Thanks in advance .
I am trying to fetch application name and inteface details from input lookup and match with the splunk query .But i am getting below error.
<input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$">
<label>ApplicationName</label>
<choice value="*">All</choice>
<search>
<query>
| inputlookup BankIntegration.csv
| dedup APPLICATION_NAME
| sort APPLICATION_NAME
| table APPLICATION_NAME
</query>
</search>
<fieldForLabel>ApplicationName</fieldForLabel>
<fieldForValue>APPLICATION_NAME</fieldForValue>
<default>*</default>
<prefix>applicationName="</prefix>
<suffix>"</suffix>
</input>
<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$">
<label>InterfaceName</label>
<choice value="*">All</choice>
<search>
<query>
| inputlookup BankIntegration.csv
| search $BankApp$
| sort INTERFACE_NAME
| table INTERFACE_NAME
</query>
</search>
<fieldForLabel>InterfaceName</fieldForLabel>
<fieldForValue>INTERFACE_NAME</fieldForValue>
<default>*</default>
<prefix>InterfaceName="</prefix>
<suffix>"</suffix>
</input>
Try changing the applicationName to APPLICATION_NAME in the prefix
<input type="dropdown" token="BankApp" searchWhenChanged="true">
<label>ApplicationName</label>
<choice value="*">All</choice>
<search>
<query>
| inputlookup BankIntegration.csv
| dedup APPLICATION_NAME
| sort APPLICATION_NAME
| table APPLICATION_NAME
</query>
</search>
<fieldForLabel>ApplicationName</fieldForLabel>
<fieldForValue>APPLICATION_NAME</fieldForValue>
<default>*</default>
<prefix>APPLICATION_NAME="</prefix>
<suffix>"</suffix>
</input>
in the second look up, you are trying to filter with applicationName="" where as the lookup file seems to have APPLICATION_NAME as header
Yes, But its still showing same error
index=mulesoft environment=$env$ applicationName=$BankApp$ InterfaceName=$interface$ (priority="ERROR" OR priority="WARN") | stats values(*) as * by correlationId | rename content.InterfaceName as InterfaceName content.FileList{} as FileList content.Filename as FileName
content.ErrorMsg as ErrorMsg | eval Status=case(priority="ERROR","ERROR",priority="WARN","WARN",priority!="ERROR","SUCCESS") | fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message | where FileList!=" "
Since you already have applicationName=" as your prefix, this line
index=mulesoft environment=$env$ applicationName=$BankApp$ InterfaceName=$interface$
will expand to
index=mulesoft environment=$env$ applicationName=applicationName="*" InterfaceName=InterfaceName="*"
Either remove applicationName= from your prefix or from your search
index=mulesoft environment=$env$ $BankApp$ $interface$
Your fieldForLabel has to be a field returned by the search query, which it isn't in both instances