Splunk® Enterprise

Developing Views and Apps for Splunk Web

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Create a custom user interface

You can create a custom Manager page for modular inputs that gives you more flexibility in the content displayed. The custom page overrides the Splunk Manager page your modular input script defines during introspection. See Define a scheme for introspection for details on how introspection defines a Manager page.

Here are the steps for creating a custom Manager page:

  1. Create a manager.xml file that defines the user interface.
  2. Set sharing for your modular input script so others can access the manager pages.
  3. Restart Splunk instance.

Caution: Creating a custom user interface for modular scripts is an advanced topic. You should have familiarity with the Splunk Enterprise framework and be comfortable editing Splunk Enterprise system files. Modifying existing manager pages or creating new ones affects how users interact with the Splunk server through Splunk Web.

Manager XML files

Splunk Enterprise uses manager XML files in the following manager directory to define the contents of pages in Splunk Manager.

$SPLUNK_HOME/etc/apps/<App>/default/data/ui/manager/<ManagerFile>.xml

The manager pages provides a user interface to create, update, and list Splunk Enterprise resources. For modular inputs, you can create a custom interface for the inputs defined in your script.

The names of the files in the manager directory are not important. Splunk Enterprise searches all files in the directory when building the manager pages for Splunk Web.

In your Splunk Enterprise installation, you can access the Manager page implementations for the default Search app:

$SPLUNK_HOME/etc/apps/search/default/data/ui/manager/*.xml

Manager pages for modular input scripts

To define a custom Manager page for a modular input script, place a manager XML file at the following location:

$SPLUNK_HOME/etc/apps/<myApp>/default/data/ui/manager/<ManagerFile>.xml

Name the manager file anything you like. As described above, Splunk Enterprise checks the contents of the manager directory, searching for XML files in the correct format. Use the name of the modular input script in the name of the manager file.

You can study the contents of existing manager files for data inputs to get some ideas for implementing your own. For example, compare:

$SPLUNK_HOME/etc/apps/search/default/data/ui/manager/data_inputs_script.xml

to the page:

Manager > Data inputs > Script > Add new

Caution: Be careful not to make any changes to existing manager files.

Create and edit manager XML files

When creating a manager XML file, make sure you accurately specify references to your modular inputs and create your widgets correctly. Here are some tips to get you started:

  • In the top-level tag, <endpoint name="...">, make sure name correctly points to the path to the modular input endpoint.
  • For the <breadcrumb> tag, make sure you specify the following:
<parent hidecurrent="False">datainputstats</parent>

Also specify the name of your script for the <name> tag.
  • For <element name="..."> tags, name refers to a field defined for your modular inputs in inputs.conf.
  • For individual elements representing widgets, study the modular input examples, and also the data-inputs manager files for the Splunk Search app.


Manager XML file tags

The following table describes the tags available to create a manager XML file. Not all tags are detailed. For examples of available tags, see the manager files for the default Search app, as described previously.

Tag Description
<endpoint name=path to endpoint> Top-level tag. <header>, <breadcrumb>, and <elements> are child tags to <endpoint>.

name = data/inputs/<scriptName>

The name attribute provides the path to the Splunk endpoint for your script. <scriptName> is the name of your modular input script.

The endpoint path to modular input endpoints are always in the form listed above for name.

<header> Required. Child tag to <endpoint>.

The title Splunk Web displays to access the manager page for your modular input.

<breadcrumb> Recommended. Child tag to <endpoint>

Use this tag to specify breadcrumb links to your manager page.

For modular inputs, you typically specify the following:

<parent hidecurrent="False">datainputstats</parent>
<name>Script name</name>
<elements> Required child tag to <endpoint>.
Optional child tag to <element>.

Tag containing the <element> tags. You can nest <elements> within an <element> tag.

<element> Required. Child tag to <elements>.

Defines the user interface elements for the manager page.

<element> can take the following attributes:

name: For modular inputs, corresponds to a field name listed in inputs.conf. Can also take a value beginning with "spl-ctrl_." In this case, the element is not bound to a field name, but instead serves a cosmetic purpose.
type: Defines the widget to display. See below for widgets available.
label: Text field describing the widget.

