Splunk® Enterprise

Module System User Manual

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Module Reference

Important notice: As part of Advanced XML deprecation, the Module System is officially deprecated beginning with Splunk Enterprise 6.3. For more information, see Advanced XML Deprecation.

Base class

Splunk.Module

This is the abstract base class for all modules.

required params

(none)

optional params

(none)

DispatchingModule

(extends Splunk.Module) This is the abstract base class for all modules that can only work with dispatched searches.

required params

(none)

optional params

(none)

UnixDrilldown

(extends Splunk.Module) This module handles custom drilldown for the Unix app

required params

(none)

optional params

  • drilldownKey
    • Specify the field name for the drilldown, or omit to use just the event search for drilldown

Unix_FTR

(extends Splunk.Module) This module provides the facility to check if the unix app has been configured, as well as if the ta-unix add-on is concurrently installed, which represents a potential collision

required params

  • configLink
    • This parameter is the relative URL that admins should be redirected to

optional params

(none)

Unix_IFrame

(extends IFrameInclude) This module provides the Splunk *nix App with the ability to load a custom controller without a priori knowledge of the app namespace

required params

(none)

optional params

  • check_exists = False | True
    • DEPRECATED This checks to see if the remote or local src exists. It defaults to false. NOTE: Local app static files are skipped if check_exists is set to True.
    • defaults to: False
  • height
  • src
    • Not required by this module

Converters

ConvertToDrilldownSearch

(extends Splunk.Module) EXPERIMENTAL.

required params

(none)

optional params

  • drilldown.direction = up | down
    • EXPERIMENTAL - this determines whether drilldown intentions are sent to downstream modules or to upstream modules.
    • defaults to: down
  • drilldownPrefix
    • Not required. Since this defaults to 'click', by default the module will look for the keys 'click.name', 'click.value', 'click.name2', 'click.value2'. In cases where you are nesting multiple drilldown patterns in the same view, this key is available to look for keys like 'click2.name', or 'hostClick.value' instead.
    • defaults to: click
  • enableDebugOutput = True | False
    • when on, there will be some fields that output the args to the drilldown intention, as well as the timerange and underlying base Search
    • defaults to: False

ConvertToIntention

(extends Splunk.Module) Converts a setting value to an intention, which it adds to its context and passes to its children.

required params

  • intention
    • This is the intention to add to the current search context. If 'settingToConvert' is defined, use the "$target$" keyword within the intention somewhere to specify which value in the intention to replace. If 'settingToConvert' is omitted, you do not use "$target$" but instead specify the setting name or names directly , ie "$selectedHost$".

optional params

  • preserveParentIntentions
    • LEGACY. Has no function. this module was changed to *always* preserve existing intentions @62089 in june 2009, but this associated param was never removed.
    • defaults to: False
  • settingToConvert
    • When set, this defines the name of a single setting value that will be set the intention, and which is then specified with a special "$target$" syntax. It's easier to not set this parameter, in which case you're allowed to specify the keys directly like "selectedHost" or "$foo.bar$";

ConvertToRedirect

(extends Splunk.Module) Deprecated

required params

  • settingToConvert
  • type

optional params

(none)

Form elements

StaticRadio

(extends AbstractStaticFormElement)

required params

  • name
  • settingToCreate
  • staticFieldsToDisplay

optional params

  • checked
  • label
  • searchWhenChanged
    • defaults to: True

StaticSelect

(extends AbstractStaticFormElement)

required params

  • settingToCreate
  • staticFieldsToDisplay

optional params

  • label
  • searchWhenChanged
    • defaults to: True
  • selected

Include

AjaxInclude

(extends Splunk.Module) Deprecated: EXPERIMENTAL. A simple wrapper for integrating external content via XMLHTTPRequest within the module framework. Note this is limited to same domain constraints. Emulates iframe like behavior (page is not refreshed on clicks) and binds an ajaxForm handler to all forms.

required params

  • endpoint
    • This determines the initial endpoint.

optional params

  • data
    • The associated query string name/value pairs to add to the POST/GET request.
  • focus
    • An optional element selector to apply form element focus on. See http://docs.jquery.com/Selectors for selector syntax. Defaults to an auto-focus algorithm if undefined. To disable auto-focus provide an invalid selector such as "foobar"
  • hrefattributes
    • The regular expression attributes for anchor element href attribute values that should not refresh the page on click/keydown. Defaults to no attributes excluding anchor elements with target or rel values.
  • hrefpattern
    • The regular expression pattern for anchor element href attribute values that should not refresh the page on click/keydown. Defaults to matching everything excluding anchor elements with target or rel values.
    • defaults to: .*
  • method = GET | POST
    • The type of initial request to make "POST" or "GET".
    • defaults to: GET

IFrameInclude

(extends Splunk.Module) This simple module uses an inline frame (iframe) to show content from another URL.

required params

  • src
    • This is the URL to a remote resource to be displayed in the module. Supports remote URI's (ie., http://foobar.com/hello), local app static files (ie., hello.html found in $SPLUNK_HOME/etc/apps/$APPNAME/appserver/static) and relative locations (ie., /manager).

optional params

ServerSideInclude

(extends Splunk.Module) This module supports the concept of server side includes for custom content. Additionally, the Mako (see: http://www.makotemplates.org/) template language is supported.

required params

  • src
    • This specifies the static html file that should be displayed in the given view. When you give it a filename, Splunk attempts to fetch the file from the current application static folder: /etc/apps/<app_name>/appserver/static/* (Note: absolute URI's not supported). If the resource can't be found, a simple message inline is displayed.

optional params

(none)

Jobs

JobManager

(extends Splunk.Module) This large module dominates the page and is intended to supply management functionality for many previously dispatched searches.

required params

  • jobStatusSetting
  • namespaceSetting
  • ownerSetting

optional params

  • count
    • defaults to: 10
  • offset
    • defaults to: 0
  • sortDir
    • defaults to: desc
  • sortKey
    • defaults to: dispatch_time

JobStatus

(extends DispatchingModule) This module is intended to supply basic search management functionality and information/general status information.

required params

(none)

optional params

  • actionsMenuFilter
    • Sets the filter on which action menu items to show.
    • defaults to: False
  • autoPauseInterval
    • Number of seconds to wait before automatically pausing the running job; only active when the Search.Context object contains a 'auto_pause' setting = true.
    • defaults to: 30
  • enableWizards = True | False
    • Controls the display of wizard work flows.
    • defaults to: True
  • hideOnJobDone = True | False
    • in certain cases (notably in Report Builder), the JobStatus module is only visible while the search is running, and when the search has finished, it dissappears and a different module takes its place.
    • defaults to: False
  • resultsLink
    • This param itself contains nested params. It is a dictionary of config values that specifies behaviour for a link that should only be shown to the user when the search has completed. The link sends the user to the configured view (within the same app), and Splunk loads that view with these search results. Contains a required 'viewTarget' sub-param that is the view to which the user should be sent. And also an optional 'popup' sub-param that when True will make the link open a new popup window.
  • showCreateMenu
    • Set a bool to determin if the Create menu should be displayed
    • defaults to: True
  • showSaveMenu
    • Set a bool to determin if the Save menu should be displayed
    • defaults to: True

Lister

EntityLinkLister

(extends AbstractEntityLister)

required params

  • entityPath
    • This should be a valid entity path such as saved/searches.

optional params

  • count
    • The number of list elements to list. This value only pertains to the dynamically generated list elements, not to the static elements. In some concrete implementations, this value can be provided by a Paginator module and provide paging behavior.
  • delimiter
    • The character to use to separate each listed field. Some concrete implementations of lists do not use the delimiter, such as the options lister.
    • defaults to: |
  • entityFieldsToDisplay
    • The entity fields to display. These are specified as <list> objects in a view xml specification and must contain at least a "label" definition or a "multiLabel" definition. If "label" is defined it should be set to the name of a field in the entity listing that will become the label of the generated list. If "multiLabel" is defined it must be specified as a Python sprintf string where the tokens should map to fields in the entity list. The <list> object may also contain the following options: "value" definition which is used by child classes to define the lister's behavior.
  • namespace
    • The namespace to use when requesting the list of entities. Normally this defaults to the current application's name.
  • offset
    • The starting offset for the dynamically generated list elements.
  • outputMode
    • This is set to li by default so it need not be declared in a view configuration file. DO NO CHANGE THIS (unless you really know what you're doing).
    • defaults to: li
  • owner
    • The owner to use when requesting the list of entities. Normally this defaults to the current user.
  • postProcess
    • The post process search to apply to the entity request.
  • searchWhenChanged
    • Usually the concrete Lister modules push their changes to their children when a user has acted on the list of elements. In some cases this is not desirable, such as in the simplified form configurations.
    • defaults to: True
  • settingToCreate
    • The setting to generate and pass down to child modules.
  • sortDir = asc | desc
    • The direction to sort the results. This option may only be defined if the sortKey option is also defined.
  • sortKey
    • The field on which to sort the results. This is often deferred to Python's default sort algorithm and will observe Python's sort behavior.
  • staticFieldsToDisplay
    • A set of <list> objects which define static list elements to add to the dynamically generated list elements. For example a static option with a label of "Any" and a value of "*" might be desired in addition to a list of saved searches generated by the entity lister. Static fields are defined in much the same way as entity fields, as <list> objects with a "label" definition that is set to the explicit label (i.e. "Any") and an optional value definition set to the value (i.e. "*").

