Solved: Re: How to dynamically load the column names of se...

Taruchit · ‎07-26-2022

Hi All,

I need your help to get list of all field names in a dropdown filter from SPL results at runtime.

Description: -

I have a SPL in panel section of the dashboard.
I need to get the column names of the results dynamically loaded to a dropdown list in the same dashboard.

I tried searching over about it and found a similar post below: -

https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-dropdown-search-on-columns...

However, it tells about using a tag <populatingSearch>.

When I use the above tag, I get a warning: -
Legacy notation: populatingSearch.

Thus, I need your help to build the same.

Thank you.

VatsalJagani · ‎07-26-2022

@Taruchit - Use new notation, use updated simple XML notation.

     <input type="dropdown" token="searchColumn">
         <label>Select a column to search</label>
        <populatingSearch fieldForValue="fieldName" fieldForLabel="fieldName">
              <![CDATA[yourDBconnectsearchhere | fieldsummary maxvals=1 | rename field as fieldName | fields fieldName]>
       </populatingSearch>
     </input>

should be

     <input type="dropdown" token="searchColumn">
         <label>Select a column to search</label>
        <fieldForLabel>fieldName</fieldForLabel>
        <fieldForValue>fieldName</fieldForValue>
        <search>
          <query>yourDBconnectsearchhere | fieldsummary maxvals=1 | rename field as fieldName | fields fieldName</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </input>

Reference for Simple XML - https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Viz/PanelreferenceforSimplifiedXML

I hope this helps!!!

View solution in original post

VatsalJagani · ‎07-26-2022

@Taruchit - Use new notation, use updated simple XML notation.

     <input type="dropdown" token="searchColumn">
         <label>Select a column to search</label>
        <populatingSearch fieldForValue="fieldName" fieldForLabel="fieldName">
              <![CDATA[yourDBconnectsearchhere | fieldsummary maxvals=1 | rename field as fieldName | fields fieldName]>
       </populatingSearch>
     </input>

should be

     <input type="dropdown" token="searchColumn">
         <label>Select a column to search</label>
        <fieldForLabel>fieldName</fieldForLabel>
        <fieldForValue>fieldName</fieldForValue>
        <search>
          <query>yourDBconnectsearchhere | fieldsummary maxvals=1 | rename field as fieldName | fields fieldName</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </input>

Reference for Simple XML - https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Viz/PanelreferenceforSimplifiedXML

I hope this helps!!!

Taruchit · ‎07-27-2022

Thank you @VatsalJagani for your help and inputs.

Taruchit · ‎07-27-2022

Sharing my code for future reference: -

<row>
<panel>
<title>Dropdown to fetch column names</title>
<input type="dropdown" token="searchColumn_Tok">
<label>Select a column to search</label>
<fieldForLabel>fieldName</fieldForLabel>
<fieldForValue>fieldName</fieldForValue>
<search>
<query>|loadjob savedsearch="baseSearch"|fieldsummary maxvals=1 |rename field as fieldName | fields fieldName</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</default>index</default>
</input>
<input type="text" token="value_Tok">
<label>Enter the value for the column</label>
</default>*</default>
</input>
</panel>
</row>
<row>
<panel>
<title></title>
<table>
<search>
<query>|loadjob savedsearch="baseSearch"|search $searchColumn_Tok$="$value_Tok$"
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
</table>
</panel>
</row>

One challenge I faced was to define the default field in the dropdown. Here, I selected index because I knew it will be present in all my search query results. But, to make it more dynamic and general for all possible usecases, @VatsalJagani can you please suggest how we can select one of the fields as default field at runtime.

Thank you

VatsalJagani · ‎07-27-2022

@Taruchit - You can use the below option under <input> to select whatever is the first result as the default value.

<selectFirstChoice>true</selectFirstChoice>

I hope this helps!! Upvote if it does!!!

Taruchit · ‎07-27-2022

Thank you for your prompt response. The code worked successfully.

Taruchit · ‎07-26-2022

Thank you @VatsalJagani for sharing your inputs.

I saved my base search in a report and tried to fetch the column names by using part of your code as below: -

|loadjob savedsearch="baseSearch"|fieldsummary maxvals=1 |rename field as fieldName |fields fieldName

I am getting list of all fields except for "_time".

Can you please suggest the changes needed in the above to get the required field?

Thank you

VatsalJagani · ‎07-26-2022

@Taruchit - You are filtering the fields with the fields command

|fields fieldName

Make sure you have _time field in the list in order to populate it.

Taruchit · ‎07-27-2022

Thank you for sharing your inputs.

In my base search, I use

max(_indextime) AS _time

And it does not gets displayed under the list of fields.

However, when I change the base search to

max(_indextime) AS MaxTime

I see the field gets displayed under list of fields and in the dropdown menu.

VatsalJagani · ‎07-27-2022

I've never encountered it before, but yeah no harm in renaming it before using it.

How to dynamically load the column names of search results in dropdown list?

panel

simple XML

token

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?