I am trying to create a view that creates a dynamically populated drop-down list with all the virus names seen in the past 15 minutes. I tested my search query and it returns a tabular list with ThreatName in column 1 and count in column 2. However, when I put this query in my view, I can see "Loading" in my drop-down list, but when it finishes, my list only contains my static value. I have read the doc over and over again and even used the examples, and I've had no luck. Can anyone see what I'm doing wrong here, or is this a known bug?
<module name="SearchSelectLister">
  <param name="savedSearch">sourcetype="Sophos" | fields ThreatName | dedup ThreatName | stats count by ThreatName</param>
  <param name="settingToCreate">series_setting</param>
  <param name="earliest">-15m@m</param>
  <param name="searchWhenChanged">False</param>
  <param name="label">Threat Name</param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">Threat Name</param>
      <param name="value">ThreatName</param>
    </list>
  </param>
  <param name="staticFieldsToDisplay">
    <list>
      <param name="label">MAL/Dorf-F</param>
      <param name="value">MAL/Dorf-F</param>
    </list>
  </param>
</module>
1. The main thing is that the 'savedSearch' param takes a saved search name. Here you're giving it an inline search string, so it's not finding any saved search by that name. So instead you need to use the 'search' param:
<param name="search"> ... your search here ...</param>
(Also note that if 'savedSearch' IS defined, it will ignore any 'earliest' and 'latest' params.)
The UI generally warns you about obvious problems like this, but I guess this is an exception.

2. One other minor thing worth noting is that when you define the value vs. the label in
<param name="label">Threat Name</param>
<param name="value">ThreatName</param>
the assumption is that they are both fields. But it seems unlikely that there's a field literally called "Threat Name" in the events themselves, so that's probably being ignored and might be causing a secondary problem.

I find that it's sometimes easier to construct some things using the Simple XML, then use showsource=1 to convert it to the Advanced XML.
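Putting both points from the answer together, here is the corrected module as an added example (not code from the original poster or the answerer). The inline SPL goes in the 'search' param so that 'earliest' and 'latest' are honoured, and both 'label' and 'value' under 'searchFieldsToDisplay' name the real result field ThreatName. The posted search is also simplified: 'dedup ThreatName' before 'stats count by ThreatName' forces every count to 1, and 'stats count by' already produces one row per distinct value, so the dedup is dropped. The 'layoutPanel' attribute, the 'latest' param and the nested HiddenSearch / ConvertToIntention / SimpleResultsTable chain that consumes series_setting are assumptions added to show the usual downstream pattern; the thread itself only covers the lister.

```xml
<module name="SearchSelectLister" layoutPanel="panel_row1_col1">
  <!-- 'search' takes an inline SPL string. 'savedSearch' would expect the
       name of an existing saved search and would also ignore earliest/latest. -->
  <param name="search">sourcetype="Sophos" | stats count by ThreatName | sort - count</param>
  <param name="earliest">-15m@m</param>
  <param name="latest">now</param>
  <param name="settingToCreate">series_setting</param>
  <param name="searchWhenChanged">False</param>
  <param name="label">Threat Name</param>

  <!-- Both entries are field names from the search results: 'label' is what
       the drop-down shows, 'value' is what gets written to series_setting.
       There is no field called "Threat Name", so use ThreatName for both. -->
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">ThreatName</param>
      <param name="value">ThreatName</param>
    </list>
  </param>

  <!-- Static entries are literals, so a human-readable label is fine here. -->
  <param name="staticFieldsToDisplay">
    <list>
      <param name="label">MAL/Dorf-F</param>
      <param name="value">MAL/Dorf-F</param>
    </list>
  </param>

  <!-- Assumed downstream consumer (not from the thread): substitute the
       selected value into a second search through a stringreplace intention
       and render the result as a table. -->
  <module name="HiddenSearch">
    <param name="search">sourcetype="Sophos" ThreatName="$series_setting$" | timechart count</param>
    <param name="earliest">-15m@m</param>
    <param name="latest">now</param>
    <module name="ConvertToIntention">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="series_setting">
            <param name="value">$series_setting$</param>
          </param>
        </param>
      </param>
      <module name="SimpleResultsTable"></module>
    </module>
  </module>
</module>
```

One check worth doing before wiring this into a view: run the lister's search on its own over the same 15-minute window and confirm the column is named exactly ThreatName; a rename anywhere in the pipeline (or a field that is only extracted at search time under a different sourcetype) will silently leave the drop-down with only its static entries, which is the symptom described in the question.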