EntityRadioLister

(extends AbstractEntityLister)

required params

  • entityPath
    • This should be a valid entity path such as saved/searches.
  • name
    • The name of the form to create.
  • settingToCreate

optional params

  • checked
    • The radio button to select after rending the options from a search.
  • count
    • The number of list elements to list. This value only pertains to the dynamically generated list elements, not to the static elements. In some concrete implementations, this value can be provided by a Paginator module and provide paging behavior.
  • delimiter
    • The character to use to separate each listed field. Some concrete implementations of lists do not use the delimiter, such as the options lister.
    • defaults to: |
  • entityFieldsToDisplay
    • The entity fields to display. These are specified as <list> objects in a view xml specification and must contain at least a "label" definition or a "multiLabel" definition. If "label" is defined it should be set to the name of a field in the entity listing that will become the label of the generated list. If "multiLabel" is defined it must be specified as a Python sprintf string where the tokens should map to fields in the entity list. The <list> object may also contain the following options: "value" definition which is used by child classes to define the lister's behavior.
  • label
    • The label to apply to the set of radio buttons.
  • namespace
    • The namespace to use when requesting the list of entities. Normally this defaults to the current application's name.
  • offset
    • The starting offset for the dynamically generated list elements.
  • outputMode
    • This is set to radio by default so it need not be declared in a view configuration file. DO NO CHANGE THIS (unless you like
    • s as radio buttons).
    • defaults to: radio
  • owner
    • The owner to use when requesting the list of entities. Normally this defaults to the current user.
  • postProcess
    • The post process search to apply to the entity request.
  • searchWhenChanged
    • Usually the concrete Lister modules push their changes to their children when a user has acted on the list of elements. In some cases this is not desirable, such as in the simplified form configurations.
    • defaults to: True
  • sortDir = asc | desc
    • The direction to sort the results. This option may only be defined if the sortKey option is also defined.
  • sortKey
    • The field on which to sort the results. This is often deferred to Python's default sort algorithm and will observe Python's sort behavior.
  • staticFieldsToDisplay
    • A set of <list> objects which define static list elements to add to the dynamically generated list elements. For example a static option with a label of "Any" and a value of "*" might be desired in addition to a list of saved searches generated by the entity lister. Static fields are defined in much the same way as entity fields, as <list> objects with a "label" definition that is set to the explicit label (i.e. "Any") and an optional value definition set to the value (i.e. "*").

EntitySelectLister

(extends AbstractEntityLister)

required params

  • entityPath
    • This should be a valid entity path such as saved/searches.
  • settingToCreate

optional params

  • count
    • The initial number of entity items to load.
  • delimiter
    • The character to use to separate each listed field. Some concrete implementations of lists do not use the delimiter, such as the options lister.
    • defaults to: |
  • entityFieldsToDisplay
    • The entity fields to display. These are specified as <list> objects in a view xml specification and must contain at least a "label" definition or a "multiLabel" definition. If "label" is defined it should be set to the name of a field in the entity listing that will become the label of the generated list. If "multiLabel" is defined it must be specified as a Python sprintf string where the tokens should map to fields in the entity list. The <list> object may also contain the following options: "value" definition which is used by child classes to define the lister's behavior.
  • label
  • namespace
    • The namespace to use when requesting the list of entities. Normally this defaults to the current application's name.
  • offset
    • The starting offset for the dynamically generated list elements.
  • outputMode
    • This is set to options by default so it need not be declared in a view configuration file. DO NO CHANGE THIS (unless you like
    • s in your <select>s).
    • defaults to: options
  • owner
    • The owner to use when requesting the list of entities. Normally this defaults to the current user.
  • postProcess
    • The post process search to apply to the entity request.
  • searchWhenChanged
    • Usually the concrete Lister modules push their changes to their children when a user has acted on the list of elements. In some cases this is not desirable, such as in the simplified form configurations.
    • defaults to: True
  • selectUsingValue = True | False
    • If true, then select the option using its value. Otherwise, use its label.
    • defaults to: False
  • selected
    • The option to show as selected. This is based on the label value, for example "selected = Edit" looks for an option whose label value is also "Edit".
  • sortDir = asc | desc
    • The direction to sort the results. This option may only be defined if the sortKey option is also defined.
  • sortKey
    • The field on which to sort the results. This is often deferred to Python's default sort algorithm and will observe Python's sort behavior.
  • staticFieldsToDisplay
    • A set of <list> objects which define static list elements to add to the dynamically generated list elements. For example a static option with a label of "Any" and a value of "*" might be desired in addition to a list of saved searches generated by the entity lister. Static fields are defined in much the same way as entity fields, as <list> objects with a "label" definition that is set to the explicit label (i.e. "Any") and an optional value definition set to the value (i.e. "*").

SearchLinkLister

(extends AbstractSearchLister)

required params

(none)

optional params

  • applyOuterIntentionsToInternalSearch
    • if set to True, any intentions passed down from an upstream module will be used to drive the internal search of this module. This should be used with caution, but when used carefully allows form elements to drive each others searches in interesting ways.
  • applyOuterTimeRangeToInternalSearch
    • if set to True, any timeRange passed down from an upstream module like TimeRangePicker, in addition to being used to effect the main searches in the page, will also be used to drive the internal search of this module.
  • count
    • The initial number of search items to load.
    • defaults to: 100
  • delimiter
    • defaults to: |
  • earliest
    • The earliest time to bound the search results by.
  • entityName = events | results
    • The type of search result data the module would like to work with. When entityName == results statusBuckets is set to 0, which cannot be overridden, in an attempt to significantly speed up the search.
    • defaults to: results
  • latest
  • namespace
  • outputMode
    • This is set to li by default so it need not be declared in a view configuration file. DO NO CHANGE THIS.
    • defaults to: li
  • owner
  • postProcess
    • The post process search to apply to the search request.
  • savedSearch
    • A valid saved search name.
  • search
    • A valid Splunk search string used to power the internal representation of the module.
  • searchFieldsToDisplay
  • searchWhenChanged
    • Usually the Lister modules should push their changes to their children. In some cases this is not desirable, such as in the simplified form configurations.
    • defaults to: True
  • settingToCreate
  • sortDir
  • sortKey
  • staticFieldsToDisplay
  • statusBuckets
    • defaults to: 300
  • tokenPrefix
    • defaults to: click
  • useHistory
    • When "savedSearch" is defined, this dictates whether a new job based on a saved search should be dispatched (useHistory == False), a cached job from a saved search's history should be used (useHistory == True) or if no job is cached in the saved search's history, dispatch a new job (useHistory == auto).
    • defaults to: Auto

SearchRadioLister

(extends AbstractSearchLister)

required params

  • name
    • The name of the form to create.

optional params

  • applyOuterIntentionsToInternalSearch
    • if set to True, any intentions passed down from an upstream module will be used to drive the internal search of this module. This should be used with caution, but when used carefully allows form elements to drive each others searches in interesting ways.
  • applyOuterTimeRangeToInternalSearch
    • if set to True, any timeRange passed down from an upstream module like TimeRangePicker, in addition to being used to effect the main searches in the page, will also be used to drive the internal search of this module.
  • checked
    • The radio button to select after rending the options from a search.
  • count
    • The initial number of search items to load.
    • defaults to: 100
  • delimiter
    • defaults to: |
  • earliest
    • The earliest time to bound the search results by.
  • entityName = events | results
    • The type of search result data the module would like to work with. When entityName == results statusBuckets is set to 0, which cannot be overridden, in an attempt to significantly speed up the search.
    • defaults to: results
  • label
    • The label to apply to the set of radio buttons.
  • latest
  • namespace
  • outputMode
    • This is set to radio by default so it need not be declared in a view configuration file. DO NO CHANGE THIS (unless you like
    • s as radio buttons).
    • defaults to: radio
  • owner
  • postProcess
    • The post process search to apply to the search request.
  • savedSearch
    • A valid saved search name.
  • search
    • A valid Splunk search string used to power the internal representation of the module.
  • searchFieldsToDisplay
  • searchWhenChanged
    • Usually the Lister modules should push their changes to their children. In some cases this is not desirable, such as in the simplified form configurations.
    • defaults to: True
  • settingToCreate
  • sortDir
  • sortKey
  • staticFieldsToDisplay
  • statusBuckets
    • defaults to: 300
  • tokenPrefix
    • defaults to: click
  • useHistory
    • When "savedSearch" is defined, this dictates whether a new job based on a saved search should be dispatched (useHistory == False), a cached job from a saved search's history should be used (useHistory == True) or if no job is cached in the saved search's history, dispatch a new job (useHistory == auto).
    • defaults to: Auto

