Splunk Enterprise Security

Dropdown: Could not create search


This is a dependent dropdown. since the token in query,ac_domain has value, customer_name.
index has fields aws_account_id and Account_Name.
Lookup has fields customer_name and aws_account_id.
We want our dropdown to populate values for field Account_Name.
Hence, we used join command.

index=abc* | table aws_account_id Account_Name
|join type=left aws_account_id 
[|inputlookup aws_customer_lookup |fields aws_account_id customer_name ]
|table aws_account_id customer_name Account_Name
| where customer_name=$ac_domain$
| mvexpand Account_Name |dedup Account_Name 
| table Account_Name

Field for label = Account_Name
Field for Value=Account_Name

It shows error as "Could not create search"
alt text

0 Karma
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...