Module reference

Module reference

For a general description of how to use modules, see the Module Overview.

Here you'll find all the modules you will need to build a view. Modules are organized into functional categories.

You can load dynamic descriptions of all the modules in your Splunk instance by hitting the following URI:

http://localhost:8000/en-US/modules

Note: Replace host and port with your installation specifics.

Nav

There are four basic modules for page layout and general page properties.

AccountBar

The bar at the top of most views, that contains the logo, says logged in as <user>, and contains the logout and admin links.

AppBar

This is the bar second from the top in most views. It contains the top level view categories (by default Dashboards Views Saved Searches), and the auxiliary links section (help | preferences | about)

TitleBar

Control menu/actions menu.

This module is persistent, and contains information such as the name of the dashboard, the name of the view, or the name of the view and associated saved search. The titlebar functions as a place for contextual actions, like saving a new search that has been run after loading a view.

Params

Required

None.

Optional

• showActionsMenu = True | False
  • Specifies whether or not to show the actions menu.
  • Defaults to true.

Messaging

This module can display all messages to the user, or can be configured to display just a certain class of messages. Messages might come from searches, alerts, errors, information about indexing status, etc. Each view should have at least one message module to receives messages from the back-end.

Message

This module can display all messages to the user, or can be configured to display just a certain class of messages. Messages might come from searches, from alerts firing, from misconfiguration on the backend, from information about indexing status etc.

The simplest configuration is a single Message instance with filter set to '*' -- meaning it will display all the messages broadcast. However, you can use multiple Message modules with different 'filter' params displayed in separate layout panels throughout a view.

Messages are passed with a defined class, such as splunk.search.error. So if you have two Message instances, one configured with a filter of '*', and another with a filter of splunk.search, the latter will receive the splunk.search.error events, and the "*" instance will not. However when an unexpected message is passed down with the class of splunk.indexing.warn, the splunk.search instance will not display it but the the '*' instance will.

Params

Required

• filter = string
  • Required.
  • Specify a filter to listen to only certain classes of messages.
  • Leave blank to listen to all the messages broadcast.

• clearOnJobDispatch = True | False
  • Required.
  • Set to True to clear messages whenever a new search is dispatched.

• maxSize = integer
  • Required.
  • Set the number of messages to display before throwing away the oldest ones.

Optional

• default = string
  • Not required.
  • Specify a default message to display.

Example

<module name="Message">
  <param name="filter">*</param>
  <param name="clearOnJobDispatch">False</param>
  <param name="maxSize">1</param>
</module>

Search

Modules for search actions.

Descendant modules pick up information passed along by their parents, so each descendant search module adds its own options to the original search. Refine any search by including child modules that add filters, such as fields or time ranges.

SearchBar

The SearchBar module creates a search bar with cancel and submit buttons.

Params

Required

None.

Optional

• q = search string
  • Specify a default search to prepopulate the search box.

• useAssistant = true | false
  • Indicates whether the search assistant is enabled.

• useTypeahead = true | false
  • Indicates whether typeahead is enabled on index tokens.

Example

<module name="SearchBar">
  <param name="q">host=*</param>
  <param name="autoRun">True</param>

This example prepopulates the search bar and automatically dispatches the search:

host=*

FieldSearch

Restrict searches to a specific field. Use this module to configure a form search with only one form field. To configure form searches with multiple forms, use ExtendedFieldSearch (below).

Params

Required

• field = field
  • Specify a field (such as sourcetype, clientip, or any other valid field) to scope results.

Optional

• q = search string
  • Specify a default search to display upon page load.

• label = string
  • Set alternate text to display next to the input field.
  • If omitted, defaults to the field param.

Example

<module name="FieldSearch">
  <param name="field">sourcetype</param>

ExtendedFieldSearch

Restrict searches to a specific field. Use this module to configure a form search with multiple form fields. To configure form searches with a single field, use FieldSearch (above).

Params

Required

• field = string
  • Specify a field (such as sourcetype, clientip, or any other valid field) to scope results.

Optional

• intention = intention
  • The intention to add to a SearchContext object.

• replacementMap = string
  • A map to the shortest path to values in an intention that should be replaced with the user added value.

• default = string
  • This is the default value that will appear in the text field.

• label = string
  • Set alternate text to display next to the input field. If omitted, defaults to the field param.

Example

 <module name="HiddenSearch">
   <param name="search">sourcetype=$st$</param>
   <module name="ExtendedFieldSearch">
     <param name="intention">
       <param name="name">stringreplace</param>
       <param name="arg">
           <param name="st">
               <param name="default">apache_error</param>
           </param>
       </param>
     </param>
     <param name="replacementMap">
       <param name="arg">
         <param name="st">
             <param name="value"></param>
         </param>
       </param>
     </param>
     <param name="field">Sourcetype</param>
   </module>
 </module>

ViewRedirector

This module takes the context and settings information provided by its ancestors, dispatches the search and redirects the user to see that search in the specified view. When ViewRedirector receives a new context, and onContextChange() is called, it WILL REDIRECT to the specified view.

params

Required

• viewTarget = view
  • Set the view that the module should redirect the user's search to.

Optional

• mode = automatic | link | button
  • In automatic mode there is nothing visible and any context change will trigger redirect. In link and button modes the user must click the module for the redirect to occur.
  • Defaults to automatic.

• label = label
  • In link and button modes, this is the label of the link or button.
  • Defaults to Go.

• popup = true | false
  • Set whether to launch the view in a popup window, or use the same window.
  • Set to any value other than true or false to set window preferences.
  • Defaults to false.

• linkType = sid | permalink
  • Specify whether the link is to a search ID or a permalink.
  • Defaults to sid.

• sendBaseSID = true | false
  • Toggle whether to send a base search ID.
  • Defaults to false.

• dispatchBeforeRedirect = true | false
  • Set whether to dispatch a search before redirecting.
  • Defaults to false.

Example

 
<module name="ViewRedirector">
  <param name="viewTarget">flashtimeline</param>
</module>

ViewRedirectorLink

This module puts a link in the view with the given label. When clicked it will take the context information provided by its ancestors, dispatch the search and redirects the user to see that search in the specified view.

Params

ViewRedirectorLink inherits all the params from ViewRedirector (above).

Required

None.

Optional

• label = link label
  • In link and button modes, this is the label of the link or button.
  • If it is omitted, the link or button label says 'View results.'

HiddenSearch

Runs a search behind the scenes. Passes results on to any children.

Note:

• HiddenSearch is necessary for many of the following modules, such as LinkList, TabSwitcher, etc. Pretty much any module that relies on displaying search results must contain a HiddenSearch as a parent.
• You must set autoRun = true so that the search actually runs.

Params

Required

• search = search string
  • The literal search string HiddenSearch passes on to its children.
  • Note: When constructing your HiddenSearch, time modifiers should be set in earliest and latest, not in the search itself.

Optional

• earliest = time string
  • Used to define a beginning time range. Sets the start point of the time range to search within.
  • Expected if 'latest' is also defined.

• latest = time string
  • Used to define an ending time range. Sets the ending point of the time range to search within.
  • Expected if 'earliest' is also defined.

Note: Read more about configuring valid time strings

Example

<module name="HiddenSearch">
  <param name="searchClass">search</param>
  <param name="searchObject">| metadata type=sources | sort -totalCount</param>

HiddenSavedSearch

Loads results from a saved search, configured in savedsearches.conf. Either runs the saved search upon load or displays results from the last scheduled run of the saved search.

Note: You must schedule your saved search to run

Params

Required

• savedSearch = saved search name
  • The name of the saved search to use when looking up a searches from the saved search's history or when dispatching a new search.

Optional

• useHistory = None | True | False
  • Set whether to dispatch a new saved search, or look for results from a previously dispatched saved search.
  • Set to None uses a previously run scheduled search if one is available. Otherwise it will dispatch a new search and return the results.
  • If useHistory is True, HiddenSavedSearch will only look for previously run scheduled searches. If your search is not scheduled, this will result in an error.
  • If set to False, the module will dispatch a new search based on the saved search regardless of the presence of previously run searches within a saved search's history.
  • Defaults to None.

Example

This example uses a saved search named "All local sources."

<module name="HiddenSavedSearch" autoRun="true">
  <param name="savedSearch">All local sources</param>

HiddenIntention

Adds an intention to any search it receives.

Params

Required

• intention = string
  • Layers an intention on top of the base search (if one exists).