SearchSelectLister

(extends AbstractSearchLister)

required params

(none)

optional params

  • applyOuterIntentionsToInternalSearch
    • if set to True, any intentions passed down from a parent module will be used to drive the internal search of this module. This should be used with caution, but when used carefully allows form elements to drive each others searches in interesting ways.
  • applyOuterTimeRangeToInternalSearch
    • if set to True, any timeRange passed down from an upstream module like TimeRangePicker, in addition to being used to effect the main searches in the page, will also be used to drive the internal search of this module.
  • count
    • The initial number of entity items to load.
  • delimiter
    • defaults to: |
  • earliest
    • The earliest time to bound the search results by.
  • entityName = events | results
    • The type of search result data the module would like to work with. When entityName == results statusBuckets is set to 0, which cannot be overridden, in an attempt to significantly speed up the search.
    • defaults to: results
  • label
  • latest
  • namespace
  • outputMode
    • This is set to options by default so it need not be declared in a view configuration file. DO NO CHANGE THIS (unless you like
    • s in your <select>s).
    • defaults to: options
  • owner
  • postProcess
    • The post process search to apply to the search request.
  • savedSearch
    • A valid saved search name.
  • search
    • A valid Splunk search string used to power the internal representation of the module.
  • searchFieldsToDisplay
  • searchWhenChanged
    • Usually the Lister modules should push their changes to their children. In some cases this is not desirable, such as in the simplified form configurations.
    • defaults to: True
  • selected
    • The option to show as selected. This is based on the label value, for example "selected = Edit" looks for an option whose label value is also "Edit".
  • settingToCreate
  • sortDir
  • sortKey
  • staticFieldsToDisplay
  • statusBuckets
    • defaults to: 300
  • tokenPrefix
    • defaults to: click
  • useHistory
    • When "savedSearch" is defined, this dictates whether a new job based on a saved search should be dispatched (useHistory == False), a cached job from a saved search's history should be used (useHistory == True) or if no job is cached in the saved search's history, dispatch a new job (useHistory == auto).
    • defaults to: Auto

Messaging

Message

(extends DispatchingModule) This module can display all messages to the user, or can be configured to display just a certain class of messages. Messages might come from searches, from alerts firing, from misconfiguration on the backend, from information about indexing status etc. The simplest configuration is a single Message instance with filter set to '*' -- meaning it will display all the messages broadcast. However, you can use multiple Message modules with different 'filter' params displayed in separate layout panels throughout a view. Messages are passed with a defined class, such as splunk.search.error. So if you have two Message instances, one configured with a filter of '*', and another with a filter of splunk.search, the latter will receive the splunk.search.error events, and the "*" instance will not. However when an unexpected message is passed down with the class of splunk.indexing.warn, the splunk.search instance will not display it but the '*' instance will.

required params

  • clearOnJobDispatch
    • Set to True to clear messages whenever a new search is dispatched.
  • filter
    • Specify a filter to listen to only certain classes of messages. When blank, the module displays all the messages broadcast.
  • maxSize
    • Set the number of messages to display before throwing away the oldest ones.

optional params

  • default
    • When present, the module loads with this value showing.
  • level
    • When set, will only emit messages equal to or higher than the specified level.
    • defaults to: *

Nav

AccountBar

(extends Splunk.Module) The bar at the top of most views, that contains the logo, says logged in as <user>, and contains the logout and admin links.

required params

(none)

optional params

  • cancelJobsOnLogoClick = True | False
    • Controls if a click on the app logo cancels all jobs or not.
    • defaults to: True
  • mode = popup | full | lite
    • When this is set to 'popup,' there are no links, the logo cannot be clicked, the view name is displayed instead of the app name, and there is a close button in the upper right. 'lite' mode displays only the account links and a back link, no logo or app menu.
    • defaults to: full
  • popupTitle
    • Title shown next to the Splunk logo on AccountBar in popup mode

AppBar

(extends Splunk.Module) This is the bar second from the top in most views. It contains the top level view categories (by default Dashboards Views Saved Searches), and the auxiliary links section (help | preferences | about).

required params

(none)

optional params

(none)

BreadCrumb

(extends Splunk.Module) Simple navigation breadcrumb for a multi-view flow.

required params

(none)

optional params

  • goBackOnJobCancelled = True | False
    • If True, whenever any job on the current page is cancelled the module will take the user away from the current view. If the module has no 'earlier' links, it will go to the default view in the current app. If the module does have a link to an 'earlier' view then it will go there. At that point it will make an effort to commit outstanding viewstate changes, swap out the (now dead) 'sid' for a corresponding 'q' arg in the permalink, and preserve any other existing querystring arguments.
    • defaults to: False
  • options
    • This is a list of views to link to as well as labels for the links. When absent, the Breadcrumb module can still print out the saved search name, or saved report name.

DashboardTitleBar

(extends DispatchingModule) A simple dashboard title bar with edit controls for simple xml dashboards.

required params

(none)

optional params

(none)

ManagerBar

(extends Splunk.Module) This is a header bar that shows up at the top of the view. Used specifically in Splunk Manager. When present in any view, it will display a header of "Manager: <view name>".

required params

(none)

optional params

(none)

TitleBar

(extends DispatchingModule) Control menu/actions menu. This module is persistent, and contains information such as the name of the dashboard, the name of the view, or the name of the view and associated saved search. The titlebar functions as a place for contextual actions, like saving a new search that has been run after loading a view.

required params

(none)

optional params

  • actionsMenuFilter
    • Sets the filter on which action menu items to show.
    • defaults to: False
  • showActionsMenu = True | False
    • Toggle whether or not to show the actions menu.
    • defaults to: True


Report builder

AdvancedModeToggle

(extends Splunk.Module) this is a class that wont be used outside of report builder, documentation for which is TBD.

required params

(none)

optional params

(none)

BaseReportBuilderField

(extends Splunk.Module) This is the abstract base class of all of the report_builder modules that effect the underlying search.

required params

(none)

optional params

(none)

ReportBuilderSearchField

(extends BaseReportBuilderField) this is a class for report builder, that has significantly more complex behaviour than SearchField, and is useful only in the report_builder view

required params

(none)

optional params

(none)

ReportSubType

(extends BaseReportBuilderField) This module contains a pulldown that allows you to split 'trend over time' and 'correlation' searches by a single field, split them by multiple series, or not split them at all.

required params

(none)

optional params

(none)

ReportType

(extends BaseReportBuilderField) This module contains a pulldown that allows you to select the general type of report that you are trying to build. Examples of its options are 'trend over time', 'correlation', 'top values of a given field' etc..

required params

(none)

optional params

(none)

SingleFieldChooser

(extends BaseReportBuilderField) This module contains a pulldown that allows you to select the field that you wish to use on the y-axis. This is generally used in conjunction with StatChooser which specifies the aggregator function for this field chosen here. Eg. if this module is set to 'kbps', and StatChooser is set to 'max', then the overall y-axis value will be max(kbps)

required params

(none)

optional params

(none)

SplitByChooser

(extends BaseReportBuilderField) This module contains a pulldown that allows you to select the field that you wish to split by, when doing a 'trend over time' or 'correlation' search, and when youve chosen to split by a single field.

required params

(none)

optional params

(none)

StatChooser

(extends BaseReportBuilderField) This module contains a pulldown that allows you to select the aggregator function that you wish to apply to your y-axis field. Its options include functions like 'sum', 'average', 'count' and 'distinct count', .

required params

(none)

optional params

(none)

TimeRangeBinning

(extends BaseReportBuilderField) This module contains a text field and a pulldown, that together the user can use to set the size of buckets in 'trend over time' searches. The first field takes an integer, and the pulldown contains options of 'month, day, hour, minute, second'

required params

(none)

optional params

(none)

Paginator

Paginator

(extends DispatchingModule) This module displays a series of links to page around in your data. It must be configured to page either through the 'events' or the 'results' of your search.

required params

  • entityName = events | results | settings | auto
    • This determines whether the paginator builds links based on the number of events, the number of final results, or a settings map change. (While these are often the same, in searches with transforming commands these numbers are generally different.)

optional params

  • count
    • This determines the number of items to be shown per page.
    • defaults to: 10
  • maxPages
    • This determines the maximum number of page links that the module will display on the page at a time.
    • defaults to: 10

Results

AddTotals

(extends DispatchingModule) This module contains a checkbox that toggles whether or not results are previewable.

required params

(none)

optional params

  • enable
    • This determines whether the control should be checked initially.
    • defaults to: false

AxisScaleFormatter

(extends BaseChartFormatter) This module contains a pulldown that allows you to choose whether you want the y-axis scale to be scaled logarithmically or linearly. When any other module has set the 'stacked' option, any log scaling becomes meaningless and so this module will both become invisible and revert to 'linear'.

required params

(none)

optional params

  • default
    • the selected axis scale type

BaseChartFormatter

(extends Splunk.Module) this is an abstract base class for other chart formatting modules. This module should never itself be configured within a view.

required params

(none)

optional params

(none)

ChartTitleFormatter

(extends BaseChartFormatter) This module contains a text field that you can use to set the overall title of your chart.

required params

(none)

optional params

  • default
    • Can be used to specify the default value for the module.
  • label
    • This is the string it displays. If not present, it defaults to 'Chart Title' (and it passes it through gettext for localization)

ChartTypeFormatter

(extends BaseChartFormatter) this module contains a pulldown that you can use to change between 'column', 'line', 'area' and various other chart types.

required params

(none)

optional params

  • default
    • Specifies the chart type that should be initially selected
    • defaults to: column
  • ensureCompatibleType
    • Ensures that the chart types are compatible with the search.
    • defaults to: false

Count

(extends DispatchingModule) This module allows the user to determine the number of events that should be displayed at a time.

required params

  • options
    • This is a list whose items have two required keys, 'text' and 'value'.

optional params

  • count
    • DEPRECATED. use 'default' instead. If both default and count are specified, count will be ignored.
  • default
    • Indicates the starting count value to broadcast to modules that are listening.

