Re: How to fix the "populating" message bug on a m...

nick405060 · ‎01-06-2020

I have a multiselect populated by query that continues to populate after the populating message disappears, so that you cannot even scroll down in the multiselect because it keeps constantly populating.

      <input type="multiselect" token="logs_onChange" id="multiselect_logs">
        <label>Log(s):</label>
        <choice value="All *">All</choice>
        <search>
          <query>
index=wineventlog earliest=-24h latest=now | dedup EventCode | rex field=source "WinEventLog:(?<logname>.+)" | eval log=logname." ".EventCode | sort 0 log | table log
          </query>
        </search>
        <fieldForLabel>log</fieldForLabel>
        <fieldForValue>log</fieldForValue>
        <delimiter>,</delimiter>
        <default>All *</default>
      </input>

It seems that the populating message is on a timer only, and is lying about the actual populating status. How do I fix this?

7.2.0

niketn · ‎01-12-2020

@nick405060 how many values will you have returned in your Multiselect query? Also how long does it take to execute and return? Would the issue be resolved if you show multi-select is displayed after the query completes populating?

Also for the query performance could you run a scheduled search every hour for past 24 hour (or similar schedule as per your data frequency and use case) and populate results of the scheduled search?

PS: If you have more than 10K results or so, still you would face issues with multiselect scroll not responding very well and it is not the right use case for multiselect as well (ideally Users will never select more than 10-20).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nick405060 · ‎01-13-2020

Less than a thousand, usually less than a hundred. It takes a few seconds before the populating message goes away, and 15-120 seconds for the query to populate depending on what my earliest is. Even with earliest=-15m it takes significantly longer for the query to complete than for the populating message to go away. Yeah, the issue would be workaround-ed if the multiselect did not appear until after the query has completed population (as long as there was some elegant notice being like: "hold on, multiselect currently being populated and will appear when completed").

Scheduled search would fix the problem. That's a workaround for sure. I'll probably implement this workaround unless I get an actual fix of the problem.

jkat54 · ‎01-12-2020

 Shouldn't the default value of the token be "*"instead of "all *"?

I think that's your problem.

nick405060 · ‎01-13-2020

No, I purposefully have it be that string all * so that I can later use the same space-based rex on all the multiselect values (which are usually Security 4634 e.g.)

This should not be the issue here. There is no reason this would affect the timer for the populating message especially when it is successfully completing query.

woodcock · ‎01-08-2020

The only way to solve this is to have an additional Pre-filter text input that sets something like $server_name_filter$ that you use this to filter the data going to the existing control by adding this to the end of its populating search:

... | regex value="$server_name_filter$"

This will drastically reduce the number of values going into the existing control. The problem isn't so much that it doesn't finish quickly; it is that the list is so long at the end that the control is pretty much unusable. This solves both problems.

Here is some sample XML:

<form>
  <label>Prefilter Demo Dashboard</label>
  <fieldset autorun="false" submitButton="true">
    </input>
    <input type="text" token="server_name_filter" searchWhenChanged="false">
      <label>RegEx filter for Server Dropdown --&gt;</label>
      <default>.</default>
    </input>
    <input type="dropdown" token="server_name" searchWhenChanged="false">
      <label>(&lt;-- filtered) Server Selector:</label>
      <default>*</default>
      <choice value="*">All</choice>
      <fieldForLabel>server_name</fieldForLabel>
      <fieldForValue>server_name</fieldForValue>
      <search>
        <query>| inputcsv servernamelist.csv | regex server_name="(?i)$server_name_filter$" | table server_name</query>
        <earliest>-1s</earliest>
        <latest>now</latest>
      </search>
    </input>

nick405060 · ‎01-09-2020

Could you explain this a bit further? I added | regex log="$populate_correctly$" to the end of the query detailed in the question, where $populate_correctly$ comes from

  <input type="text" token="populate_correctly">
    <label>test:</label>
    <default>[\s\S]*</default>
  </input>

No luck, same issue. I also tried generating $populate_correctly$ just using an ad-hoc search, makeresults, and <done>. What am I doing wrong?

woodcock · ‎01-12-2020

See my updated answer with actual XML.

nick405060 · ‎01-13-2020

Unfortunately this doesn't work for me. It may be because I'm using a JS submit button and no fieldset 😕

mhoogcarspel_sp · ‎01-07-2020

Can't repro this with my data and 8.0.1 standalone, but can I suggest stats instead of dedup, with something like this:

index=_internal earliest=-24h latest=now 
| stats count BY component source 
| eval log=component." ".source 
| sort 0 log
| table log

nick405060 · ‎01-07-2020

Same problem with this solution

How to fix the "populating" message bug on a multiselect populated by search?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms