Splunk Search

legacy notation: populating search for populating a tickbox input.

HattrickNZ
Motivator

I have the following bit of code that does a search. The results of that search populate a tickbox input. I wrote it a while ago, but now it is giving me a validation warning: "legacy notation: populating search".

So the issue is populatingSearch. Can anyone tell me a better way of doing this? I presume it has to do with my current Splunk being a newer version than when I wrote this? So I just want to know what the equivalent is on the newer version?

    <input type="checkbox" token="apn" searchWhenChanged="true"> <!-- checkbox dropdown --> 
      <label>Select a APN:</label>
      <default>internet</default>
      <!-- <choice value="*">All</choice> --> 
      <!-- The final value will be surrounded by prefix and suffix -->
      <prefix>(</prefix>
      <suffix>)</suffix>
      <!-- Each value will be surrounded by the valuePrefix and valueSuffix -->
      <valuePrefix>APN="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <!-- All the values and their valuePrefix and valueSuffix will be concatenated together with the delimiter between them -->
      <delimiter> OR </delimiter>
      <populatingSearch fieldForValue="APN" fieldForLabel="APN" earliest="-24h" latest="now">
        <![CDATA[index=X ... | stats  sum(KPI1) as "KPINAME" by APN ]]>
      </populatingSearch>
    </input>

Using Splunk 6.5.0

EDIT1

Just revisiting this.

In the links provided below by X, I can see this example of an input tag being filled using populatingSearch, but it also says that it is deprecated: "Deprecated: Use the <search> element as a child of an input element to dynamically populate choices for a form input."

    <input type="dropdown" token="source_tok" searchWhenChanged="true">
      <label>Select a source type</label>
      <choice value="*">All</choice>
      <populatingSearch earliest="-24h@h" latest="now"
            fieldForLabel="sourcetype" fieldForValue="sourcetype">
               index=_internal | stats count by sourcetype
      </populatingSearch>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <default>*</default>
    </input>

How do I write the above using a search tag as the child of input, as opposed to using populatingSearch?
I was thinking along the lines of something like this, but I have so far not got it working. Can anyone advise?

    <input type="dropdown" token="source_tok2" searchWhenChanged="true">
      <label>Select a source type 2</label>
      <choice value="*">All</choice>
      <search>
        <query>
          index=_internal | stats count by sourcetype
        </query>
      </search>
      <default>*</default>
    </input>
0 Karma

koshyk
Super Champion

Putting an example to make it simpler

  • good practice to put "_tok" in the token name, so it is not confused with field/label names
  • also try to wrap the query in CDATA, just to ensure double quotes and arrow symbols won't cause problems
  • uses "search" rather than the deprecated "populatingSearch" notation
  • and is a working dashboard (to try out)

sample code

    <form>
      <label>REMOVE THIS DASHBOARD ANYTIME</label>
      <description>Some Description</description>
      <fieldset autoRun="false">
        <input type="dropdown" token="sourcetype_tok" searchWhenChanged="false">
          <label>label_name</label>
          <choice value="*">All</choice>
          <selectFirstChoice>true</selectFirstChoice>
          <search>
            <query>
              <![CDATA[index=_internal | stats count by sourcetype
              ]]>
            </query>
            <earliest>$timeSpan.earliest$</earliest>
            <latest>$timeSpan.latest$</latest>
          </search>
          <fieldForLabel>sourcetype</fieldForLabel>
          <fieldForValue>sourcetype</fieldForValue>
        </input>
        <input type="time" token="timeSpan">
          <label>Time Picker</label>
          <default>
            <earliest>-1h</earliest>
            <latest>now</latest>
          </default>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>Event Details</title>
            <search>
              <query>
                <![CDATA[index=_internal sourcetype=$sourcetype_tok$
                | head 1000
                | table _time,index,sourcetype,source,_raw
                ]]>
              </query>
              <earliest>$timeSpan.earliest$</earliest>
              <latest>$timeSpan.latest$</latest>
            </search>
            <option name="count">20</option>
          </table>
        </panel>
      </row>
    </form>
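
The attribute-to-element mapping used in the answer above, applied mechanically to the checkbox input from the question. This is an added example, not code from any poster in the thread or from Splunk; the function names `migrate_populating_search` and `migrate_xml` are hypothetical, and the sample input is a trimmed copy of the question's XML. Parsing drops the CDATA wrapper, so the output relies on standard XML escaping instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the checkbox input from the question, trimmed.
LEGACY_INPUT = """\
<input type="checkbox" token="apn" searchWhenChanged="true">
  <label>Select a APN:</label>
  <valuePrefix>APN="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR </delimiter>
  <populatingSearch fieldForValue="APN" fieldForLabel="APN" earliest="-24h" latest="now">
    <![CDATA[index=X ... | stats sum(KPI1) as "KPINAME" by APN ]]>
  </populatingSearch>
</input>"""


def migrate_populating_search(root):
    """Rewrite each legacy <populatingSearch> below root in place; return the count."""
    converted = 0
    for parent in list(root.iter()):
        for pos, legacy in enumerate(list(parent)):
            if legacy.tag != "populatingSearch":
                continue
            # The query text and the time bounds move into a <search> child.
            search = ET.Element("search")
            ET.SubElement(search, "query").text = (legacy.text or "").strip()
            for bound in ("earliest", "latest"):
                if legacy.get(bound) is not None:
                    ET.SubElement(search, bound).text = legacy.get(bound)
            search.tail = legacy.tail
            parent.remove(legacy)
            parent.insert(pos, search)
            # The field mappings become children of the <input> itself.
            for field in ("fieldForLabel", "fieldForValue"):
                if legacy.get(field) is not None and parent.find(field) is None:
                    ET.SubElement(parent, field).text = legacy.get(field)
            converted += 1
    return converted


def migrate_xml(source):
    """Parse a Simple XML string, migrate it, and return the rewritten XML."""
    root = ET.fromstring(source)
    migrate_populating_search(root)
    if hasattr(ET, "indent"):  # pretty-printing needs Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(migrate_xml(LEGACY_INPUT))
```
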

oumukoro
Engager

I have this same issue with Splunk 7.0 enterprise. Is there a fix for this? I don't know much of XML to fix this

0 Karma

DalJeanis
SplunkTrust

Here's the 6.2 note about the deprecated populating search. According to the new architecture, that element's function is now accomplished by writing a search for a child element.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/PanelreferenceforSimplifiedXML#populatingSearc...

It's on the same page, but here's a direct link for the search element you use instead...

http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/PanelreferenceforSimplifiedXML#Search_element