DataOverlay

(extends DispatchingModule) This module allows the user to determine the data overlay mode for results

required params

(none)

optional params

  • dataOverlayMode
    • DEPRECATED. use 'default'. If both dataOverlayMode and default are specified, dataOverlayMode will be ignored.
    • defaults to: none
  • default = none | heatmap | highlow
    • Indicates the data overlay mode with values of heatmap, highlow and none.
    • defaults to: none

EnablePreview

(extends DispatchingModule) This module contains a checkbox that toggles whether or not results are previewable.

required params

(none)

optional params

  • display = true | false
    • This is used to control whether or not the module is visible to the user. It was originally implemented to allow simple dashboards to have previewable results.
    • defaults to: true
  • enable
    • This determines whether the control should be checked initially.
    • defaults to: false

EventsViewer

(extends AbstractPagedModule) The EventsViewer module displays events resulting from the search that it's ancestor modules combined to specify. This module is very similar to SimpleEventsViewer, and one of these two modules will in the future be folded into the other.

required params

(none)

optional params

  • count
    • This determines the number of events to display per page. Note this is almost always overridden by other modules that can set this from above.
    • defaults to: 10
  • displayRowNumbers = True | False
    • this determines if row numbers are displayed or not.
    • defaults to: False
  • enableBehavior = True | False
    • This determines if mouseover, click, etc.. behavior is on or off.
    • defaults to: True
  • enableEventActions = True | False
    • This determines if event actions are enabled or not. NOTE: Setting enableEventActions to False will hide all field actions.
    • defaults to: True
  • enableFieldActions = True | False
    • This determines if field actions are enabled or not. NOTE: Setting enableFieldActions to False will hide all field actions.
    • defaults to: True
  • enableTermSelection = True | False
    • This determines if term selection is enabled for time, raw and field name/value pairs.
    • defaults to: True
  • entityName = events | results_preview
    • Indicates the job data feed to use
    • defaults to: events
  • fields
    • This determines the fields that the module should be configured to show. It is commonly overridden by modules above like FieldPicker and HiddenFieldPicker.
  • maxLines
    • This determines the number of lines to display per event. Set to 0 to remove the explicit number of lines to display (use maxLinesConstraint instead). Other modules, such as the MaxLines module, override this property unless you set it explicitly in this module.
    • defaults to: 10
  • maxLinesConstraint
    • Browser crash control for the maximum lines displayed.
    • defaults to: 500
  • offset
    • This determines the offset to use when retrieving results for the paged module.
    • defaults to: 0
  • reportFieldLink
    • When this is present, a field dropdown link enabling a report action is presented.
  • scrollerEnable = True | False
    • When present, this module param enables the scroller.
    • defaults to: False
  • scrollerMaxHeight
    • When scrollerEnable is True, this controls the scroller maximum pixel height constraint.
    • defaults to: 10000
  • scrollerMinHeight
    • When scrollerEnable is True, this controls the scroller minumum pixel height constraint.
    • defaults to: 0
  • segmentation = raw | inner | outer | full
    • this determines the segmentation with which the events should be rendered.
    • defaults to: outer
  • softWrap
    • This determines whether the events are wrapped or not
    • defaults to: true

Export

(extends DispatchingModule) Displays a link that launches the job export utility.

required params

  • exportType

optional params

(none)

FancyChartTypeFormatter

(extends ChartTypeFormatter) this module contains a styled pulldown that you can use to change between 'column', 'line', 'area' and various other chart types.

required params

(none)

optional params

  • default
    • The type of chart to render
    • defaults to: column
  • ensureCompatibleType
    • Ensures that the chart types are compatible with the search.
    • defaults to: false

FieldViewer

(extends AbstractPagedModule) This simple module shows the top N values for a given field, along with a number in parentheses showing the number of events that had the given value.

required params

  • field
    • This is the name of the search-time or index-time field for which the module will display the top values.

optional params

  • count
    • This is the number of most common values that the module should display.
    • defaults to: 10
  • fields
    • not used by this module (but technically it gets inherited from the abstract parent class).
  • link
    • If this option is present, the module will present a link to a view. On click will pass that view the ' | top <field>' search that would generate the corresponding chart. Values are a dictionary of keys: 'viewTarget', 'label'
  • maxLines
    • This determines the number of lines to display per event. Other modules, such as the MaxLines module, override this property unless you set it explicitly in this module.
    • defaults to: 10
  • offset
    • This determines the offset to use when retrieving results for the paged module.
    • defaults to: 0

FlashChart

(extends FlashWrapper) This module contains a Flash object that is capable of charting almost any search results that the Splunk backend can generate.

required params

(none)

optional params

  • drilldownPrefix
    • Not required. Since this defaults to 'click', by default the keys will come down in the context as 'click.name', 'click.value', 'click.name2', 'click.value2'. In cases where you are nesting multiple drilldown patterns in the same view, this key is used so that the second set of keys does not collide with the first. For example if you have a nested config you might set the first to "userClick", and the second to "applicationClick".
    • defaults to: click
  • enableResize = True | False
    • Control whether the flash movies display the vertical resize handle.
    • defaults to: True
  • height
    • This specifies the height of the module. It can be a percentage or a number of pixels.
    • defaults to: 210px
  • maxResultCount
    • This specifies the maximum number of results to render per series. For a single-series chart, this creates up to <maxResultCount> data points; for a multi-series chart with m series, this creates up to (m * <maxResultCount>) data points. In general, the practical limit should be set to the number of horizontal pixels available to the chart. For example, setting this to a value like 5000, when the available space for the chart on an average screen is around 500 pixels, will have an adverse performance effect on the UI with no visible difference in the chart.
    • defaults to: 1000
  • maxRowsForTop
    • This specifies how many rows of the data should be rendered for 'top' and 'rare' results. This value overrides maxResultCount when rendering results from the special-cased results.
  • swfFile
    • This is the path, relative to $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/flash, that specifies the swf to load. The swf must conform to a very strict and thus-far undocumented spec that is not for external consumption.
    • defaults to: charting.swf
  • width
    • This specifies the width of the module. It can be a percentage or a number of pixels. Typically this is set to "100%" meaning it should fill all available space. It can also be set to a number of pixels by using a value like "500px".
    • defaults to: 100%

FlashTimeline

(extends DispatchingModule) This module contains a JavaScript object that is capable of displaying a chart of number of events over time. This chart will be updated asynchronously while the search is running.

required params

  • height
    • This specifies the height of the module. It can be a percentage or a number of pixels.
  • width
    • This specifies the width of the module. It can be a percentage or a number of pixels. Typically this is set to "100%" meaning it should fill all available space. It can also be set to a number of pixels by using a value like "500px".

optional params

  • enableResize = True | False
    • Control whether the module displays the vertical resize handle.
    • defaults to: True
  • maxBucketCount
    • Specifies the maximum number of buckets to render. This is mostly a failsafe mechanism to prevent the browser from crashing if the server returns an excessive number of buckets.
    • defaults to: 1000
  • minimized = True | False
    • when set to True, the timeline will be in a collapsed or minimized state. The user is free to open it or minimize it at any point, and any change they make will be remembered when they return to the given view.
    • defaults to: False
  • renderer = auto | canvas | flash
    • Specifies the renderer to use for the timeline. When set to auto, the module will use canvas if available, otherwise it will use flash.
    • defaults to: auto
  • statusBuckets
    • This is the maximum number of time buckets that the backend is can persist while it runs the search. When present, it overrides the default of 300. Values lower than 300 will result in slightly faster search times, but displays less information to the user.
    • defaults to: 300
  • swfFile
    • This is the path, relative to $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/flash, that specifies the swf to load. The swf must conform to a very strict and thus-far undocumented spec that is not for external consumption.
    • defaults to: timeline.swf

FlashWrapper

(extends DispatchingModule) This is the base class for all Flash modules. Unlike FlashChart and FlashTimeline, this simple module makes no assumptions about the swf it is asked to load.

required params

  • height
    • This specifies the height of the module. It can be a percentage or a number of pixels.
  • swfFile
    • This is the path, relative to $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/flash, that specifies the swf to load.
  • width
    • This specifies the width of the module. It can be a percentage or a number of pixels. Typically this is set to "100%" meaning it should fill all available space. It can also be set to a number of pixels by using a value like "500px".

optional params

  • enableResize = True | False
    • Control whether the flash movies display the vertical resize handle.
    • defaults to: True

Gimp

(extends Splunk.Module) Listens to all instructions and says nothing.

required params

(none)

optional params

(none)

HiddenChartFormatter

(extends Splunk.Module) this module contains a pulldown that you can use to change between 'column', 'line', 'area' and various other chart types.

required params

(none)

optional params

  • chart = area | bar | column | line | pie | scatter
    • Use this to change the overall type of chart you wish to generate.
  • chart.nullValueMode = connect | gaps | zero
    • Use this to that control how 'line' and 'area' charts should behave when there are gaps in the data. You can either treat null values as '0', leave an explicit gap, or interpolate between the values.
  • chart.stackMode = default | stacked | stacked100
    • Use this to make bar and area charts display in 'stacked' mode.
  • chartTitle
    • Use this to set the overall HTML title for the Flashchart module.
  • charting.*
    • This is a wildcard handler for dynamic charting properties; all must be prefixed by 'charting.'
  • legend.placement = right | bottom | left | top | none
    • Use this to change where the chart's legend is displayed relative to the chart itself
  • primaryAxisTitle.text
    • Use this to set the X-axis title. Note: in Bar chart this currently this sets the Y-axis title.
  • secondaryAxis.scale = log |
    • Use this to make the y-axis scale logarithmically or linearly. Values can be 'log' or (empty string).
  • secondaryAxisTitle.text
    • Use this to set the Y-axis title. Note: in Bar chart this currently this sets the X-axis title.

