Splunk Enterprise Security

Dropdown: Could not create search

snigdhasaxena
Communicator

This is a dependent dropdown. since the token in query,ac_domain has value, customer_name.
index has fields aws_account_id and Account_Name.
Lookup has fields customer_name and aws_account_id.
We want our dropdown to populate values for field Account_Name.
Hence, we used join command.
query:

index=abc* | table aws_account_id Account_Name
|join type=left aws_account_id 
[|inputlookup aws_customer_lookup |fields aws_account_id customer_name ]
|table aws_account_id customer_name Account_Name
| where customer_name=$ac_domain$
| mvexpand Account_Name |dedup Account_Name 
| table Account_Name

Field for label = Account_Name
Field for Value=Account_Name

It shows error as "Could not create search"
alt text

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.