sideview_Utils : Can't populate a pulldown dynamically

srw46
Path Finder

I'm sure I'm being a little stupid here but I can't seem to get dynamically generated options on a pulldown. I'm not sure I've understood correctly how this works, but there are only so many times I can reread the example. Could anybody help a noob out?

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">sourcetype="ttm" | stats values(ttm_system_ID) | dedup series | sort series | fields series</param>
  <param name="earliest">-1h</param>
  <param name="latest">now</param>

  <module name="Pulldown">
    <param name="name">selectedSourcetype</param>
    <param name="label">Sourcetype</param>
    <param name="searchFieldsToDisplay">
      <list>
        <param name="label">series</param>
        <param name="value">series</param>
      </list>
    </param>
  </module>
</module>

I'm trying to recover every value for field "ttm_system_id" for every "ttm" sourcetype so that the pulldown options = every system_ID we're logging on TTM.

Can anybody advise me where I'm going wrong? Is piping to stats upsetting things because I can't see another way to pull those values out?

Thank you

1 Solution

sideview
SplunkTrust

You've copied and pasted from an example but then you've only changed one little part of it. Most importantly, you need to understand the search first by running it in the main search UI and making sure it gets what you think it's getting.

The search you're running is:

sourcetype="ttm" | stats values(ttm_system_ID) | dedup series | sort series | fields series

and then you're telling the Pulldown to look for a field called 'series'. Everything from dedup series onward is copied and pasted from an example view, but that field won't be there because the first part of the search isn't creating any fields called series. In fact the stats values(ttm_system_ID) is also not going to be useful to you, because this will just give you a single row with a 'multivalued-field' whose name is 'values(ttm_system_ID)'.

So always start by running your search in the main search UI to get a handle on it. Make sure you understand what each pipe is doing and that it's doing what you need before pasting it into any kind of XML view.

I'm thinking the search you want up there is more like this:

sourcetype="ttm" | dedup ttm_system_ID | sort ttm_system_ID

From there of course you have to configure the Pulldown to look for the 'ttm_system_ID' field instead of the 'series' field. But hopefully now that you see that 'series' is just a field name and not any kind of special keyword, the rest of the config will make more sense.

Here's an attempt to show you the correct config overall:

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
  <param name="search">sourcetype="ttm" | dedup ttm_system_ID | sort ttm_system_ID</param>
  <param name="earliest">-1h</param>
  <param name="latest">now</param>

  <module name="Pulldown">
    <param name="name">ttm_system_ID</param>
    <param name="label">system ID</param>
    <param name="searchFieldsToDisplay">
      <list>
        <param name="label">ttm_system_ID</param>
        <param name="value">ttm_system_ID</param>
      </list>
    </param>
    <!-- downstream modules that use $ttm_system_ID$ go here -->
  </module>
</module>

And then in all the config downstream from the Pulldown, you can refer to the user's selected option as $ttm_system_ID$.
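
The difference between the two searches discussed in the answer above, as an added example that is not part of the original post and is not Splunk or Sideview code. It is a simplified Python model of `stats values()`, `dedup`, `sort` and `fields` run over constructed events; the `SYS-*` IDs and all function names are made up for illustration.

```python
# Simplified model of four SPL commands over constructed events (not Splunk code).
# Assumptions: stats values() emits ONE row holding a multivalue field, and
# dedup drops rows where the named field is missing (keepempty defaults to false).

EVENTS = [  # constructed sample events, all sourcetype="ttm", newest first
    {"sourcetype": "ttm", "ttm_system_ID": "SYS-B"},
    {"sourcetype": "ttm", "ttm_system_ID": "SYS-A"},
    {"sourcetype": "ttm", "ttm_system_ID": "SYS-B"},
    {"sourcetype": "ttm"},  # event with no system ID extracted
    {"sourcetype": "ttm", "ttm_system_ID": "SYS-C"},
]

def stats_values(rows, field):
    # One output row; the field is named after the aggregation, not the input field.
    vals = sorted({r[field] for r in rows if field in r})
    return [{f"values({field})": vals}]

def dedup(rows, field):
    # Keep the first row per distinct value; rows lacking the field are dropped.
    seen, out = set(), []
    for r in rows:
        if field in r and r[field] not in seen:
            seen.add(r[field])
            out.append(r)
    return out

def sort_by(rows, field):
    return sorted(rows, key=lambda r: r.get(field, ""))

def fields(rows, field):
    return [{k: v for k, v in r.items() if k == field} for r in rows]

def pulldown_options(rows, field):
    # A Pulldown reading `field` gets one option per result row that carries it.
    return [r[field] for r in rows if field in r]

def original_search():
    rows = stats_values(EVENTS, "ttm_system_ID")
    return fields(sort_by(dedup(rows, "series"), "series"), "series")

def corrected_search():
    return sort_by(dedup(EVENTS, "ttm_system_ID"), "ttm_system_ID")

if __name__ == "__main__":
    print("original :", pulldown_options(original_search(), "series"))
    print("corrected:", pulldown_options(corrected_search(), "ttm_system_ID"))
```
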


sideview
SplunkTrust

Not at all. There's often a big gap when people first see the Advanced XML, between how they imagine it would work and how it actually works. XML and HTML bring so many preconceived notions and the system compounds the problem by being pretty unintuitive sometimes. Happy to help.

0 Karma

srw46
Path Finder

This has cleared things up for me a lot. Thanks for taking the time to respond to this, which must seem very elementary to you!

0 Karma