HiddenSoftWrap

(extends DispatchingModule) This module is the SoftWrap module that has no HTML component, and thus it is hidden.

required params

(none)

optional params

  • enable
    • This determines whether the control should be checked initially.
    • defaults to: true

JSChart

(extends DispatchingModule) This module contains a Javascript-based object that is capable of charting almost any search results that the Splunk backend can generate.

required params

(none)

optional params

  • drilldownPrefix
    • Not required. Since this defaults to 'click', by default the keys will come down in the context as 'click.name', 'click.value', 'click.name2', 'click.value2'. In cases where you are nesting multiple drilldown patterns in the same view, this key is used so that the second set of keys does not collide with the first. For example if you have a nested config you might set the first to "userClick", and the second to "applicationClick".
    • defaults to: click
  • enableResize = True | False
    • Control whether the chart displays the vertical resize handle.
    • defaults to: True
  • height
    • This specifies the height of the module. It can be a percentage or a number of pixels.
    • defaults to: 210px
  • maxResultCount
    • This specifies the maximum number of results to render per series. For a single-series chart, this creates up to <maxResultCount> data points; for a multi-series chart with m series, this creates up to (m * <maxResultCount>) data points. In general, the practical limit should be set to the number of horizontal pixels available to the chart. For example, setting this to a value like 5000, when the available space for the chart on an average screen is around 500 pixels, will have an adverse performance effect on the UI with no visible difference in the chart.
    • defaults to: 500
  • maxRowsForTop
    • This specifies how many rows of the data should be rendered for 'top' and 'rare' results. This value overrides maxResultCount when rendering results from the special-cased results.
  • resultTruncationLimit
    • This specifies the limit - in total number of points among all series - that will be plotted before the results are truncated. When set to 0, the module dynamically chooses a value based on the browser type and charting configuration in use. Setting this to a large number can cause negative effects on performance.
    • defaults to: 0
  • width
    • This specifies the width of the module. It can be a percentage or a number of pixels. Typically this is set to "100%" meaning it should fill all available space. It can also be set to a number of pixels by using a value like "500px".
    • defaults to: 100%

LegendFormatter

(extends BaseChartFormatter) this module contains a pulldown that you can use to change how the chart legend is displayed relative to the chart itself.

required params

(none)

optional params

  • default
    • Specifies the legend position that should be initially selected.
    • defaults to: right

LineMarkerFormatter

(extends BaseChartFormatter)

required params

(none)

optional params

  • default
    • Specifies the line marker behavior that should be initially selected.
    • defaults to: false

LinkList

(extends DispatchingModule) DEPRECATED. This module is no longer supported, and should be replaced with one of the *Lister modules in the /lists subdirectory.

required params

  • labelField
    • This is the name of the result field whose value should be displayed in the label part of the link list. Link lists are generally a combination of a descriptive label and a numeric count or other (value) field.
  • valueField
    • This is the name of the result field whose value should be displayed in the value part of the link list. This is often a count or numeric value relevant to the "label" portion of the link list.

optional params

  • initialSort
    • The field in the result set to sort on when the link list is first rendered.
  • initialSortDir = asc | desc
    • The direction to sort the results based on the initialSort field.
    • defaults to: asc
  • labelFieldSearch
    • This is the search string to generate when the user clicks on the label field. It requires labelFieldTarget to be defined to a valid view. The value of the label field is automatically added to the search.
  • labelFieldTarget
    • This is the view to target if the label field is setup to generate a clickable link that dispatches a search.
  • valueFieldSearch
    • This is the search string that is generated when the user clicks on the value field. It requires valueFieldTarget to be defined to a valid view. The value of the label field is automatically added to the search.
  • valueFieldTarget
    • This is the view to target if the value field is setup to generate a clickable link that dispatches a search.

MaxLines

(extends DispatchingModule) This module creates a control that allows the user to set the maximum number of lines to display per event.

required params

  • options
    • This is a list whose items have two required keys, 'text' and 'value'

optional params

  • default
    • Indicates the default setting for max lines per event. The value here must match one of the values in the options param.
    • defaults to: 10
  • maxLines
    • DEPRECATED. use 'default' instead. if both default and maxLines are specified, maxLines will be ignored.
    • defaults to: 10

MultiFieldViewer

(extends AbstractPagedModule) This module is typically for use within the sidebar, and shows a set of field names, with distinct counts next to them in parentheses. When the user clicks on the field names, a popup layer will open showing the top 10 values for that field. Clicking then on one of those values will add the proper field=value term and re run the search.

required params

(none)

optional params

  • count
    • This determines the number of events to display per page. Note this is almost always overridden by other modules that can set this from above.
    • defaults to: 10
  • field
    • This field was a parameter on the parent class, but is not required for this class.
  • fields
    • This determines the fields that the module should be configured to show. It is commonly overridden by modules above like FieldPicker and HiddenFieldPicker.
  • link
    • If this option is present, a link will be presented. This is used for things like 'see top values over time' in the individual layers.
  • maxDisplayLength
    • Indicates the maximum number of characters of the field name to show in the main view. Excess characters will be stripped from the middle of the string. The tooltip on the field name will display the full field name value.
    • defaults to: 25
  • maxLines
    • This determines the number of lines to display per event. Other modules, such as the MaxLines module, override this property unless you set it explicitly in this module.
    • defaults to: 10
  • offset
    • This determines the offset to use when retrieving results for the paged module.
    • defaults to: 0

NotReporting

(extends Splunk.Module) Displayed when your search does not include a command to generate statistical results.

required params

(none)

optional params

(none)

NullValueFormatter

(extends BaseChartFormatter) This module contains a pulldown that controls how 'line' and 'area' charts should behave when there are gaps in the data. You can either treat null values as '0', leave an explicit gap, or interpolate between the values.

required params

(none)

optional params

  • default
    • This specifies the null value behavior that should be initially selected.
    • defaults to: gaps

ResultsActionButtons

(extends Splunk.Module) Implements a set of buttons with which the user can save, print, export and share the results of their search or report.

required params

(none)

optional params

  • editView
    • When this is present, and when the module is displaying a saved search or saved report, it allows the module to present an 'edit' link that launches the given 'editing' view in a popup window.
  • eventsView
    • When this is present, and when the module has loaded a specific set of results, it allows the module to present a 'view events' link that will take the user to the specified view to run the portion of their search before the first transforming command.
  • renderPDF
    • When this is present, and when the module has loaded a specific set of results, it allows the module to present a 'render PDF' link that will immediately render the given view

ResultsHeader

(extends SimpleResultsHeader) This module displays a header like '23,420 events' and is for placement generally above a FlashTimeline or above a set of modules implementing paging controls

required params

  • entityLabel
    • This specifies what should appear after the displayed number. Typically this will be a value like 'events', or 'results', but for very narrowly defined views it could be 'pages edited'.
  • entityName = events | results | scanned | auto
    • This specifies how the module should get the number that it displays.

optional params

  • entityLabelSingular
    • This is the singular form of the 'entityLabel' parameter. It is displayed when there is 1 result row returned from the search.
  • headerFormat
    • This is used by SimpleResultsHeader but it is not used here where we have different containers and possibly different styles for the count, the 'label' and the time header.
  • link
    • This is a dictionary of config values specifying behaviour for a link that the module can display. This link sends the user to a different view where this search result is displayed instead. It contains a 'label' key that is the link text, and a 'viewTarget' key that is the search result view to which the user should be sent, and a 'popup' key that, when set to True, makes the link open the search result view in a new popup window.
  • prefix
    • When this option is present, the value of this key will be displayed before the number displayed. For example you can set it to 'Found', for the overall display to come out as 'Found 23,420 events'

RowNumbers

(extends DispatchingModule) This module allows the user to determine if row numbering is enabled/disabled

required params

(none)

optional params

  • default
    • This determines whether the control should be checked initially.
    • defaults to: true
  • displayRowNumbers
    • DEPRECATED. use 'default' instead. if both default and displayRowNumbers are specified, displayRowNumbers will be ignored.
    • defaults to: true

SavedSearches

(extends Splunk.Module) Deprecated: this module has a custom python implementation that it uses to display the list of saved searches for the current user.

required params

(none)

optional params

(none)

SearchMode

(extends Splunk.Module) This module creates a drop-down menu that lets users select the search mode (Fast, Verbose and Smart)

required params

(none)

optional params

  • searchModeLevel = fast | smart | verbose
    • Indicates the back-end adhoc_search_level attribute used for dispatch.
    • defaults to: smart

SearchTextSetting

(extends TextSetting) A search text input field that passes its contents down to its children as part of the settings map, styled to have a mag glass icon.

required params

  • elementName
    • The name of the input element to be added to the UI.
  • settingName
    • This is the name of the setting to be added to a settings map and passed to a module's children.

optional params

  • label
    • An html label element that can be set for the given input text element.

