As a knowledge manager you should ensure that your saved searches and reports appear in the top-level navigation menus of your Splunk apps in a logical manner that facilitates ease of discovery. To do this you need to customize the navigation menus for your apps. If you fail to attend to your navigation menus, over time they may become overlong and inefficient, as saved searches and reports are added without subsequent categorization.
To manage the way your searches are saved and organized in the top-level navigation menu for an app, you need to work with the code behind the nav menu. When you do this, keep in mind that the nav code refers to lists of searches and reports as collections.
The following subtopics describe ways to organize your saved search and report listings in the top-level navigation menu. For details on how to adjust the XML code for the navigation menu, see "Build navigation for your app" in the Developer manual.
Set up a default collection
Each app should have a default collection set up for "unclassified" searches. Unclassified searches are any searches that haven't been explicitly identified in the nav menu code. This is the collection in which all newly saved searches appear. In the Search app, for example, the default collection is Searches & Reports.
If you do not set up a default collection, you will have to manually add saved searches to the nav code to see them in your app's top-level navigation menu.
Note: A default collection should also be set up for unclassified views and dashboards.
For detailed instructions on setting up a default collection by editing the navigation XML, see "Build navigation for your app" in the Developer manual.
Organize saved searches in nested collections
As the number of saved searches and reports that are created for an app grows, you're going to want to find ways to organize those searches in a logical manner. You can manually construct collections that group lists together by function. Going further, you can set up nested collections that subdivide large collections into groups of smaller ones.
In the Search app, nested collections are used to group similar types of searches together:
For detailed instructions on organizing saved searches and reports in nested collections by editing the navigation XML, see "Build navigation for your app" in the Developer manual.
Dynamically group together saved searches
Collections can be set up to dynamically group together saved searches that have matching substrings in their names. For example, in the Search app example above, a nested collection groups together all uncategorized searches with the string "admin" in their titles.
There are two ways that saved searches can be dynamically grouped together with matching substrings:
- As a collection of uncategorized substring-matching searches, which means that the collection only displays searches that haven't been manually added to another collection.
- As a collection of all substring-matching searches, which means that the collection displays all searches with the matching substring whether or not they appear elsewhere in the navigation menu.
Note: In both cases, only saved searches and reports that are available to the app with which the navigation menu is associated are displayed.
For detailed instructions on setting up your navigation XML so it dynamically groups together similar saved searches, see "Build navigation for your app" in the Developer manual.
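The three techniques described above (a default collection, nested collections, and both kinds of substring matching) can be combined in one navigation file. The following is an added example, not taken from the Splunk documentation; the collection labels, the saved search names, and the "firewall" substring are constructed for illustration.

```xml
<!-- Added example: navigation XML for an app (default/data/ui/nav/default.xml). -->
<!-- Labels and saved search names below are constructed sample values. -->
<nav>
  <view name="flashtimeline" default="true" />

  <collection label="Searches &amp; Reports">

    <!-- Nested collection built by hand: each search is named explicitly, -->
    <!-- so it counts as classified and is left out of "unclassified" lists. -->
    <collection label="Errors">
      <saved name="Errors in the last 24 hours" />
      <saved name="Errors in the last hour" />
    </collection>

    <!-- Dynamic group of uncategorized searches: shows only searches with -->
    <!-- "admin" in the name that are not manually added to another collection. -->
    <collection label="Admin">
      <saved source="unclassified" match="admin" />
    </collection>

    <!-- Dynamic group of all matching searches: shows every search with -->
    <!-- "firewall" in the name, even if it also appears elsewhere in the menu. -->
    <collection label="All firewall searches">
      <saved source="all" match="firewall" />
    </collection>

    <divider />

    <!-- Default collection entry: newly saved searches that are not -->
    <!-- identified anywhere in this file appear here. -->
    <saved source="unclassified" />
  </collection>

  <!-- Default collection for unclassified views and dashboards. -->
  <collection label="Views">
    <view source="unclassified" />
  </collection>
</nav>
```

Without the `<saved source="unclassified" />` entry, a newly saved search stays out of the menu until someone adds it to the file by name.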
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7