Splunk® Enterprise

Developing Views and Apps for Splunk Web

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Lister modules

Important notice: The Advanced XML dashboard framework is officially deprecated. For more information, see Advanced XML Deprecation.


Use lister modules to add lists to your dashboards. There are two types of listers:

  • Entity listers Entity listers build lists from REST endpoints. Use entity listers to create lists of users, saved searches or other objects within Splunk Enterprise.
  • Search listers Search listers build lists from searches run in the module. All search listers essentially work the same -- they only differ cosmetically. If prefer to have radio buttons, use SearchRadioLister.

Add chrome and nav

First add the chrome and nav for your view:

<view template="dashboard.html">
  <label>Lister intro</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>
  . . .
</view>

SearchSelectLister

This basic example uses a SearchSelectLister to generate the top ten sourcetypes with the most data indexed in the last hour. When a user clicks on a sourcetype in the list, they are redirected to the timeline view, which runs a search for just the events from that sourcetype over the past two hours.

  . . .
  <module name="HiddenSearch" layoutPanel="panel_row2_col1"
        group="Drilldowns - 1"  autoRun="True">
    <param name="search">*</param>
    <param name="earliest">-2h</param>
    
    <module name="SearchSelectLister">
      <param name="settingToCreate">series_setting</param>
      <param name="search">
        index=_internal metrics 
        NOT source="*web_service.log" NOT source="*access.log" NOT source="*/searches.log"
        NOT source="*intentions.log" NOT source="*splunkd.log" 
        group="per_sourcetype_thruput"
        | chart sum(kb) over series | sort -sum(kb) | head 10 | sort series
      </param>
      <param name="earliest">-1h</param>
      <param name="label">source</param>
      <param name="searchWhenChanged">True</param>
      <param name="searchFieldsToDisplay">
        <list>
          <param name="label">series</param>
          <param name="value">series</param>
        </list>
      </param>
      
      <module name="ConvertToIntention">
        <param name="settingToConvert">series_setting</param>
        <param name="intention">
          <param name="name">addterm</param>
          <param name="arg">
            <param name="index=_internal sourcetype">$target$</param>
          </param>
        </param>
        
        <module name="SubmitButton">
          <param name="label">Search</param>
          
          <module name="ViewRedirector">
            <param name="viewTarget">flashtimeline</param>
          </module>
          
        </module><!-- End SubmitButton -->
      </module><!-- End ConvertToIntention -->
    </module><!-- End SearchSelectLister -->
  </module><!-- End HiddenSearch -->

SearchLinkLister

This example is the same as the previous, except it uses SearchLinkLister instead of SearchSelectLister.

  . . .
  <module name="HiddenSearch" layoutPanel="panel_row2_col2"
          group="Drilldowns - 2" >
    <param name="search">*</param>
    <param name="earliest">-2h</param>
    
    <module name="SearchLinkLister">
      <param name="settingToCreate">series_setting</param>
      <param name="search">
        index=_internal metrics 
        NOT source="*web_service.log" NOT source="*access.log" NOT source="*/searches.log"
        NOT source="*intentions.log" NOT source="*splunkd.log" 
        group="per_sourcetype_thruput"
        | chart sum(kb) over series | sort -sum(kb) | head 10 | sort series
      </param>
      <param name="earliest">-1h</param>
      <param name="searchWhenChanged">True</param>
      <param name="searchFieldsToDisplay">
        <list>
          <param name="label">series</param>
          <param name="value">series</param>
        </list>
      </param>
      
      <module name="ConvertToIntention">
        <param name="settingToConvert">series_setting</param>
        <param name="intention">
          <param name="name">addterm</param>
          <param name="arg">
            <param name="index=_internal sourcetype">$target$</param>
          </param>
        </param>
        
        <module name="ViewRedirector">
          <param name="viewTarget">flashtimeline</param>
        </module>
        
      </module><!-- End ConvertToIntention -->
    </module><!-- End SearchLinkLister -->
  </module><!-- End HiddenSearch -->
  . . .

EntityLinkLister

This example shows how to use an EntityLinkLister module. This module lets you access configurations and knowledge objects from REST endpoints within Splunk Enterprise. The below example returns a list of saved searches that are available (using Splunk's permissions system) to the current Splunk user and app. Clicking on the searches in the list runs the search in the default search (timeline) view.

<view template="dashboard.html">
  <label>Lister intro</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
  
  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>

  <module name="EntityLinkLister" layoutPanel="panel_row1_col1">
    <param name="entityPath">saved/searches</param>
    <param name="settingToCreate">savedSearch</param>

    <param name="entityFieldsToDisplay">
      <list>
        <param name="label">name</param>
        <param name="value">name</param>
      </list>
    </param>

    <module name="HiddenSearch" >
      <param name="search">|savedsearch "$savedSearch$"</param>
    
      <module name="ConvertToIntention">
        <param name="intention">
          <param name="name">stringreplace</param>
            <param name="arg">
              <param name="savedSearch">
                <param name="fillOnEmpty">True</param>
                <param name="value">$savedSearch$</param>
              </param>
            </param>
          </param>
        
          <module name="ViewRedirector">
            <param name="viewTarget">flashtimeline</param>
          </module>
          
      </module> <!-- End ConvertToIntention -->
    </module> <!-- End HiddenSearch -->
  </module> <!-- End EntityLinkLister -->
</view>
Last modified on 13 August, 2019
Switcher modules   Use lookups with a view

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters