SearchSelectLister Does Not Populate

novaMark
New Member

I am trying to create a view that creates a dynamically populated drop-down list with all the virus names in the past 15 minutes. I tested my search query and it has a tabular formatted list of ThreatName in column 1 and count in column 2. However, when I input this query in my view, I can see the Loading in my drop-down list, but when it finishes, my list will only contain my static value. I have read the doc over and over again and even used the examples, and I've had no luck. Can anyone see what I'm doing wrong here, or is this a known bug?

<module name="SearchSelectLister">
  <param name="savedSearch">sourcetype="Sophos" | fields ThreatName | dedup ThreatName | stats count by ThreatName</param>
  <param name="settingToCreate">series_setting</param>
  <param name="earliest">-15m@m</param>
  <param name="searchWhenChanged">False</param>
  <param name="label">Threat Name</param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">Threat Name</param>
      <param name="value">ThreatName</param>
    </list>
  </param>
  <param name="staticFieldsToDisplay">
    <list>
      <param name="label">MAL/Dorf-F</param>
      <param name="value">MAL/Dorf-F</param>
    </list>
  </param>
</module>
1 Solution

sideview
SplunkTrust

1. The main thing is that the 'savedSearch' param takes a saved search name.
Here you're giving it an inline search string, so it's not finding any saved search by that name.
So instead you need to use the 'search' param.

<param name="search"> ... your search here ...</param>

(also note that if 'savedSearch' IS defined, it will ignore any 'earliest' and 'latest' params)

The UI generally warns you about obvious problems like this but I guess this is an exception.

2. One other minor thing worth noting is that when you define the value vs. the label in

<param name="label">Threat Name</param>
<param name="value">ThreatName</param>

the assumption is that they are both fields. But it seems unlikely that there's a field literally called "Threat Name" in the events themselves, so that's probably being ignored and might be causing a secondary problem.


gkanapathy
Splunk Employee

I find that it's sometimes easier to construct some things using the Simple XML, then use showsource=1 to convert it to the Advanced XML.
