Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Dropdown is not populated when using base search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am not sure if I understand how base search is really working as I am having an issue with following code (see below). From what I found base search creates base of the search that you can reuse in other queries to not repeat yourself. I though that in first example query index=_internal | head 100 | stats count by component will run for dropdown but it doesn't., it looks like only index=_internal | head 100 search runs and I have no idea why.
At first I am trying to run it on basic example but I will need to use base search to populate multiple dropdowns.
Can anyone please identify what is wrong with my code?
In this case dropdown is not populated with different component values.
<form>
<label>Energy Consumers Overview</label>
<description>Short summary of top/worst performing energy consumers.</description>
<search id="base_search">
<query>index=_internal | head 100 </query>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time_range_picker">
<label></label>
<default>
<earliest>-4h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="component" searchWhenChanged="false">
<label>Werk</label>
<search base="base_search">
<query>| stats count by component</query>
</search>
<fieldForLabel>component</fieldForLabel>
<fieldForValue>component</fieldForValue>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
</form>
While in this case dropdown is populated with different component values.
<form>
<label>Energy Consumers Overview</label>
<description>Short summary of top/worst performing energy consumers.</description>
<search id="base_search">
<query>index=_internal | head 100 | stats count by component</query>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time_range_picker">
<label></label>
<default>
<earliest>-4h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="component" searchWhenChanged="false">
<label>Werk</label>
<search base="base_search">
<query></query>
</search>
<fieldForLabel>component</fieldForLabel>
<fieldForValue>component</fieldForValue>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@seva98
Take only those fields in your base search which are required in other searches. Like dropdown search I'm suggesting to add | fields component in base search.
index=_internal | head 100 | fields component
If you need other fields just add into search.
And yes I've removed extra pipe from dropdown search.
Can you please try below search??
<form>
<label>Energy Consumers Overview</label>
<description>Short summary of top/worst performing energy consumers.</description>
<search id="base_search">
<query>index=_internal | head 100 | fields component </query>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time_range_picker">
<label></label>
<default>
<earliest>-4h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="component" searchWhenChanged="false">
<label>Werk</label>
<search base="base_search">
<query>stats count by component</query>
</search>
<fieldForLabel>component</fieldForLabel>
<fieldForValue>component</fieldForValue>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
</form>
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@seva98
Take only those fields in your base search which are required in other searches. Like dropdown search I'm suggesting to add | fields component in base search.
index=_internal | head 100 | fields component
If you need other fields just add into search.
And yes I've removed extra pipe from dropdown search.
Can you please try below search??
<form>
<label>Energy Consumers Overview</label>
<description>Short summary of top/worst performing energy consumers.</description>
<search id="base_search">
<query>index=_internal | head 100 | fields component </query>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time_range_picker">
<label></label>
<default>
<earliest>-4h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="component" searchWhenChanged="false">
<label>Werk</label>
<search base="base_search">
<query>stats count by component</query>
</search>
<fieldForLabel>component</fieldForLabel>
<fieldForValue>component</fieldForValue>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
</form>
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked, thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad to help you @seva98
Happy Splunking
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