Segmentation

(extends DispatchingModule) Deprecated: This module allows the user to determine the segmentation type to be displayed for events.

required params

  • options
    • This is a list whose items have two required keys, 'text' and 'value'. 'value can be one of raw,inner,outer,full.

optional params

  • default
    • Indicates the segmentation value to broadcast to modules that are listening.
    • defaults to: full
  • segmentation
    • DEPRECATED. Use default instead. If both default and segmentation are specified, segmentation will be ignored.
    • defaults to: full

Selector

(extends Splunk.Module) Creates a selction list from a set of options. Options can either be configured manually or by defining an entity endpoint from which to generate its options.

required params

  • name
    • The name of the html select element generated.

optional params

  • label
    • The test to appear to the left of the selector form element.
  • listEndpoint
    • This is required if mode=list. Relatively defined list endpoint to communicate with in order to generate the options list. For example if you want a list of all the local applications set listEndpoint to "entities/apps/local".
  • mode = static | list
    • This is the mode in which the Select should work. "static" implies that it will only use the list of options provided to it to render this list. "list" designates the use of a listing endpoint to generate the option elements.
    • defaults to: static
  • options
    • This is the list of options that Splunk displays in the dropdown selector. When in 'list' mode, Splunk displays the options defined here first and then displays options received from the listEndpoint beneath them. Each option includes a text key which is the text of the option, a value key which is the value of the option and an optional selected key which, when set to True sets the current option to selected. Selected should NOT be set manually when mode=list unless no selected option has been defined for the list.
  • selected
    • If the selected value is present in the option results, this sets that option to selected. This is optional in list mode. Note, setting selected manually in the options param may conflict with this setting.
  • text
    • This is the name of the field in the list endpoint's results that should be used to generate the text of the option elements. It is required in list mode. For example, if the list returns a field called name, setting text = name means that the name field will be used to generate the visible text of the option.
  • value
    • The name of the field from the list endpoint's results that should be used to set the value of an option element. It is required in list mode.

ShowSource

(extends DispatchingModule) This module waits for the search to complete and then renders a single field from the first row of the results

required params

(none)

optional params

  • maxLinesConstraint
    • Browser crash control for the maximum lines displayed.
    • defaults to: 500

SimpleResultsHeader

(extends DispatchingModule) This module displays a header like '23,420 events' and is for placement generally above a FlashTimeline or above a set of modules implementing paging controls

required params

  • entityName = events | results | scanned | auto
    • This specifies how the module should get the number that it displays.
  • headerFormat
    • This specifies how the module should get the number that it displays.

optional params

(none)

SimpleResultsTable

(extends AbstractPagedModule) this module waits for the search to complete, and then renders its final results in a tabular format.

required params

(none)

optional params

  • allowTransformedFieldSelect
    • This indicates whether or not Splunk should observe any field list setting while it renders transformed results. It is generally only used in fixed configuration situations like dashboards. It defaults to false, which results in all fields in a transforming search being displayed.
    • defaults to: false
  • count
    • This determines the number of events to display per page. Note this is almost always overridden by other modules that can set this from above.
    • defaults to: 10
  • dataOverlayMode
    • This indicates the default data overlay mode with values of heatmap, highlow and none.
    • defaults to: none
  • displayMenu
    • This controls whether table cells have a dropdown menu with search suggestions when clicked on.
    • defaults to: False
  • displayRowNumbers
    • If this is set to true then row numbers are displayed alongside each row in the table.
    • defaults to: on
  • drilldown = all | row | none
    • This indicates whether the module allows the user to select a particular cell. The behaviour is abstract though, and the specifics are determined by the child modules in the view.
    • defaults to: none
  • drilldownPrefix
    • Not required. Since this defaults to 'click', by default the keys will come down in the context as 'click.name', 'click.value', 'click.name2', 'click.value2'. In cases where you are nesting multiple drilldown patterns in the same view, this key is used so that the second set of keys does not collide with the first. For example if you have a nested config you might set the first to "userClick", and the second to "applicationClick".
    • defaults to: click
  • entityName = events | results | auto
    • This determines whether the viewer should build table row/columns based on events, results or auto detect.
    • defaults to: auto
  • fieldFormats
    • Override presentation options for specific fields. This is currently used to specify display options for sparklines.
    • defaults to: none
  • fields
    • This determines the fields that the module should be configured to show. It is commonly overridden by modules above like FieldPicker and HiddenFieldPicker.
  • maxLines
    • This determines the number of lines to display per event. Other modules, such as the MaxLines module, override this property unless you set it explicitly in this module.
    • defaults to: 10
  • offset
    • This determines the offset to use when retrieving results for the paged module.
    • defaults to: 0

SingleValue

(extends DispatchingModule) This module waits for the search to complete and then renders a single field from the first row of the results

required params

(none)

optional params

  • additionalClass
    • An optional additional css class name to add to the result container
  • afterLabel
    • Label to display after the result
  • beforeLabel
    • Label to display before the result
  • classField
    • Adds the value of the classField of the first result as an additional css class to the result container. Pre-defined classes include 'severe', 'elevated', 'low', and 'None' (default).
  • field
    • Field to display - Defaults to first field returned
  • format = number | decimal | percent | unixtime | none
    • Specifies the data formatting method to apply to the value. Locale aware. Defaults to none.
  • linkFields
    • Specify whether to just link the result, or include labels. To link the result and both labels, specify "result,beforeLabel,afterLabel"
    • defaults to: result
  • linkSearch
    • Specify a valid complete search query to turn the result into a clickable link
  • linkView
    • Specify which view to execute the linked search against
    • defaults to: dashboard

SoftWrap

(extends DispatchingModule) This module contains a checkbox that toggles whether or not events are soft-wrapped. When off, event text will break in the page only where there is a linebreak in the actual data, and scrollbars will appear as necessary. When on, the event text will also break at the edge of the window.

required params

(none)

optional params

  • enable
    • This determines whether the control should be checked initially.
    • defaults to: true

Sorter

(extends Splunk.Module) Sorter displays a list of fields that can be sorted upon. Given a list of field names, Sorter will create a set of delimited links which the user can click on. Clicking on these links will pass a "sort" setting down to Sorter's child modules which can iterpret how to preform the sort on their own.

required params

(none)

optional params

  • delimiter
    • The delimiter used to seperate each displayed field label.
    • defaults to: |
  • fields
    • This is a list of comma delimited field labels which are displayed. If the optional param field_values isn't provided, clicking a field label passes the field label as the field value. Order is preserved in the field label list display.
  • sortDir = asc | desc
    • This provides the direction to push a sort when a Sorter module is initiated.
    • defaults to: asc
  • sortKey
    • If this is provided, it initiates the Sorter with the defined label. When undefined, this defaults internally to the first field name defined in the view config.

SplitModeFormatter

(extends BaseChartFormatter) This module contains a pulldown that indicates whether or not to show multi-series data on a single combined plot vs. a separate plot for every series. For example, a search like "search error | timechart count by host" would render a separate chart for every "host" found.

required params

(none)

optional params

  • default = true | false
    • Specifies if the chart is to be split on series
    • defaults to: false

StackModeFormatter

(extends BaseChartFormatter) This module contains a pulldown that can be used to make bar and area charts display in 'stacked' mode. When the chart type is set to a value other than 'area' or 'column', this module becomes invisible and turns off the stacked mode if it was on.

required params

(none)

optional params

  • default
    • This specifies the default stack mode
    • defaults to: default

SuggestedFieldViewer

(extends MultiFieldViewer) This module shows fields that are not selected by FieldPicker (and thus not displayed in MultiFieldViewer or other modules) but which look like they might be interesting to the user.

required params

(none)

optional params

  • count
    • This determines the number of events to display per page. Note this is almost always overridden by other modules that can set this from above.
    • defaults to: 10
  • exclude
  • field
    • This field was a parameter on the parent class, but is not required for this class.
  • fields
    • This determines the fields that the module should be configured to show. It is commonly overridden by modules above like FieldPicker and HiddenFieldPicker.
  • link
    • If this option is present, a link will be presented. This is used for things like 'see top values over time' in the individual layers.
  • maxDisplayLength
    • Indicates the maximum number of characters of the field name to show in the main view. Excess characters will be stripped from the middle of the string. The tooltip on the field name will display the full field name value.
    • defaults to: 25
  • maxFields
    • defaults to: 20
  • maxLines
    • This determines the number of lines to display per event. Other modules, such as the MaxLines module, override this property unless you set it explicitly in this module.
    • defaults to: 10
  • minDistinctCount
    • defaults to: 1
  • minFrequency
    • defaults to: 0.2
  • offset
    • This determines the offset to use when retrieving results for the paged module.
    • defaults to: 0

TextSetting

(extends AbstractFormSettingModule) A text input field that passes its contents down to its children as part of the settings map.

required params

  • elementName
    • This is the name of the input element to be added to the UI.
  • settingName
    • This is the name of the setting to be added to a settings map and passed to a module's children.

optional params

  • label
    • An html label element that can be set for the given input text element.

ViewstateAdapter

(extends Splunk.Module) Injects settingsMap settings contained within a viewstate set into the current module branch

required params

(none)

optional params

  • savedSearch
  • suppressionList
  • viewstateId

XAxisTitleFormatter

(extends BaseChartFormatter) this module contains a text field that you can use to change the title for the x-axis of your chart.

required params

(none)

optional params

  • default
    • Can be used to specify the default value for the module.

