Dashboards & Visualizations

Populate dropdown from searchTemplate

Simon
Contributor

Hi all,

in Splunk 6 SimpleXML dashboards, there is support for a global search template (<searchTemplate />) and postprocessing (<searchPostProcess />) in panels later.
Is it somehow possible to postprocess the searchtemplate to populate a dropdown input?

Thanks,
Simon

gfreitas
Builder

Hi Simon,

I have some dashboards that populate a dropdown, it's like this:

<fieldset>
<input type="dropdown" token="dropdownlabel">
<label>Select:</label>
<populatingSearch fieldForValue="dropdownlabel" fieldForLabel="dropdownlabel">
<![CDATA[sourcetype="src" earliest=-7d | stats count by dropdownlabel]]>
</populatingSearch>
</input>
<input type="time">
<default>Last 7 days</default>
</input>
</fieldset>

You just needs to wait some seconds until the search return the list of dropdown and then select the content.
Hope this helps!

cramasta
Builder

Anyone from Splunk able to comment on this? I would also like to postprocess the search template to populate my values in the dropdown menu.

0 Karma

helenashton
Path Finder

did you ever find an answer to this?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

I believe works only for row elements.

0 Karma

Simon
Contributor

And later of course

Hello,
Thanks I was aware of this option!
I rather was searching for a solution to only have one running search,e.g.

<row>
    <chart>
      <searchPostProcess>search sourcetype="$sourcetype$"|  timechart count by sourcetype
      ...
    </chart>
</row>
0 Karma

Simon
Contributor

Hello,
Thanks I was aware of this option!
I rather was searching for a solution to only have one running search,e.g.

<form>
  <searchTemplate>index=_internal</searchTemplate>
  <fieldset>
    <input type="dropdown" token="sourcetype=" fieldForValue="sourcetype" fieldForLabel="label">
     <searchPostProcess>stats count by sourcetype | eval label=sourcetype." (".count.")"</searchPostProcess>
     <choice value="*">All</choice>
     <default>*</choice>
    </input>
  </fieldset>
</form>
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...