Optional

None.

Example

HiddenFieldPicker

This module implements an invisible control that hardwires which fields the user will see and what order those fields are in. When they are descendants of this module, other modules that display events and summary information will pick up the field list specified here.

Params

Required

• fields = list of fields
  • A space-separated list of the fields that should be displayed with events by default when the page loads.

Optional

None.

Example

<module name="HiddenFieldPicker">
  <param name="fields">clientip host uri</param>

RadioButtonSearch

This module creates a set of radio buttons with submit and cancel buttons.

Note: Requires HiddenSearch as a parent (or ancestor).

Params

Required

• label = string
  • Add a label to display next to the radio buttons.

• options = list
  • A list of two items: text and value.
  • text = the text to display next to the radio button.
  • value = the value that is selected upon clicking the radio button.
  • Optionally add selected to specify which button should be checked upon page load.

Optional

• field = radio button value
  • When present, the module will add key value searchTerms in the form <field>=<radioButtonValue>. When absent, the module will just add <radioButtonValue> to the search.

Example

<module name="RadioButtonSearchField">
  <param name="options">
    <list>
      <param name="selected">true</param>
      <param name="value">save</param>
      <param name="text">Saves</param>
    </list>
    <list>
      <param name="value">edit</param>
      <param name="text">Edits</param>
    </list>
    <list>
      <param name="value">upload</param>
      <param name="text">Uploads</param>
    </list>
    <list>
      <param name="value">view</param>
      <param name="text">Views</param>
    </list>
    <list>
      <param name="value"></param>
      <param name="text">All</param>
    </list>
  </param>
<param name="label">Show only</param>

TimeRangePicker

This module creates a drop-down menu that users can use to change the timerange. Timerange values and labels are pulled from the configuration in times.conf.

Params

Required

None.

Optional

• selected = time range label
  • When set to one of the time range labels in times.conf, this will result in that time range option being set when the page loads.
  • Sticky but not persistable.

Optional

• searchWhenChanged = True | False
  • Launch search whenever the time range is changed.

• label = string

required = False label = Optional label to display above time range picker.

Example

<module name="TimeRangePicker">
  <param name="selected">This month</param>

FieldPicker

This module launches the field picker, a list of all available fields from which a user can select the fields to display. Descendants of this module that display events and summary information will pick up the field list specified or chosen here.

Params

Required

• fields = list of fields
  • A space separated list of the fields to be selected by default when the page loads.
  • Sticky and persistable.

Optional

None.

Example

<module name="FieldPicker">
  <param name="fields">host sourcetype source</param>

Switchers

Switcher modules let you switch between options, such as results displays or other groups of child modules, without switching views. Only one group of child modules is shown at a time. Switcher modules are buttons, pulldown menus, links and tabs.

All switcher modules share these params:

Required

• mode = independent | serializeAll
  • Mode can be one of two values currently, 'independent', and 'serializeAll'. ** independent is the most common setting. In independent mode the N subtrees of the module are all distinct and independent child branches.
  • serializeAll lets you switch between different aspects of a single shared search or report. In this mode the last child is a) not represented in the switcher's options and b) the last child tree is always visible.

Optional

• selected = group name
  • Specifies the group of the child that is to be selected when the page loads. (Group name is the group = name attribute set on the parent module.)
  • When absent, the first child module and its ancestor tree will be shown initially.

PulldownSwitcher

Creates a pull-down menu populated with results from its children. Shows one set of child modules at a time. Children can be serialized -- they pass results on -- or independent.

Params

Default switcher params noted above.

Required

• label = string
  • Specify a text label that should appear to the left of the pull-down.

Example

<module name="PulldownSwitcher">
  <param name="mode">independent</param>
  <param name="selected">Messages per minute last hour</param>
  <param name="label">Show: </param>

TabSwitcher

Like PulldownSwitcher, this module shows only one child at a time. Displays the results of its child modules in a set of tabs. When the user clicks a different tab, the corresponding child and its descendant modules are shown on screen and all other child modules (and descendants thereof) are hidden.

Params

Default switcher params noted above.

Example

<module name="TabSwitcher">
  <param name="mode">independent</param>

ButtonSwitcher

Switches between displays based on clicking an icon. Mainly used for switching between viewing results in events view or table view. The button style is determined by a class set in the params.

