Bit of a documentation fail--from the manual about form dropdowns:
populatingSearch
A search used to generate fields for the drop-down.
Attributes:
"fieldForValue" : Required. This is the field extracted from the populatingSearch and placed in the value of the generated drop-down option.
"fieldForLabel" : Required. This is the field extracted from the populatingSearch and placed in the label of the generated drop-down.
"earliest" : Optional. Earliest time set in Splunk time format.
"latest" : Optional. Latest time set in Splunk time format.
How do you invoke earliest and latest in this context? I've tried various incantations, but a search which takes < 1 second in the search bar takes more than a minute as a populating search. I think the reason is that it's searching 'All time', but I don't seem to be able to prevent this.
There are no examples anywhere for this specific usage, that I can find anyway. I've used all the ones I have found in other places, but nothing works.
The rest of the search I'm using works fine, just takes too long.
Here is a snippet of a simple XML form search. It is not the complete search form. Let me know if you have trouble - I might have slipped and anonymized it wrong.
<searchTemplate>sourcetype=sendmail mailto="*$email$*" earliest=-7d@d | stats count by date_day, date_wday</searchTemplate>
<fieldset>
  <input type="dropdown" token="email">
    <label>Select an email address</label>
    <choice value="*">Any</choice>
    <populatingSearch fieldForValue="mailto" fieldForLabel="mailto">
      <![CDATA[sourcetype=sendmail earliest=-7d | stats count by mailto]]>
    </populatingSearch>
  </input>
</fieldset>
I think this is a reasonable example. Note that I added "earliest=" to both searches!
Fine and dandy--dropdown populates instantly or thereabouts.
Thanks!