- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mcwomble
Path Finder
12-13-2010
07:39 AM
I have a question regarding the population of dropdowns via saved searches.
The examples in the Splunk documentation show a search similar to the following:
<populatingSearch fieldForValue="suser" fieldForLabel="suser"><!CDATA[sourcetype=p4change | rex "user=(?<suser>\w+)@" | stats count by suser]]></populatingSearch>
However, I am slightly confused (maybe because the search in the examples is quite complex) on how this is carried out in practice.
I wish to populate the dropdown with the contents of the partner field which has up to 200 different values within the indexed data. The string being as follows:
2010/12/13@13:31:22,billstats,partner=XXXX,cde=XX,usd=XX
How would I write the example population string in a way which can parse my indexed data in a way that could populate the dropdown?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ziegfried
Influencer
12-13-2010
09:34 AM
<populatingSearch fieldForValue="partner" fieldForLabel="partner">
sourcetype=your_sourcetype | fields partner | dedup partner
</populatingSearch>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ziegfried
Influencer
12-13-2010
09:34 AM
<populatingSearch fieldForValue="partner" fieldForLabel="partner">
sourcetype=your_sourcetype | fields partner | dedup partner
</populatingSearch>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mcwomble
Path Finder
12-14-2010
04:07 AM
Brilliant! That works a treat
