Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Dropdown is not populated when using base search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am not sure if I understand how base search is really working as I am having an issue with following code (see below). From what I found base search creates base of the search that you can reuse in other queries to not repeat yourself. I though that in first example query index=_internal | head 100 | stats count by component will run for dropdown but it doesn't., it looks like only index=_internal | head 100 search runs and I have no idea why.
At first I am trying to run it on basic example but I will need to use base search to populate multiple dropdowns.
Can anyone please identify what is wrong with my code?
In this case dropdown is not populated with different component values.
<form>
<label>Energy Consumers Overview</label>
<description>Short summary of top/worst performing energy consumers.</description>
<search id="base_search">
<query>index=_internal | head 100 </query>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time_range_picker">
<label></label>
<default>
<earliest>-4h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="component" searchWhenChanged="false">
<label>Werk</label>
<search base="base_search">
<query>| stats count by component</query>
</search>
<fieldForLabel>component</fieldForLabel>
<fieldForValue>component</fieldForValue>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
</form>
While in this case dropdown is populated with different component values.
<form>
<label>Energy Consumers Overview</label>
<description>Short summary of top/worst performing energy consumers.</description>
<search id="base_search">
<query>index=_internal | head 100 | stats count by component</query>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time_range_picker">
<label></label>
<default>
<earliest>-4h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="component" searchWhenChanged="false">
<label>Werk</label>
<search base="base_search">
<query></query>
</search>
<fieldForLabel>component</fieldForLabel>
<fieldForValue>component</fieldForValue>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@seva98
Take only those fields in your base search which are required in other searches. Like dropdown search I'm suggesting to add | fields component in base search.
index=_internal | head 100 | fields component
If you need other fields just add into search.
And yes I've removed extra pipe from dropdown search.
Can you please try below search??
<form>
<label>Energy Consumers Overview</label>
<description>Short summary of top/worst performing energy consumers.</description>
<search id="base_search">
<query>index=_internal | head 100 | fields component </query>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time_range_picker">
<label></label>
<default>
<earliest>-4h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="component" searchWhenChanged="false">
<label>Werk</label>
<search base="base_search">
<query>stats count by component</query>
</search>
<fieldForLabel>component</fieldForLabel>
<fieldForValue>component</fieldForValue>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
</form>
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@seva98
Take only those fields in your base search which are required in other searches. Like dropdown search I'm suggesting to add | fields component in base search.
index=_internal | head 100 | fields component
If you need other fields just add into search.
And yes I've removed extra pipe from dropdown search.
Can you please try below search??
<form>
<label>Energy Consumers Overview</label>
<description>Short summary of top/worst performing energy consumers.</description>
<search id="base_search">
<query>index=_internal | head 100 | fields component </query>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time_range_picker">
<label></label>
<default>
<earliest>-4h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="component" searchWhenChanged="false">
<label>Werk</label>
<search base="base_search">
<query>stats count by component</query>
</search>
<fieldForLabel>component</fieldForLabel>
<fieldForValue>component</fieldForValue>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
</form>
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked, thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad to help you @seva98
Happy Splunking
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
