
SearchSelectLister Does Not Populate

New Member

I am trying to create a view that creates a dynamically populated drop-down list with all the virus names in the past 15 minutes. I tested my search query and it has a tabular formatted list of ThreatName in column 1 and count in column 2. However, when I input this query in my view, I can see the "Loading" in my drop-down list, but when it finishes, my list will only contain my static value. I have read the doc over and over again and even used the examples, and I've had no luck. Can anyone see what I'm doing wrong here, or is this a known bug?

<module name="SearchSelectLister">
  <param name="savedSearch">sourcetype="Sophos" | fields ThreatName | dedup ThreatName | stats count by ThreatName</param>
  <param name="settingToCreate">series_setting</param>
  <param name="earliest">-15m@m</param>
  <param name="searchWhenChanged">False</param>
  <param name="label">Threat Name</param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">Threat Name</param>
      <param name="value">ThreatName</param>
    </list>
  </param>
  <param name="staticFieldsToDisplay">
    <list>
      <param name="label">MAL/Dorf-F</param>
      <param name="value">MAL/Dorf-F</param>
    </list>
  </param>
</module>
1 Solution

SplunkTrust

1. The main thing is that the 'savedSearch' param takes a saved search name.
Here you're giving it an inline search string, and it's not finding any saved search by that name.
So instead you need to use the 'search' param.

<param name="search"> ... your search here ...</param>

(also note that if 'savedSearch' IS defined, it will ignore any 'earliest' and 'latest' params)

The UI generally warns you about obvious problems like this but I guess this is an exception.

2. One other minor thing worth noting is that when you define the value vs. the label in

<param name="label">Threat Name</param>
<param name="value">ThreatName</param>

the assumption is that they are both fields. But it seems unlikely that there's a field literally called "Threat Name" in the events themselves so that's probably being ignored and might be causing a secondary problem.

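For reference, here is the module from the question rewritten with both points from the accepted answer applied. This is an added example, not code from the original poster or the answerer; the "All" static entry with value "*", the `latest` param, and the simplified search (dropping the `dedup`, which makes every `count` equal to 1) are my own choices, and the downstream module is assumed to read the selection as `$series_setting$`.

```xml
<!-- Corrected SearchSelectLister (added example; not from the original posts).
     Assumptions: a downstream module reads the choice as $series_setting$,
     and an "All" option with value "*" is wanted alongside the search results. -->
<module name="SearchSelectLister">
  <!-- 'search' takes an inline search string; 'savedSearch' expects the name
       of a saved search, which is why the original module found nothing. -->
  <!-- 'dedup ThreatName' before 'stats count by ThreatName' is redundant
       (every count would be 1), so it is dropped here. -->
  <param name="search">sourcetype="Sophos" | stats count by ThreatName | sort - count</param>
  <!-- earliest/latest are honoured with 'search'; they are ignored when
       'savedSearch' is defined. -->
  <param name="earliest">-15m@m</param>
  <param name="latest">now</param>
  <param name="settingToCreate">series_setting</param>
  <param name="label">Threat Name</param>
  <param name="searchWhenChanged">False</param>
  <!-- Both label and value must be field names present in the search results.
       There is no field literally called "Threat Name", so use ThreatName for both. -->
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">ThreatName</param>
      <param name="value">ThreatName</param>
    </list>
  </param>
  <!-- Static entries appear in addition to the search results. The "*" value is
       an assumption: it only acts as a wildcard if the downstream search uses
       $series_setting$ in a position where "*" is valid (e.g. ThreatName=$series_setting$). -->
  <param name="staticFieldsToDisplay">
    <list>
      <param name="label">All</param>
      <param name="value">*</param>
    </list>
  </param>
</module>
```

If the list still shows only the static entry after this change, run the inline search on its own over the same 15-minute window to confirm that Sophos events with a ThreatName field actually exist in that range.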

Splunk Employee

I find that it's sometimes easier to construct some things using the Simple XML, then use showsource=1 to convert it to the Advanced XML.

