Dashboards & Visualizations

how do i populate a drop down with my search query results using advanced XML

preetigarg
New Member

I need to create a drop down which will contain the results of a search query.

I am using the following code.




index=_audit | stats count AS aa by user


aa
dropdown


aa
aa



full


But the above code shows only "Loading.." message and never populates the drop down.
Please suggest a possible solution.

Tags (1)
0 Karma

sideview
SplunkTrust
SplunkTrust

Like Ayn pointed out, you need the SideviewUtils module in your view. If you go back to the homepage of the Sideview Utils app you'll see it calls out a couple little things you need to know to get started, and that's one of them.

After you put the SideviewUtils module in, you'll still have a few problems and I recommend simply reviewing the docs and examples around the Pulldown module.

One specific problem is that you're using the "aa" field to render both the value and the label of the Pulldown's options, but looking at your search these "aa" values will just be integers, which wont make very meaningful options for the user. I think you probably want to use the 'user' field for both the values and the labels of your Pulldown options.

<module name="Pulldown">
  <param name="name">user</param>
  <param name="label">dropdown</param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">user</param>
      <param name="value">user</param>
    </list>
  </param>

But note that with a relatively recent Sideview Utils you can just use valueField instead of the older and more cumbersome searchFieldsToDisplay param, and since your label is the same you can omit the labelField param and it'll use the value automatically, and that you can use $name$ as a shorthand to avoid repeating the 'user' part.

ie

<module name="Pulldown">
  <param name="name">user</param>
  <param name="label">User</param>
  <param name="valueField">$name$</param>

All this is explained more in the Pulldown documentation.

And last, when you get the Pulldown rendering correctly, you'll want to use its value somehow or it wont do much good =). I suggest using the "template" param to wrap user="" around the selected value, and then using the nicely templated selected user value in a Search module like so:

<module name="Pulldown">
  <param name="name">user</param>
  <param name="label">User</param>
  <param name="valueField">$name$</param>
  <param name="template">$name$="$value$"</param>
  <module name="Search">
    <param name="search">index=_audit $user$</param>
    <module name="EventsViewer" layoutpanel="resultsAreaLeft">
      <param name="segmentation">full</param>
    </module>
  </module>
</module>
0 Karma

Ayn
Legend

Pulldown is a Sideview Utils module, but you're not loading Sideview Utils anywhere in your XML. Refer to the (excellent!) Sideview Utils documentation on how to load it.

sowings
Splunk Employee
Splunk Employee

Note that if you want to do it without SideView you can, but the syntax is a bit different.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...