Splunk Search

How to populate dropdown input with ids from search?

vtsguerrero
Contributor

Can anyone please help me to populate a Dropdown input with the ids from this this search:
index=main sourcetype=mainperfomance ChannelCode="*"
I need to make a table that auto searches registers within the selected channels...

Tags (4)
1 Solution

bwooden
Splunk Employee
Splunk Employee

A quick way would be to populate the drop down from a populatingSearch (below). This example terminates the populating search once 1000 values are retrieved (via the "head 1000" command).

<form>
  <label>populate_dropdown_from_search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="channel_code">
      <label>Name:</label>
      <populatingSearch fieldForLabel="name" fieldForValue="name">index=main sourcetype=mainperfomance ChannelCode=* | head 1000 | stats count by ChannelCode | fields - count</populatingSearch>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <searchString>index=main sourcetype=mainperfomance ChannelCode=$channel_code$</searchString>
        <earliestTime/>
        <latestTime/>
      </event>
    </panel>
  </row>
</form>

A more robust solution is to define a lookup and then create a scheduled saved search that updates that lookup file. That file is updated by a search similar to the populating search. The lookup can then be used to populate the dropdown box quickly. Using a search that appends the lookup with new values makes the list more robust over time:

index=main sourcetype=mainperfomance ChannelCode=* 
| inputlookup append=t channel_codes
| stats count by ChannelCode
| fields - count
| outputlookup channel_codes

...then you would modify the dashboard to load the results from that looup file:

  <populatingSearch fieldForLabel="name" fieldForValue="name">| inputlookup channel_codes</populatingSearch>

View solution in original post

ThomasControlw1
Explorer

thanks for this soulution, works perfekt

0 Karma

bwooden
Splunk Employee
Splunk Employee

A quick way would be to populate the drop down from a populatingSearch (below). This example terminates the populating search once 1000 values are retrieved (via the "head 1000" command).

<form>
  <label>populate_dropdown_from_search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="channel_code">
      <label>Name:</label>
      <populatingSearch fieldForLabel="name" fieldForValue="name">index=main sourcetype=mainperfomance ChannelCode=* | head 1000 | stats count by ChannelCode | fields - count</populatingSearch>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <searchString>index=main sourcetype=mainperfomance ChannelCode=$channel_code$</searchString>
        <earliestTime/>
        <latestTime/>
      </event>
    </panel>
  </row>
</form>

A more robust solution is to define a lookup and then create a scheduled saved search that updates that lookup file. That file is updated by a search similar to the populating search. The lookup can then be used to populate the dropdown box quickly. Using a search that appends the lookup with new values makes the list more robust over time:

index=main sourcetype=mainperfomance ChannelCode=* 
| inputlookup append=t channel_codes
| stats count by ChannelCode
| fields - count
| outputlookup channel_codes

...then you would modify the dashboard to load the results from that looup file:

  <populatingSearch fieldForLabel="name" fieldForValue="name">| inputlookup channel_codes</populatingSearch>

bwooden
Splunk Employee
Splunk Employee

If you're using latest version of Splunk, much of the work (creating the form, adding the dropdown, adding a populating search, etc) can be done via the UI's dashboard editor. Additionally, this app has many great Simple XML dashboard examples: http://apps.splunk.com/app/1603/

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...