<element> can take the following child tags:

<view>
<elements>

The <view> tags has additional child tags that define the widgets and accompanying text in the manager page. See the following section, The element tag, for details on child tags to <element> and <view>.

The Element tag

An <element> defines a widget to use in a manager page. You can nest widgets inside other widgets. The widgets available are in the following widgetsdirectory.

$SPLUNK_HOME/share/splunk/search_mrsparkle/templates/admin/widgets/

Specify a name and a type for the <element>.

<element type="checkbox" name="my_checkbox"> [...]

Add <view name="..."> tags to specify the views in which the <element> should be visible.

  • create: This view creates a new instance of the element.
  • edit: This view edits an existing instance of the element
  • list: The element appears in views that list all elements.

For examples, see the data inputs manager files available in the following search app directory.

$SPLUNK_HOME/etc/apps/search/default/data/ui/manager

Manager page example

Here is an example manager XML file for S3.

$SPLUNK_HOME/etc/apps/s3/default/data/ui/manager/s3.xml


<endpoint name="data/inputs/s3">
  <header>Amazon S3</header>
  <breadcrumb>
    <parent hidecurrent="False">datainputstats</parent>
    <name>S3</name>
  </breadcrumb>
  <elements>
    <element name="sourceFields" type="fieldset">
      <key name="legend">Source</key>
      <view name="list"/>
      <view name="edit"/>
      <view name="create"/>
      <elements>
        <element name="name" label="Resource name">
          <view name="list"/>
          <view name="create"/>
        </element>
        <element name="key_id" type="password" label="Key ID">
          <view name="edit"/>
          <view name="create"/>
          <key name="exampleText">Your Amazon key ID. OZRAA</key>
        </element>
        <element name="secret_key" type="password" label="Secret key">
          <view name="edit"/>
          <view name="create"/>
          <key name="exampleText">Your Amazon secret key.</key>
        </element>
      </elements>
    </element>

    <element name="sourcetypeFields" type="fieldset">
      <view name="list"/>
      <view name="edit"/>
      <view name="create"/>
      <elements>
        <element name="spl-ctrl_sourcetypeSelect" type="select" label="Set the source type">
          <onChange>
            <key name="auto">NONE</key>
            <key name="_action">showonly</key>
            <group_set>
              <group name="sourcetype"/>
              <group name="spl-ctrl_from_list"/>
            </group_set>
            <key name="sourcetype">sourcetype</key>
            <key name="spl-ctrl_from_list">spl-ctrl_from_list</key>
          </onChange>
          <options>
            <opt value="auto" label="Automatic"/>
            <opt value="sourcetype" label="Manual"/>
            <opt value="spl-ctrl_from_list" label="From list"/>
          </options>
          <view name="edit"/>
          <view name="create"/>
          <key name="exampleText">When this is set to automatic, Splunk classifies and 
          		assigns the sourcetype automatically, and gives unknown sourcetypes 
          		placeholder names.</key>
          <key name="processValueEdit">[[ e for e in ['sourcetype'] 
                        if form_defaults.get(e) ][0]]</key>
          <key name="processValueAdd">[[ e for e in ['sourcetype'] 
                        if form_defaults.get(e) ][0]]</key>
        </element>
        <element name="sourcetype" type="textfield" label="Source type">
          <view name="list"/>
          <view name="edit"/>
          <view name="create"/>
          <key name="processValueList">_('Automatic') if (value==None or value=='') else value</key>
          <key name="submitValueAdd">value if 
                        form_data.get('spl-ctrl_sourcetypeSelect')=='sourcetype' 
          		else (form_data.get('spl-ctrl_from_list') 
          		if form_data.get('spl-ctrl_sourcetypeSelect')=='spl-ctrl_from_list' 
                        else '')</key>
          <key name="submitValueEdit">value if 
                        form_data.get('spl-ctrl_sourcetypeSelect')=='sourcetype' 
            	        else (form_data.get('spl-ctrl_from_list') 
            	        if form_data.get('spl-ctrl_sourcetypeSelect')=='spl-ctrl_from_list' 
                        else '')</key>
          <key name="labelList">Source type</key>
        </element>
        <element name="spl-ctrl_from_list" type="select" label="Select source type from list">
          <view name="edit"/>
          <view name="create"/>
          <key name="exampleText">Splunk classifies all common data types automatically, 
            	but if you're looking for something specific, you can find more source types 
	    	in the <![CDATA[<a href="../../../apps/remote">Splunk Apps apps browser</a>]]> 
            	or online at <![CDATA[<a href="http://splunkbase.splunk.com/" 
		target="_blank">http://splunkbase.splunk.com</a>]]>.</key>
          <key name="requiredIfVisible" />
          <key name="dynamicOptions" type="dict">
            <key name="prefixOptions" type="list">
              <item type="list">
                <item></item>
                <item>Choose...</item>
              </item>
            </key>
            <key name="keyName">title</key>
            <key name="keyValue">title</key>
            <key name="splunkSource">/saved/sourcetypes</key>
            <key name="splunkSourceParams" type="dict">
              <key name="count">-1</key>
              <key name="search">'pulldown_type=true'</key>
            </key>
          </key>
        </element>
      </elements>
      <key name="legend">Source type</key>
      <key name="helpText">Tell Splunk what kind of data this is so you can group it with 
                        other data of the same type when you search. Splunk does this 
                        automatically, but you can specify what you want if Splunk gets it 
                        wrong.</key>
    </element>