YAxisRangeMaximumFormatter

(extends BaseChartFormatter) this module contains a text field that takes an integer, that determines the maximum y-axis value that should be displayed.

required params

(none)

optional params

  • default
    • Specifies the default for the module

YAxisRangeMinimumFormatter

(extends BaseChartFormatter) This module contains a text field that takes an integer, that determines the minimum y-axis value that should be displayed.

required params

(none)

optional params

  • default
    • This specifies the module default.
    • defaults to: ""

YAxisTitleFormatter

(extends BaseChartFormatter) this module contains a text field that you can use to change the title for the y-axis of your chart.

required params

(none)

optional params

  • default
    • Can be used to specify the default value for the module.

Search

DisableRequiredFieldsButton

(extends Splunk.Module) EXPERIMENTAL

required params

(none)

optional params

  • enableFieldDiscoveryControls
    • Enables the ability to use field discovery controls for search acceleration.
    • defaults to: True
  • enabled
    • The intention to add to the Search, for downstream modules.
    • defaults to: True

ExtendedFieldSearch

(extends FieldSearch) The basis for the form elements that add or remove intentions.

required params

  • field
    • Use this to specify a field (such as a sourcetype, clientip, or any other valid field) to scope results.

optional params

  • default
    • This is the default value that will appear in the text field.
  • intention
    • The intention to add to the Search, for downstream mdoules.
  • label
    • This sets alternate text to display next to the input field. If it is omitted, the text defaults to the field parameter
  • q
    • DEPRECATED. use the 'default' param instead. If both q and default are specified, the q value will be ignored.
  • replacementMap
    • This is a map to the shortest path to values in an intention that should be replaced with the user added value.

FieldPicker

(extends HiddenFieldPicker) This module launches the field picker, a list of all available fields from which a user can select the fields to display. Descendants of this module that display events and summary information will pick up the field list specified or chosen here.

required params

  • fields
    • This provides a space-separated list of fields that are selected by default when the page loads.

optional params

  • link
    • This enables the display of links such as 'see top values over time' in the individual layers.
  • sidebarDisplay = True | False
    • Indicates if the sidebar is open or closed provided it is available in the layout.
    • defaults to: True
  • strictMode
    • "This indicates whether the list provided in the 'fields' param should be interpreted literally. When set to true, no additional fields are passed along. When set to false, standard fields like _time and _raw are automatically appended to the outgoing 'fields' setting.
    • defaults to: false

FieldSearch

(extends Splunk.Module) Restrict searches to a specific field. Use this module to configure a form search with only one form field. To configure form searches with multiple forms, use ExtendedFieldSearch.

required params

  • field
    • Use this to specify a field (such as a sourcetype, clientip, or any other valid field) to scope results.

optional params

  • default
    • Specify a default value to display when the page loads.
  • label
    • This sets alternate text to display next to the input field. If it is omitted, the text defaults to the field parameter.
  • q
    • DEPRECATED. use the 'default' param instead. If both q and default are specified, the q value will be ignored.

HiddenFieldPicker

(extends DispatchingModule) This module implements an invisible control that hardwires which fields the user will see and what order those fields are in. When they are descendants of this module, other modules that display events and summary information will pick up the field list specified or chosen here.

required params

(none)

optional params

  • fields
    • This is a space-separated list of the fields that are displayed with events by default when the page loads.
  • strictMode
    • "This indicates whether the list provided in the 'fields' param should be interpreted literally. When set to true, no additional fields are passed along. When set to false, standard fields like _time and _raw are automatically appended to the outgoing 'fields' setting.
    • defaults to: false

HiddenIntention

(extends Splunk.Module) Deprecated: Adds the given intention to any search it receives from upstream modules. There are several kinds of intentions, 'addterm', 'negateterm', 'stringreplace', and 'plot' are the main ones. A complete reference is beyond the scope of this description but one will hopefully be added to the documentation soon.

required params

  • intention
    • This layers an intention on top of the base search. If no module upstream has specified a base search, the intention will layer on top of 'search *'.

optional params

(none)

HiddenPostProcess

(extends DispatchingModule) Adds a post-process search into the data tree.

required params

  • search
    • Set a post processing query.

optional params

(none)

HiddenSavedSearch

(extends Splunk.Module) Given a saved search name, either finds the last run search for that saved search or runs a new search depending on its configuration.

required params

  • savedSearch
    • This is the name of the saved search to use when looking up a searches from the saved search's history or when dispatching a new search.

optional params

  • useHistory = Auto | None | True | False
    • useHistory defines the savedSearch module's saved search dispatch method. The default useHistory method is Auto, which means that savedSearch first tries to find a previously run job if one exists in the saved search's history. If it can't find a previously run job, savedSearch dispatches a new job based on the saved search and returns that job's sid. If useHistory is set to True, savedSearch looks only for previously run jobs dispatched by the saved search. If useHistory is set to False, savedSearch dispatches a new job based on the saved search and returns that job's sid, regardless of the presence of jobs within the saved search's history.
    • defaults to: Auto

HiddenSearch

(extends Splunk.Module) Runs a search behind the scenes. Passes results on to any children. You must set autoRun to true so that the search actually runs.

required params

(none)

optional params

  • earliest
    • This is used to define a beginning time range. It is expected if 'latest' is also defined. It sets the start point of the time range to search within.
  • latest
    • This is used to define an ending time range. It is expected if 'earliest' is also defined. It sets the ending point of the time range to search within.
  • maxCount
    • Use this when you have a search that never reports more than 10,000 events or results, and you want it to report a higher number. Specifically, this overrides the default value which is specified per generating search command in limits.conf. NOTE: when you're using the 'search' command as your generating command, and the search is being dispatched with status_buckets>=1, the resultCount/eventCount numbers were never bounded to begin with, and this setting will be equally ignored by the API.
  • maxEvents
    • This will set the auto_finalize_ec property in the Splunkd Search API when the search is dispatched. See REST API reference on splunk.com for more details.
  • search
    • The literal search string HiddenSearch passes onto its child modules.

PostProcessBar

(extends FieldSearch) Deprecated: This module lets you add a post-process search on any results you have returned. It doesnt re-run any search, but it will use that search language to do post-processing filtering on the results data.

required params

(none)

optional params

  • default
    • Set a default post processing query to appear in the search bar.
  • field
    • Overwrites default settings for field in the abstract class.
  • label
    • This sets alternate text to display next to the input field. If it is omitted, the text defaults to the field parameter.
  • q
    • Deprecated. Use the 'default' param instead. If both 'default' and 'q' are specified, 'q' will be ignored.

PostProcessFilter

(extends FieldSearch) This module lets you add a post-process search on any results you have returned. It doesn't re-run any search, but it will use that search language to do post-processing filtering on the results data.

required params

(none)

optional params

  • beforeLabel
    • Label to display before the searchfilter
    • defaults to: Filter:
  • default
    • Set a default post processing query to appear in the search filter.
  • field
    • Overwrites default settings for field in the abstract class.
  • friendlySearch = True | False
    • If 'True' and the post-process search string does not start with "search" or "|", prefix the search with "search "
    • defaults to: True
  • label
    • This sets alternate text to display next to the input field. If it is omitted, the text defaults to the field parameter.
  • prefixSearch
    • String to prefix the post search with. For example "eval _raw=source" to allow user to search source rather than _raw.
  • q
    • DEPRECATED. use the 'default' param instead. If both q and default are specified, the q value will be ignored.

RadioButtonSearch

(extends FieldSearch) This module creates a set of radio buttons with submit and cancel buttons.

required params

  • label
    • This appears next to the radio buttons, as the overall label for the whole control.
  • options
    • This is a list of two items: text and value. "Text" is the text to display next to the radio button. "Value" is the value that is selected upon clicking the radio button. You can optionally add selected to specify which button should be checked upon page load.

optional params

  • default
    • NOT supported. In the 'options' param, if you given an item a 'selected' param with True as the value it will be selected on page load.
  • field
    • When present, this module adds key value searchTerms in the form <field>=<radioButtonValue> to the search. When absent, the module adds just <radioButtonValue> to the search.
  • q
    • NOT supported

SearchBar

(extends FieldSearch) This module creates a search bar with submit and cancel buttons.

required params

(none)

optional params

  • assistantDelay
    • Number of milliseconds to wait after a user keystroke to update the assistant
    • defaults to: 200
  • autoOpenAssistant = true | false
    • Indicates if the search assistant will open automatically when typing in the search bar
    • defaults to: true
  • default
    • Specify a default search to display upon page load.
  • field
    • Overwrites default settings for field in the abstract class.
  • label
    • This sets alternate text to display next to the input field. If it is omitted, the text defaults to the field parameter.
  • q
    • DEPRECATED. use the 'default' param instead. If both q and default are specified, the q value will be ignored.
  • showCommandHelp = true | false
    • Indicates if search command help is shown
  • showCommandHistory = true | false
    • Indicates if search command history is shown
  • showFieldInfo = true | false
    • Indicates if interesting field information should be calculated and shown
  • useAssistant = true | false
    • Indicates if the search assistant is active
  • useAutoFocus
    • Will autofocus the input box so you can type your search keywords without having to position the cursor in the search box.
    • defaults to: False
  • useOwnSubmitButton = True | False
    • defaults to: True
  • useTypeahead = true | false
    • Indicates if typeahead content is rendered inside the search assistant

SimpleDrilldown

(extends Splunk.Module) Provides ability to set custom destinations for clicks on fields in a dashboard or form. Used internally in Simplified xml.

required params

(none)

optional params

  • links
    • JSON object with mapping of redirection urls. If used in advanced xml, an example value would be:
{"field1": "/app/search/flashtimeline?q=$row.field1$", "*": "http://google.com?q=$click.value2$"}.