When the user clicks a different button, the corresponding child and its descendant modules will be shown on screen and all other child modules (and descendants thereof) will be hidden.

Params

Default switcher params noted above.

LinkSwitcher

When the user clicks a different link, the corresponding child and its descendant modules will be shown on screen and all other child modules (and descendants thereof) will be hidden.

Params

Default switcher params noted above.

Required

• label = string
  • This specifies the text label that should appear to the left of the link.

Example

<module name="LinkSwitcher">
   <param name="mode">serializeAll</param>
   <param name="label">Format options:</param>

Results

To pass a search on as results, format your results modules as children of previous search modules.

GenericHeader

Displays a header. Frequently used in combination with switcher modules (eg TabSwitcher and PulldownSwitcher) to display a label for children modules.

Params

Required

• switcherTitle = string
  • Title to display.
  • Only necessary if this module is the first child of a switcher module (pulldownSwitcher or tabSwitcher).

• label = string
  • Specifies the text label that should appear to the left of the pulldown.

Optional

None.

Example

<module name="GenericHeader">
  <param name="switcherTitle">General Options</param>
  <param name="label">General Options</param>

ResultsHeader

The ResultsHeader module creates a label for your results. Use this module to create headers for other modules (these should be children of the ResultsHeader). This module displays a header, for example 23,420 events. Generally placed above a FlashTimeline or above a set of modules implementing paging controls.

Params

Required

• entityLabel = string
  • Label your units.
  • Generally, can be set to events, or results.
  • However, you can set it to anything. Just make sure it makes sense for your search.

• entityName = events | results | scanned
  • Specify where to get the number to display.

Optional

• prefix = string
  • When present, the value of this key will be displayed before the number displayed.
  • For instance you can set it to 'Found', for the overall display to come out as 'Found 23,420 events'

• link = link to a view
  • When present, presents a link to a view.
  • Upon clicking, passes that view the ' | top <field>' search that would generate the corresponding chart.
  • Values are a dictionary of keys: 'viewTarget', 'label'

This is a dictionary of config values that specifies behavior for a link that the module can show, that sends the user to a different view where this search result will be displayed instead. Contains a 'label' key that is the text of the link, and a 'viewTarget' key that is the view to which the user should be sent. And also a 'popup' key that when True will make the link open a new popup window.

Example

<module name="ResultsHeader">
  <param name="entityName">events</param>
  <param name="prefix">Timeline</param>
  <param name="entityLabel">Events</param>

<module name="ResultsHeader">
  <param name="entityLabel">Events</param>
  <param name="link">
    <param name="popup">True</param>
    <param name="viewTarget">report_wizard</param>
    <param name="label">Report on results</param>
  </param>
  <param name="prefix">Timeline</param>
  <param name="entityName">events</param>

EventsViewer

The EventsViewer module displays events resulting from the search that its ancestor modules combined to specify. This module is very similar to SimpleEventsViewer, and one of these two modules will in the future be folded into the other.

Params

Required

None.

Optional

• negateModifier = shiftKey | altKey | ctrlKey | metaKey
  • Sets the key to hold down on the keyboard that, while clicking, removes a term from the search.
  • Defaults to altKey.

• scrollerEnable = True | False
  • Enables the scroller.

• scrollerMaxHeight = integer
  • When scrollerEnable is True, this controls the scroller maximum pixel height constraint.
  • Defaults to 10000.

• scrollerMinHeight = integer
  • When scrollerEnable is True, this controls the scroller minumum pixel height constraint.
  • Defaults to 0.

• displayRowNumbers = true | false
  • This determines if row numbers are displayed or not.
  • Defaults to true.

Example

<module name="EventsViewer"/>

SingleValue

This module waits for the search to complete and then renders a single field from the first row of the results.

Params

Required

None.

Optional

• label = label
  • Label to display alongside the result count.

• labelPosition = before | after
  • Position the label before or after the displayed field.
  • Defaults to after.

• beforeLabel = label
  • Label to display before the result

• afterLabel = label
  • Label to display after the result

• field = field
  • Field to display.
  • Defaults to first field returned

• additionalClass = css class
  • Optionally add a CSS class to style your button.
  • Style the class in application.css.

