Hi,
I tried to use post search to populate list options:
<search id="baseSearch">
<query>
<![CDATA[index=application host="myhost*" status<400| rex field=uri "\/(?<deptcode>[^\/]+)\/"
]]>
</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<fieldset submitButton="false">
<input type="time" token="field2">
<label></label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="d_name" searchWhenChanged="true">
<label>Select a department</label>
<choice value="*">All</choice>
<search base="baseSearch">
<query>
stats count by deptcode
</query>
</search>
<fieldForLabel>deptcode</fieldForLabel>
<fieldForValue>deptcode</fieldForValue>
</input>
</fieldset>
However, using single search works as expected:
<input type="dropdown" token="d_name" searchWhenChanged="true">
<label>Select a department</label>
<choice value="*">All</choice>
<search>
<query>
<![CDATA[index=application host="myhost*" status<400| rex field=uri "\/(?<deptcode>[^\/]+)\/" | stats count by deptcode
]]>
</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<fieldForLabel>deptcode</fieldForLabel>
<fieldForValue>deptcode</fieldForValue>
</input>
Post search in panels in the same form is also not working. Would anyone please help?
Sorry for the newbie question.
Thanks a lot.
Regards,
/ST Wong
Try specifying the field explicitly in the base search and/or in the sub search, i.e., after your base search try adding
<your search> | fields deptcode, <other fields>
Thanks. The drop-down list works after appending "fields" to the base search. May I know the reason behind it?
However, post search in panels is still not working (just "waiting for data"), e.g.
<panel>
<title>Time distribution of browser for department $d_name$</title>
<chart>
<search base="baseSearch">
<query>
search deptcode=$d_name$ | rename useragent as http_user_agent | lookup user_agents http_user_agent | timechart count by ua_family usenull=f useother=f
</query>
</search>
</chart>
</panel>
Again, using full search instead of base+post search works before. Would you help again?
Thanks a lot.
See the details of search mode here: http://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Changethesearchmode
The user field extraction might not take effect when it runs in smart/fast mode.
For your second issue, try the same trick by adding fields at the end of drop down search
i.e.:
stats count by deptcode|fields deptcode
If it's not working, click on the search icon on the panel (below) and see what's the final search it's running. From there you will be able to identify
Got it. Passing more fields in base search makes post search work; however, the time range earliest and latest nodes specified in base search can't be passed to post searches. I also can't specify <earliest> or <latest> nodes in post search (gives unknown node error if I specify them in post search). Probably something else is missed in my code...
Sorry that I accidentally added token="xxx" in time picker instead of using default time_tok. It works after removing the token field.
Some post-process searches can only use default time_tok, right?
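The fixes from this thread combined into one form, as an added example that is not from any of the posters. The `<form>` and `<row>` wrappers, the dashboard label, and listing `_time` and `useragent` in the `fields` command are assumptions; everything else is taken from the posts above.

```xml
<form>
  <label>Department browser usage (constructed example)</label>
  <!-- Non-transforming base search: list every field the post-process searches use -->
  <search id="baseSearch">
    <query>
      <![CDATA[index=application host="myhost*" status<400
      | rex field=uri "\/(?<deptcode>[^\/]+)\/"
      | fields _time, deptcode, useragent]]>
    </query>
    <!-- $earliest$ and $latest$ are set by a time input that has no token attribute -->
    <earliest>$earliest$</earliest>
    <latest>$latest$</latest>
  </search>
  <fieldset submitButton="false">
    <!-- No token here. With token="field2" the base search would have to
         reference $field2.earliest$ and $field2.latest$ instead. -->
    <input type="time">
      <label></label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="d_name" searchWhenChanged="true">
      <label>Select a department</label>
      <choice value="*">All</choice>
      <!-- Post-process search: no <earliest>/<latest>, the base search's range applies -->
      <search base="baseSearch">
        <query>stats count by deptcode</query>
      </search>
      <fieldForLabel>deptcode</fieldForLabel>
      <fieldForValue>deptcode</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Time distribution of browser for department $d_name$</title>
      <chart>
        <search base="baseSearch">
          <query>search deptcode=$d_name$ | rename useragent as http_user_agent | lookup user_agents http_user_agent | timechart count by ua_family usenull=f useother=f</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```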