Dashboards & Visualizations

SearchSelectLister Does Not Populate

novaMark
New Member

I am trying to create a view that creates a dynamically populated drop down list with all the virus names in the past 15 minutes. I tested my search query and it has a tabular formatted list of ThreatName in column1 and count in column2. However, when I input this query in my view though, I can see the Loading in my drop down list, but when it finishes, my list will only contain my static value. I have read the doc over and over again and even used the examples and I've had no luck. Can anyone see what I'm doing wrong here or if this is a known bug?

<module name="SearchSelectLister">
  <param name="savedSearch">sourcetype="Sophos" | fields ThreatName | dedup ThreatName | stats count by ThreatName</param>
  <param name="settingToCreate">series_setting</param>
  <param name="earliest">-15m@m</param>
  <param name="searchWhenChanged">False</param>
  <param name="label">Threat Name</param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">Threat Name</param>
      <param name="value">ThreatName</param>
    </list>
  </param>
  <param name="staticFieldsToDisplay">
    <list>
      <param name="label">MAL/Dorf-F</param>
      <param name="value">MAL/Dorf-F</param>
    </list>
  </param>
</module>
0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

1 The main thing is that the 'savedSearch' param takes a saved search name.
Here you're giving it an inline search string, so it's not finding any saved search by that name.
So instead you need to use the 'search' param.

<param name="search"> ... your search here ...</param>

(also note that if 'savedSearch' IS defined, it will ignore any 'earliest' and 'latest' params)

The UI generally warns you about obvious problems like this but I guess this is an exception.

2 One other minor thing worth noting is that when you define the value vs the label in

<param name="label">Threat Name</param>
<param name="value">ThreatName</param>

the assumption is that they are both fields. But it seems unlikely that there's a field literally called "Threat Name" in the events themselves so that's probably being ignored and might be causing a secondary problem.

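Putting both points of the accepted answer together, this is what the module from the question looks like once the inline query is given under 'search' and both display fields name a field that actually exists in the results. This is an added example, not the original poster's or Sideview's own code; it keeps the poster's search string and static entry unchanged, and the 'latest' param with a value of now is an assumed addition (the answer mentions the param, the question does not set it).

```xml
<!-- Added example: the module from the question, corrected along the lines of the
     accepted answer. Not the poster's code; the 'latest' param is an assumed addition. -->
<module name="SearchSelectLister">
  <!-- 'search' takes an inline query; 'savedSearch' expects the name of a saved search -->
  <param name="search">sourcetype="Sophos" | fields ThreatName | dedup ThreatName | stats count by ThreatName</param>
  <!-- the time range is honored now that 'savedSearch' is no longer set -->
  <param name="earliest">-15m@m</param>
  <param name="latest">now</param>
  <param name="settingToCreate">series_setting</param>
  <param name="searchWhenChanged">False</param>
  <param name="label">Threat Name</param>
  <param name="searchFieldsToDisplay">
    <list>
      <!-- both label and value are field names from the search results,
           so both point at the ThreatName column -->
      <param name="label">ThreatName</param>
      <param name="value">ThreatName</param>
    </list>
  </param>
  <param name="staticFieldsToDisplay">
    <list>
      <param name="label">MAL/Dorf-F</param>
      <param name="value">MAL/Dorf-F</param>
    </list>
  </param>
</module>
```

If the list still shows only the static entry after this change, run the search string on its own over the same 15-minute window and confirm a ThreatName column comes back; the module can only list what the search returns.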

gkanapathy
Splunk Employee
Splunk Employee

I find that it's sometimes easier to construct some things using the Simple XML, then use showsource=1 to convert it to the Advanced XML.

0 Karma