• classField = field
  • Adds the value of the classField of the first result as an additional css class to the result container.
  • Pre-defined classes include 'severe', 'elevated', 'low', and 'None' (default).

• linkSearch = search terms
  • Specify a valid complete search to turn the result into a clickable link.

• linkView = view
  • Specify which view to display linkSearch in.
  • Defaults to dashboard.

• linkFields = fields
  • Specify whether to just link the result, or include labels.
  • To link the result and both labels, specify "result,beforeLabel,afterLabel"
  • Defaults to results.

• format = number | decimal | percent | none
  • Specifies the data formatting method to apply to the value.
  • Locale aware.
  • Defaults to none.

SimpleFieldViewer

This module shows the top N values for a given field, along with the number of events that have the given value.

Params

Required

• field = field
  • Specify which field to display the top values for.

• count = integer
  • This is the number of most common values that the module should display.

Optional

• link = link to a view
  • When present, presents a link to a view.
  • Upon clicking, passes that view the ' | top <field>' search that would generate the corresponding chart.
  • Values are a dictionary of keys: 'view', 'label'
  • This dictionary of keys specifies behavior for a link that the module can show, that sends the user to a different view where this search result will be displayed instead. Contains a 'label' key that is the text of the link, and a 'viewTarget' key that is the view to which the user should be sent. And also a 'popup' key that when True will make the link open a new popup window.

Example

<module name="SimpleFieldViewer">
  <param name="count">5</param>
  <param name="field">twikiuser</param>
</module>

MultiFieldViewer

Top x values of multiple fields.

Shows a set of field names, with distinct counts next to them in parentheses. When the user clicks on the field names, a popup layer opens, showing the top 10 values for that field. Clicking then on one of those values will add the proper field=value term and re run the search.

Params

Required

None.

Optional

• label = string
  • Optionally add a label to display next to the field viewer.

• field = field
  • field was a parameter on the parent class, but is not required for this class.

• count = integer
  • This is the number of most common values that the module should display.

• link = link to a view
  • When present, presents a link to a view.
  • Upon clicking, passes that view the ' | top <field>' search that would generate the corresponding chart.
  • Values are a dictionary of keys: 'view', 'label'
    • This is a dictionary of config values that specifies behavior for a link that the module can show, that sends the user to a different view where this search result will be displayed instead. Contains a 'label' key that is the text of the link, and a 'view' key that is the view to which the user should be sent. And also a 'popup' key that when True will make the link open a new popup window.

Example

<module name="MultiFieldViewer">
  <param name="count">10</param>
  <param name="link">
    <param name="view">report_wizard</param>
    <param name="label">Report on this field</param>
  </param>

LinkList

Renders a list of links. Link lists are generally a combination of a primary field (labelField) and a second, descriptive field (valueField). Optionally specify display params.

Note: Requires HiddenSearch as a parent.

Params

Required

• labelField = field
  • Set a field name to display in the link list. Displays the value of the field.

• valueField = field
  • Set a field value to display in the list. This is often a count or numeric value relevant to the "label" portion of the link list.

Optional

• initialSortDir = desc | asc
  • The direction to sort the results based on the initialSort field.
  • Defaults to asc.

• initialSort = a field
  • The field in the result set to sort on when the link list is first rendered.

• labelFieldSearch = search
  • The search string to generate when the user clicks on the label field. Requires labelFieldTarget to be defined to a valid view. The value of the label field is automatically added to the search.

• labelFieldTarget = view
  • The view to target if the label field is setup to generate a clickable link that dispatches a search.

Example

<module name="LinkList">
   <param name="initialSortDir">desc</param>
   <param name="labelFieldSearch">*</param>
   <param name="valueField">totalCount</param>
   <param name="labelField">source</param>
   <param name="labelFieldTarget">searchview</param>
   <param name="initialSort">totalCount</param>

Chart controls

If you want to chart your results, use these modules.

FlashChart

This module contains a Flash object that is capable of charting almost any search results that the Splunk backend can generate.

The FlashChart module displays your results in a chart.

Params

Required

• width = size
  • Specify the width of the module.
  • Can be a percentage or a number of pixels.
  • Typically this is set to "100%" meaning it should fill all available space. ** It can also be set to a number of pixels by using a value like "500px".

• height = size
  • Specify the height of the module.
  • Can be a percentage or a number of pixels.

Optional

• swfFile = path
  • Set a path to a swf.
  • Path must be relative to $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/flash.
  • The swf must conform to a very strict and thus-far undocumented spec that is not for external consumption.
  • Defaults to "charting/bin/charting.swf".

Example

<module name="FlashChart">
  <param name="height">300px</param>
  <param name="width">100%</param>

FlashTimeline

This module contains a Flash object that is capable of displaying a chart of number of events over time. This chart will be updated asynchronously while the search is running.

The FlashTimeline module renders the timeline.

Params

Required

• width = size
  • Specify the width of the module.
  • Can be a percentage or a number of pixels.
  • Typically this is set to "100%" meaning it should fill all available space. ** It can also be set to a number of pixels by using a value like "500px".

• height = size
  • Specify the height of the module.
  • Can be a percentage or a number of pixels.

Optional

• swfFile = path
  • Set a path to a swf.
  • Path must be relative to $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/flash.
  • The swf must conform to a very strict and thus-far undocumented spec that is not for external consumption.
  • Defaults to "charting/bin/timeline.swf".

• statusBuckets = integer
  • default = 300
  • When present, this will override the default of 300. This is the maximum number of time buckets that the backend is allowed to persist while it is running the search. Lower values will result in slightly faster search times, but at a price of displaying less information to the user.

Example

<module name="FlashTimeline">
  <param name="height">180px</param>
  <param name="width">100%</param>

SimpleResultsTable

Waits for the search to complete, and then renders its final results in a tabular format.

Params

Required

None.

Optional

• entityName = events | results | auto
  • This determines whether the viewer should build table row/columns based on events, results or auto detect.
  • Defaults to auto

• displayRowNumbers = true | false
  • If true then row numbers are displayed alongside each row in the table
  • Defaults to on.

• displayMenu = true | false
  • Control whether table cells have a dropdown menu with search suggestions when clicked on.
  • Defaults to false.

• dataOverlayMode = heatmap | highlow | none
  • Indicates the default data overlay mode with values of heatmap, highlow and none.
  • Defaults to none.

Example

<module name="SimpleResultsTable"/>

HiddenChartFormatter

This module contains a pulldown that you can use to change between 'column', 'line', 'area' and various other chart types.

Params

Required

None.

Optional

• chart = area | bar | column | line | pie | scatter
  • This can be used to change the overall type of chart you wish to generate.

• chart.stackMode = default | stacked | stacked100
  • This can be used to make bar and area charts display in 'stacked' mode.

• chart.nullValueMode = connect | gaps | zero
  • This can be used to that control how 'line' and 'area' charts should behave when there are gaps in the data.
  • You can either treat null values as '0', leave an explicit gap, or interpolate between the values.

• secondaryAxis.scale = 'log' | (empty string)
  • This can be used to make the y-axis scale logarithmically or linearly.

• legend.placement = right | bottom | left | top | none
  • This can be used to change where the chart's legend is displayed relative to the chart itself

Example

<module name="HiddenChartFormatter">
  <param name="chart">line</param>
  <param name="chartTitle">CPU performance in the past 24 hours</param>

Page Controls

Special settings for formatting events on the page.

Count

Events per page.

Note: When used in conjunction with a Paginator module, the Paginator should be a descendent of the Count module, not an ancestor.

Params

Required

• options = list
  • A list of two items: text and value; and one optional key selected.
  • Text = the text to display.
  • Value = the number of lines, an integer.
  • Set selected=true for a list item that item becomes the default setting for a view.

Optional

None.

Example

<module name="Count">
  <param name="switcherTitle">As List</param>
  <param name="options">
    <list>
      <param name="text">10</param>
      <param name="value">10</param>
    </list>
    <list>
      <param name="text">20</param>
      <param name="selected">True</param>
      <param name="value">20</param>
    </list>
    <list>
      <param name="text">50</param>
      <param name="value">50</param>
    </list>
  </param>

MaxLines

Max lines per event. Create a drop-down that lets you decide between any specified numbers of max lines.

Params

Required

• options = list
  • A list of two items: text and value; and one optional key selected.
  • Text = the text to display.
  • Value = the number of lines, an integer.
  • Set selected=true for a list item that item becomes the default setting for a view.

Optional

None.