    <element name="spl-ctrl_EnableAdvanced" type="checkbox" 
	     label="More settings" class="spl-mgr-advanced-switch">
      <view name="edit"/>
      <view name="create"/>
      <onChange>
        <key name="_action">showonly</key>
        <key name="0">NONE</key>
        <key name="1">ALL</key>
        <group_set>
          <group name="advanced"/>
        </group_set>
      </onChange>
    </element>
    <element name="advanced" type="fieldset" class="spl-mgr-advanced-options">
      <view name="edit"/>
      <view name="create"/>
      <elements>
        <element name="hostFields" type="fieldset">
          <key name="legend">Host</key>
          <view name="list"/>
          <view name="edit"/>
          <view name="create"/>
          <elements>
            <element name="host" type="textfield" label="Host field value">
              <view name="edit"/>
              <view name="create"/>
            </element>
          </elements>
        </element>  
        <element name="indexField" type="fieldset">
          <key name="legend">Index</key>
          <key name="helpText">Set the destination index for this source.</key>
          <view name="list"/>
          <view name="edit"/>
          <view name="create"/>
          <elements>
            <element name="index" type="select" label="Index">
              <view name="list"/>
              <view name="edit"/>
              <view name="create"/>
              <key name="dynamicOptions" type="dict">
                <key name="keyName">title</key>
                <key name="keyValue">title</key>
                <key name="splunkSource">/data/indexes</key>
                <key name="splunkSourceParams" type="dict">
                  <key name="search">'isInternal=false disabled=false'</key>
                  <key name="count">-1</key>
                </key>
              </key>
            </element>
          </elements>
        </element>
      </elements>
    </element>
    <element name="eai:acl.app" label="App">
      <view name="list"/>
      <key name="processValueList">entity['eai:acl']['app'] or ""</key>
    </element>
    
  </elements>
</endpoint>


Set sharing for your modular input script

You need to share your modular inputs script before Splunk Manager pages are visible to other users. Typically, you share your script so all users can access it.

To share your modular input script, create the following default.meta file:

$SPLUNK_HOME/etc/apps/<myApp>/metadata/default.meta

[]
export = system

Restart Your Splunk Instance

After creating or updating manager pages for modular inputs, and also updating sharing for your modular inputs script, restart your Splunk instance for the changes to take effect.

Last modified on 24 August, 2018
Modular inputs configuration   Developer tools for modular inputs

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters