This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6
Every element you see on a page in Splunk Web is a module, from the search bar to the results. Even some elements you don't see -- like searches running in the background to populate results modules -- are modules as well.
Configure views by choosing which modules you want to display, and linking them together. There are a number of modules you can use to configure your views. Use this page to get a general sense for how modules fit in a page. This is a best practice list of module categorization and configuration. For a more thorough list of all modules, see the Module reference, or navigate your browser tohttp://<splunkserver>:<splunkwebport>/modules
When you build a view from sets of modules, you can make either a search view or a dashboard. Search views are made from sets of search modules (see below). Your search is passed through any number of specified modules and results are displayed via one or more of the results modules (see below). Dashboards display results from a variety of different searches, mostly via the results modules. You can add other modules to search and dashboard views, as you see fit.
Modules in a view fit together in a tree structure. So if you're building a search view, search information gets passed from a module to its children. Each child module modifies the search in some way, until the search returns events, or is transformed into results. If you're building a dashboard view, each panel will likely be built from a separate search. You'll have more, but shorter, trees of modules in a dashboard view than a search view.
Some modules take settings called params. For example:
<module name="Message"> <param name="filter">*</param>
Params control module-specific configurations, such as the size of a graph or chart, or the number of events to display per page. Params are noted on the module reference page, or in the module's conf file.
Some params are required, while some are optional. Some params have default settings -- these are noted on the reference page. If a param is required, then you must include the param in that module. If a param is optional, you may include it with the module, but do not need to. If there is a default noted, that is the default value for that param, unless you set it. Params are noted with each module's conf file, in the module's directory in $SPLUNK_HOME/share/splunk/search_mrsparkle/modules.
Specify where your module should appear on the page by setting the layoutPanel attribute on the module tag. For example:
<module name="SearchBar" layoutPanel="mainSearchControls">
Note:
layoutPanel. All other modules in the tree that don't have layoutPanel set inherit it from their parent. As you move through the page, into different layout panels, you must set the layout panel for the first module in that panel.