Example

   
<module name="MaxLines">
  <param name="options">
     <list>
        <param name="text">5</param>
        <param name="selected">True</param>
        <param name="value">5</param>
     </list>
     <list>
       <param name="text">10</param>
       <param name="value">10</param>
    </list>
    <list>
      <param name="text">20</param>
      <param name="value">20</param>
    </list>
    <list>
      <param name="text">50</param>
      <param name="value">50</param>
    </list>
    <list>
      <param name="text">100</param>
      <param name="value">100</param>
    </list>
    <list>
      <param name="text">200</param>
      <param name="value">200</param>
    </list>
    <list>
      <param name="text">All</param>
      <param name="value">0</param>
    </list>
  </param>

Paginator

Splits events into separate pages and displays a series of links to page around in your data. It must be configured to page either through the 'events' or the 'results' of your search.

Note: It is a good idea to precede EventsViewer with Paginator -- eg EventsViewer is a child of Paginator -- otherwise only one page of events will be displayed.

Params

Required

• entityName = events | results | settings
  • This determines whether the paginator should build links based on the number of events, the number of final results or a settings map change.
  • While these are often the same, in searches with transforming commands these numbers are generally different.

Optional

• count = integer
  • Defaults to 10.
  • Number of events/results displayed per page.

• maxPages = integer
  • Defaults to 10
  • Max number of pages.

Example

<module name="Paginator">
  <param name="count">100</param>
  <param name="entityName">results</param>
  <param name="switcherTitle">As Table</param>
  <param name="maxPages">10</param>

Segmentation

Set the segmentation type for events.

Params

[param:options] required = True label = This is a list whose items have two required keys, 'text' and 'value'. 'value can be one of raw,inner,outer,full.

Required

• options = list
  • A list of two items: text and value; and one optional key selected.
  • Text = the text to display.
  • Value = the value of segmentation, and can be inner, outer, full or raw.
  • Set selected=true for a list item that item becomes the default segmentation for a view.

Optional

• segmentation = inner | outer | full | raw
  • Sticky and persistable.
  • Indicates the segmentation value to broadcast to modules that are listening.

Example

<module name="Segmentation">
  <param name="options">
    <list>
      <param name="text">inner</param>
      <param name="selected">True</param>
      <param name="value">inner</param>
    </list>
    <list>
      <param name="text">outer</param>
      <param name="value">outer</param>
    </list>
    <list>
      <param name="text">full</param>
      <param name="value">full</param>
    </list>
    <list>
      <param name="text">raw</param>
      <param name="value">raw</param>
    </list>
  </param>

SoftWrap

Display a checkbox to toggle soft-wrapping of events. When off, event text breaks in the page only where there is a linebreak in the actual data, and scrollbars appear as necessary. When on, the event text also breaks at the edge of the window.

Params

Required

None.

Optional

• enable = True | False
  • Determines whether softwrap is on by default.
  • Defaults to True.

Example

<module name="SoftWrap">
  <param name="switcherTitle">As List</param>

Include

Use the following modules to add web resources to your view.

ServerSideInclude

Supports server side includes for custom content. Additionally, the Mako (see: http://www.makotemplates.org/) template language is supported.

Caution: Splunk's CSS is not scoped. If you want to add CSS to your page, make sure you scope your CSS or you will overwrite Splunk's default CSS.

Params

Required

• src = URI
  • Specify a static html file to display.
  • This file must exist within this module's src subdirectory.

Optional

None.

Example

<module name="ServerSideInclude">
  <param name="src">hello_world.html</param>
</module>

IFrameInclude

Set up an inline frame (iframe) to show content from another URL.

Params

Required

• src = URI
  • Specify the IFrame's URL.

Optional

• check_exists = False | True
  • Check to see if the remote or local src exists.
  • Note: Skips local app static files if check_exists is set to True.
  • Defaults to False.

• height = auto | number of pixels
  • The numeric pixel value constraint of your iframe.
  • Remote URI's require the appropriate JavaScript document.domain setting for fluid height to work correctly (see http://msdn.microsoft.com/en-us/library/cc196989(VS.85).aspx and https://developer.mozilla.org/en/DOM/document.domain)
  • Defaults to auto.

Example

<module name="IFrameInclude">
  <param name="src">http://www.google.com</param>
</module>