Re: Dropdown with eventtypes

dackamen · ‎01-07-2015

Is there a way to create dropdown box where you can select one of all the eventtypes?

I currently have this but it takes long time and resources to collect and display all the eventtypes:

  <input type="dropdown" token="field2">
    <label>Eventtype</label>
    <populatingSearch fieldForValue="eventtype">index=* | stats count by host, eventtype</populatingSearch>
  </input>

Is it possible at all or no?

somesoni2 · ‎01-07-2015

The fastest way to do it is using REST API calls. Try this

 <input type="dropdown" token="field2">
<label>Eventtype</label>
<populatingSearch fieldForValue="eventtype">| rest /services/saved/eventtypes | table title | rename title as eventtype</populatingSearch>
</input>

gabetheISguy · ‎01-07-2015

Yes! It is

Here is a Sample

<input type="dropdown" token="eventtype" searchWhenChanged="false">
<label>Select an Event Type to proceed</label>
<choice value="*">All</choice>
<populatingSearch fieldForLabel="eventtype" fieldForValue="eventtype">
<![CDATA[index="xxxxxxxindex" sourcetype=xxxxxx | stats count by eventtype | dedup eventtype | fields eventtype]]>
</populatingSearch>
<default>*</default>
</input>

Raghav2384 · ‎01-07-2015

Try it without stats and host.

Index =x sourcetype=x|top 25 eventtypes

Raghav2384 · ‎01-07-2015

Try narrowing it down to eventtypes field only

Index= * |fields eventtype|top 25 eventtypes

Keep changing the top x
Thanks,
Raghav

Dropdown with eventtypes

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Dropdown with eventtypes

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR