and dashboards.

For detailed instruction on setting up a default collection by editing the navigation XML, see "Build navigation for your app" in the Developer manual.

Organize saved searches in nested collections

As the number of saved searches and reports that are created for an app grows, you're going to want to find ways to organize those searches in a logical manner. You can manually construct collections that group lists together by function. Going further, you can set up nested collections that subdivide large collections into groups of smaller ones.

In the Search app, nested collections are used to group similar types of searches together:

Navigation nestedcollections.png

For detailed instruction on organizing saved searches and reports in nested collections by editing the navigation XML, see "Build navigation for your app" in the Developer manual.

Dynamically group together saved searches

Collections can be set up to dynamically group together saved searches that have matching substrings in their names. For example, in the Search app example above, a nested collection groups together all uncategorized searches with the string "admin" in their titles.

There are two ways that saved searches can be dynamically grouped together with matching substrings:

  • As a collection of uncategorized substring-matching searches, which means that the collection only displays searches that haven't been manually added to another collection.
  • As a collection of all substring-matching searches, which means that the collection displays all searches with the matching substring whether or not they appear elsewhere in the navigation menu.

Note: In both cases, only saved searches and reports that are available to the app with which the navigation menu is associated are displayed.

For detailed instruction on setting up your navigation XML so it dynamically groups together similar saved searches, see "Build navigation for your app" in the Developer manual.

Design form searches
Use summary indexing for increased reporting efficiency

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


There are now four links in this topic to the Developer Manual topic that will show you how to set up saved search and report navigation via XML updates. Please note that the topic being linked to can be used both for new and *existing* apps.

Mness, Splunker
February 25, 2013

This really look exactly what I need to do. But how do I do it? Especially if I don't have my own APP, I am not developing my own app. I just need to customize the search app better.

August 18, 2010

Per Robp, this document states that this can be done but doesn't direct the reader to the instructions and examples on how to do it. It would be a good idea to provide a link to that section of the doc.<br />-wolverine

August 13, 2010

found how to manually construct navigation here:<br /><br />http://www.splunk.com/base/Documentation/4.1.3/Developer/Step6BuildNavigation

July 7, 2010

How does one "manually construct collections that group lists together by function" as listed above?

July 7, 2010

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters