Splunk Search

Assistance with Creating Form Search with Dropdown Referencing Lookup

jodros
Builder

This is my first form search view so I am still learning. I have read a few threads on answers and read up on some documentation about creating form searches in advanced XML. I am still not completely comfortable with "intentions" and other parts. I have tried creating a form search using 1 hidden search and 2 string replace (1 text and 1 dropdown). The dropdown is populating correctly from a lookup, however when I click on the time picker and click search, it gives me the error "PARSER: Applying intentions failed 'unicode' object has no attribute 'get'".

I have read on answers and tried to resolve this error, but I am unable to correct it. Could someone please look over my XML and help me:

  1. See if this is even the best way to accomplish what I want
  2. Help me correct the PARSER error

Thanks in advance

Current XML is below:

<module name="HiddenSearch" layoutPanel="viewHeader">
    <param name="search">
    sourcetype=wineventlog:security Account_Name=$username$ message=$message$ | table _time Account_Name Source_Network_Address message
  </param>
    <module name="ExtendedFieldSearch">
      <param name="replacementMap">
        <param name="arg">
          <param name="username"/>
        </param>
      </param>
      <param name="field">Domain Username</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="username">
            <param name="fillOnEmpty">True</param>
          </param>
        </param>
      </param>
      <module name="SearchSelectLister">
        <param name="staticFieldsToDisplay"/>
        <param name="search">| inputlookup domain_messages</param>
        <param name="label">Domain Event</param>
        <param name="settingToCreate">message_setting</param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="value">message</param>
            <param name="label">message</param>
          </list>
        </param>
        <param name="searchWhenChanged">False</param>
        <module name="ConvertToIntention">
          <param name="settingToConvert">message_setting</param>
          <param name="intention">
            <param name="name">stringreplace</param>
            <param name="arg">
              <param name="message">
                <param name="fillOnEmpty">True</param>
                <param name="suffix"></param>
                <param name="value">$target$</param>
              </param>
            </param>
          </param>
0 Karma
1 Solution

jodros
Builder

Said screw it. Got it working with simple XML.

View solution in original post

0 Karma

jodros
Builder

Said screw it. Got it working with simple XML.

0 Karma

jodros
Builder

Early morning bump. Not even 1 taker?

0 Karma

jodros
Builder

Ok, now I need to know how to disable drilldown in a form with simple XML. Any takers?

0 Karma

jodros
Builder

Early morning bump. Any takers? If not I plan to open a ticket with support and I'll update this thread. Any assistance would be appreciated.

Thanks

0 Karma

jodros
Builder

Listing the dropdown selections in the XML is also an option. I just didn't want to populate the dropdown off of a search, as it takes too long and there are only 5-10 possible selections.

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...