Drop down with Saved Search does not respond to time token change and Submit button present

altink
Builder

Dear All

I have a Drop Down (named Database) which loads its list of options dynamically via a search initially started in a saved search, saved at the top of the form. The form also has a time token input and a Submit button. The saved search is bound to the time token (see code below).
The problem is that when I change the time in the time token, the Drop-Down list of values is not refreshed.

Please see the code below, start of the form to Submit button:

<form>
  <label>Scan Compare 001</label>

  <!-- This limits events passed to post-process search -->
  <search id="vln_base">
    <query>
      `mc_vln`
    </query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>

  <search id="vln_cmp">
    <query>`mc_comp($field_scan_run_id$,$field_scan_bs_id$)`</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>

  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="field1" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>

    <input type="dropdown" token="field_db_name" searchWhenChanged="true">
      <label>Database</label>
      <fieldForLabel>DB_NAME</fieldForLabel>
      <fieldForValue>DB_NAME</fieldForValue>
      <search base="vln_base">
        <query>DEDUP DB_NAME | FIELDS DB_NAME</query>
      </search>
      <change>
        <set token="db_name_no_quotes">$value$</set>
      </change>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="field_scan_run_id" searchWhenChanged="false">
      <label>Scan Id Run</label>
      <search base="vln_base">
        <query>search DB_NAME=$field_db_name$
| stats 
earliest(_time) as SCAN_DT_START
by DB_NAME SCAN_ID
| sort - SCAN_DT_START</query>
      </search>
      <fieldForLabel>SCAN_ID</fieldForLabel>
      <fieldForValue>SCAN_ID</fieldForValue>
      <change>
        <set token="scan_run_id_no_quotes">$value$</set>
      </change>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="field_scan_bs_id" searchWhenChanged="false">
      <label>Scan Id Baseline</label>
      <fieldForLabel>SCAN_ID</fieldForLabel>
      <fieldForValue>SCAN_ID</fieldForValue>
      <change>
        <set token="scan_bs_id_no_quotes">$value$</set>
      </change>
      <search base="vln_base">
        <query>
          <![CDATA[          
          search DB_NAME=$field_db_name$
| stats 
earliest(_time) as SCAN_DT_START
by DB_NAME SCAN_ID 
| sort - SCAN_DT_START 
]]>
        </query>
      </search>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="field_cmp_code" searchWhenChanged="true">
      <label>Comparison</label>
      <showClearButton>false</showClearButton>
      <choice value="ALL_NO_FIELD_ALL">ALL</choice>
      <choice value="Unchanged">Changes Only</choice>
      <selectFirstChoice>true</selectFirstChoice>
    </input>
  </fieldset>
  <row>

.......................................................................................................

If I renounce using a saved search in the Database drop down, and use a direct search (see code below)

<input type="dropdown" token="field_db_name" searchWhenChanged="true">
      <label>Database</label>
      <fieldForLabel>DB_NAME</fieldForLabel>
      <fieldForValue>DB_NAME</fieldForValue>
      <search base="vln_base">
        <query>DEDUP DB_NAME | FIELDS DB_NAME</query>
      </search>
      <change>
        <set token="db_name_no_quotes">$value$</set>
      </change>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>

replaced with

<input type="dropdown" token="field_db_name" searchWhenChanged="true">
      <label>Database</label>
      <fieldForLabel>DB_NAME</fieldForLabel>
      <fieldForValue>DB_NAME</fieldForValue>
      <search>
        <query>index=omega_ds | DEDUP DB_NAME | FIELDS DB_NAME</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <change>
        <set token="db_name_no_quotes">$value$</set>
      </change>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>

then the Database Drop Down starts responding to changes in the token; it reloads the options list each time the time is changed.

Back to the problematic case with the saved search: I can have the Database Drop Down reloaded by pressing the Submit button. But I need to have it respond to the Time Picker (token); the Submit button is needed for later (in form) dashboards.

My questions:
Q1. Why does using a direct search vs. a saved search for the options list make a difference here?
Q2. How can I fix this problem while still using the saved search in the Drop-Down?

best regards,
Altin

at your disposal for further info/query

0 Karma

altink
Builder

Resolved by enabling Search on Change on the Time component:

<input type="time" token="field1" searchWhenChanged="true">
0 Karma
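A small check for the pattern in this thread, added here as an example and not part of the original posts: it parses a Simple XML form and reports inputs whose base search is bounded by a time token that only updates on Submit. The function name `stale_inputs`, the trimmed sample form, and treating a missing `searchWhenChanged` attribute as "false" are assumptions of this sketch.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed version of the form posted in the question.
SAMPLE = """<form>
  <search id="vln_base">
    <query>`mc_vln`</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="field1" searchWhenChanged="false"/>
    <input type="dropdown" token="field_db_name" searchWhenChanged="true">
      <search base="vln_base"><query>DEDUP DB_NAME | FIELDS DB_NAME</query></search>
    </input>
  </fieldset>
</form>"""

# Matches $tok$, $tok.earliest$ and $tok.latest$, capturing the token name.
TOKEN = re.compile(r"\$([A-Za-z0-9_]+)(?:\.(?:earliest|latest))?\$")

def stale_inputs(xml_text):
    """Return (input_token, base_search_id, time_token) for each input whose
    base search is bounded by a time input that does not search on change."""
    root = ET.fromstring(xml_text)
    fieldset = root.find("fieldset")
    if fieldset is None or fieldset.get("submitButton", "false").lower() != "true":
        return []
    # Time inputs whose change is held back until Submit is pressed.
    # Assumption: a missing searchWhenChanged attribute is treated as "false".
    deferred = {i.get("token") for i in fieldset.findall("input")
                if i.get("type") == "time"
                and i.get("searchWhenChanged", "false").lower() != "true"}
    # Map each top-level search id to the tokens used in its time bounds.
    bounds = {}
    for s in root.findall("search"):
        text = (s.findtext("earliest") or "") + (s.findtext("latest") or "")
        bounds[s.get("id")] = set(TOKEN.findall(text))
    findings = []
    for i in fieldset.findall("input"):
        s = i.find("search")
        base = s.get("base") if s is not None else None
        if base is None:
            continue  # inline searches carry their own time bounds
        for tok in sorted(bounds.get(base, set()) & deferred):
            findings.append((i.get("token"), base, tok))
    return findings

if __name__ == "__main__":
    for inp, base, tok in stale_inputs(SAMPLE):
        print(f"input {inp}: base search {base} waits on Submit for ${tok}$")
```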