Clicking on "field1" field would redirect to flashtimeline view, searching for field1 value. Clicking anywhere else would redirect to a Google search.

SubmitButton

(extends Splunk.Module) Creates a submit button that collects changes from its parent modules, and runs them when the user clicks the button.

required params

(none)

optional params

  • allowSoftSubmit = True | False
    • When this is present and set to 'True', any upstream modules can effectively submit the search by calling pushContextToChildren. When this is present and set to 'False' (or omitted) the user has to click the SubmitButton to submit the search.
    • defaults to: False
  • label
    • This is the button label. If the button label is blank, you'll get a small green button in the normal search view. Note that its design may change slightly in different layoutPanels and different views.
  • updatePermalink = True | False
    • When this is present and set to 'True', any search context will be persisted to the URL and the back button will work.
    • defaults to: False
  • visible = True | False
    • Controls visibility of Submit button.
    • defaults to: True

TimeRangePicker

(extends Splunk.Module) This module creates a drop-down menu that users can use to change the timerange. Timerange values and labels are pulled from the configuration in times.conf.

required params

(none)

optional params

  • default
    • When this is set to one of the time range labels in times.conf, the system sets that time range option when the page loads.
  • label
    • Optional label to display above time range picker
  • searchWhenChanged = True | False
    • Launch search whenever the time range is changed.
    • defaults to: True
  • selected
    • DEPRECATED. use 'default' instead. When both default and selected are specified, selected will be ignored.

ViewRedirector

(extends Splunk.Module) This module takes the context and settings information provided by its ancestors, dispatches the search and redirects the user to see that search in the specified view. When ViewRedirector receives a new context, and onContextChange() is called, it WILL REDIRECT to the specified view.

required params

  • viewTarget
    • Set the view that the module should redirect the user's search to.

optional params

  • dispatchBeforeRedirect = True | False
    • This sets whether to dispatch a search before redirecting. When set to True, the system redirects to a 'sid' url. When set to False the system redirects to a 'q' url and the other view then dispatches the search.
    • defaults to: False
  • popup
    • Set as a boolean to determine whether to launch the view in a popup window, or use the same window. If set to a value besides True/False, we assume True and we pass the literal value as the optional arguments to window.open().
    • defaults to: False
  • sendBaseSID = True | False
    • Toggle whether to send a base search ID.
    • defaults to: False
  • uriParam.*
    • Wildcard parameter setting to allow additional URI GET parameters to be specified on redirect. As of this writing short of custom wiring you might be doing in application.js, 'earliest', 'latest' and 'auto_pause' are the only arguments that will have any effect.
    • defaults to: False

ViewRedirectorLink

(extends ViewRedirector) This module puts a link in the view with the given label. When clicked it will take the context information provided by its ancestors, dispatch the search and redirects the user to see that search in the specified view.

required params

  • viewTarget
    • Set the view that the module should redirect the user's search to.

optional params

  • dispatchBeforeRedirect = True | False
    • This sets whether to dispatch a search before redirecting. When set to True, the system redirects to a 'sid' url. When set to False the system redirects to a 'q' url and the other view then dispatches the search.
    • defaults to: False
  • label
    • In link and button modes, this is the label of the link or button. If it is omitted, the link or button label says 'View results.'
  • popup
    • Set as a boolean to determine whether to launch the view in a popup window, or use the same window. If set to a value besides True/False, we assume True and we pass the literal value as the optional arguments to window.open().
    • defaults to: False
  • sendBaseSID = True | False
    • Toggle whether to send a base search ID.
    • defaults to: False
  • uriParam.*
    • Wildcard parameter setting to allow additional URI GET parameters to be specified on redirect. As of this writing short of custom wiring you might be doing in application.js, 'earliest', 'latest' and 'auto_pause' are the only arguments that will have any effect.
    • defaults to: False

Static

GenericHeader

(extends Splunk.Module) This simple module just displays the configured text as a header element on the page.

required params

  • label
    • this is the text of the header

optional params

(none)

NullModule

(extends Splunk.Module) This is just a null module, used when we need a placeholder. Takes up no space and tries to remain inconspicuous.

required params

(none)

optional params

(none)

StaticContentSample

(extends Splunk.Module) This module displays plain text or HTML in a view. Use ServerSideInclude to embed in-line content such as Javascript or CSS.

required params

(none)

optional params

  • text
    • When present, this simple text string is presented.

Switchers

ButtonSwitcher

(extends TabSwitcher) This is a subclass of AbstractSwitcher, and when configured to have N children (and thus N subtrees of descendant modules), it will display the a button for each child. The button style is determined by a class set on the group name. When the user clicks a different button, the corresponding child and its descendant modules will be shown on screen and all other child modules (and descendants thereof) will be hidden.

required params

  • mode = independent | serializeAll
    • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

  • disableOnNull = True | False
    • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
    • defaults to: False
  • hideChildrenOnLoad = True | False
    • Indicates if child modules are hidden via CSS by default
    • defaults to: False
  • selected
    • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.

ConditionalSwitcher

(extends TabSwitcher) This is a subclass of AbstractSwitcher. When the given condition is true, it will display the first child tree. When false it will display the second child tree.

required params

  • condition
    • this is the expression (written in Javascript, executed by the module), that will determine which child is present.
  • mode = independent | serializeAll
    • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

  • disableOnNull = True | False
    • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
    • defaults to: False
  • hideChildrenOnLoad = True | False
    • Indicates if child modules are hidden via CSS by default
    • defaults to: False
  • requiresDispatch = False | True
    • if True, the module framework will force a search to be kicked off at that point in the view hierarchy, (unless the search has already been dispatched by an upstream module). This determination is normally made automatically but with ConditionSwitchers you often want to make the conditional determination based on a running job.
    • defaults to: False
  • selected
    • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.

LinkSwitcher

(extends TabSwitcher) This is a subclass of AbstractSwitcher, and when configured to have N children (and thus N subtrees of descendant modules), it will display the a link for each child. When the user clicks a different link, the corresponding child and its descendant modules will be shown on screen and all other child modules (and descendants thereof) will be hidden.

required params

  • label
    • This specifies the text that should appear to the left of the links.
  • mode = independent | serializeAll
    • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

  • disableOnNull = True | False
    • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
    • defaults to: False
  • hideChildrenOnLoad = True | False
    • Indicates if child modules are hidden via CSS by default
    • defaults to: False
  • selected
    • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.

PulldownSwitcher

(extends AbstractSwitcher) Creates a pull-down menu populated with results from its children. Shows one set of child modules at a time. Children can be serialized -- they pass results on -- or independent.

required params

  • label
    • This specifies the text that should appear to the left of the pulldown.
  • mode = independent | serializeAll
    • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

  • disableOnNull = True | False
    • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
    • defaults to: False
  • hideChildrenOnLoad = True | False
    • Indicates if child modules are hidden via CSS by default
    • defaults to: False
  • selected
    • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.

ShowHideHeader

(extends AbstractSwitcher) This is a somewhat restrictive switcher class, in that it should only ever have two children, and the second child tree should be either a null module, or in theory some short text like '(click the link above to show formatting options)'

required params

  • label
    • Specify the text that should appear in the header.
  • mode = independent | serializeAll
    • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

  • disableOnNull = True | False
    • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
    • defaults to: False
  • headerType = primary | secondary
    • This sets whether or not the header should be the large or the smaller version. Currently only the two existing styles are possible.
    • defaults to: primary
  • hideChildrenOnLoad = True | False
    • defaults to: False
  • selected
    • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.

TabSwitcher

(extends AbstractSwitcher) This is a subclass of AbstractSwitcher, and when configured to have N children (and thus N subtrees of descendant modules), it will display the 'group' params of those modules in a set of tabs. Like PulldownSwitcher, this module shows only one child at a time. Displays the results of its child modules in a set of tabs. When the user clicks a different tab, the corresponding child and its descendant modules are shown on screen and all other child modules (and descendants thereof) are hidden.

required params

  • mode = independent | serializeAll
    • The mode can be one of two values: 'independent', and 'serializeAll'. Independent is the most common setting. In independent mode, the module's N subtrees are all distinct and independent child branches. SerializeAll mode lets you switch between different aspects of a single shared search or report. In this mode, the last child is not represented in the switcher's options and the last child tree is always visible.

optional params

  • disableOnNull = True | False
    • When this is present, the module is disabled until it is given an explicit search, or when its search is cancelled.
    • defaults to: False
  • hideChildrenOnLoad = True | False
    • Indicates if child modules are hidden via CSS by default
    • defaults to: False
  • selected
    • This specifies the group of the child that is selected when the page loads. (Group name is the group = name attribute set on the parent module.) When absent, the first child module and its ancestor tree are shown initially.
Last modified on 12 August, 2019
Abbreviations   Environment setup

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters