Solved: Populating Form Dropdowns via searches

mcwomble · ‎12-13-2010

I have a question regarding the population of dropdowns via saved searches.

The examples in the Splunk documentation show a search similar to the following:

   <populatingSearch fieldForValue="suser" fieldForLabel="suser"><!CDATA[sourcetype=p4change | rex "user=(?<suser>\w+)@" | stats count by suser]]></populatingSearch>

However, I am slightly confused (maybe because the search in the examples is quite complex) on how this is carried out in practice.

I wish to populate the dropdown with the contents of the partner field which has up to 200 different values within the indexed data. The string being as follows:

2010/12/13@13:31:22,billstats,partner=XXXX,cde=XX,usd=XX

How would I write the example population string in a way which can parse my indexed data in a way that could populate the dropdown?

ziegfried · ‎12-13-2010

<populatingSearch fieldForValue="partner" fieldForLabel="partner">
    sourcetype=your_sourcetype | fields partner | dedup partner
</populatingSearch>

View solution in original post

ziegfried · ‎12-13-2010

<populatingSearch fieldForValue="partner" fieldForLabel="partner">
    sourcetype=your_sourcetype | fields partner | dedup partner
</populatingSearch>

mcwomble · ‎12-14-2010

Brilliant! That works a treat

Populating Form Dropdowns via searches

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...