Splunk Search

Dropdown is not populated when using base search

seva98
Path Finder

Hi,

I am not sure if I understand how base search is really working as I am having an issue with following code (see below). From what I found base search creates base of the search that you can reuse in other queries to not repeat yourself. I though that in first example query index=_internal | head 100 | stats count by component will run for dropdown but it doesn't., it looks like only index=_internal | head 100 search runs and I have no idea why.

At first I am trying to run it on basic example but I will need to use base search to populate multiple dropdowns.

Can anyone please identify what is wrong with my code?

In this case dropdown is not populated with different component values.

<form>
  <label>Energy Consumers Overview</label>
  <description>Short summary of top/worst performing energy consumers.</description>
  <search id="base_search">
    <query>index=_internal | head 100 </query>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time_range_picker">
      <label></label>
      <default>
        <earliest>-4h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="component" searchWhenChanged="false">
      <label>Werk</label>
      <search base="base_search">
        <query>| stats count by component</query>
      </search>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
</form>

While in this case dropdown is populated with different component values.

<form>
  <label>Energy Consumers Overview</label>
  <description>Short summary of top/worst performing energy consumers.</description>
  <search id="base_search">
    <query>index=_internal | head 100 | stats count by component</query>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time_range_picker">
      <label></label>
      <default>
        <earliest>-4h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="component" searchWhenChanged="false">
      <label>Werk</label>
      <search base="base_search">
        <query></query>
      </search>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
</form>
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@seva98

Take only those fields in your base search which are required in other searches. Like dropdown search I'm suggesting to add | fields component in base search.

index=_internal | head 100 | fields component

If you need other fields just add into search.

And yes I've removed extra pipe from dropdown search.

Can you please try below search??

<form>
   <label>Energy Consumers Overview</label>
   <description>Short summary of top/worst performing energy consumers.</description>
   <search id="base_search">
     <query>index=_internal | head 100 | fields component </query>
   </search>
   <fieldset submitButton="false" autoRun="true">
     <input type="time" token="time_range_picker">
       <label></label>
       <default>
         <earliest>-4h</earliest>
         <latest>now</latest>
       </default>
     </input>
     <input type="dropdown" token="component" searchWhenChanged="false">
       <label>Werk</label>
       <search base="base_search">
         <query>stats count by component</query>
       </search>
       <fieldForLabel>component</fieldForLabel>
       <fieldForValue>component</fieldForValue>
       <choice value="*">All</choice>
       <default>*</default>
       <initialValue>*</initialValue>
     </input>
   </fieldset>
 </form>

Thanks

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@seva98

Take only those fields in your base search which are required in other searches. Like dropdown search I'm suggesting to add | fields component in base search.

index=_internal | head 100 | fields component

If you need other fields just add into search.

And yes I've removed extra pipe from dropdown search.

Can you please try below search??

<form>
   <label>Energy Consumers Overview</label>
   <description>Short summary of top/worst performing energy consumers.</description>
   <search id="base_search">
     <query>index=_internal | head 100 | fields component </query>
   </search>
   <fieldset submitButton="false" autoRun="true">
     <input type="time" token="time_range_picker">
       <label></label>
       <default>
         <earliest>-4h</earliest>
         <latest>now</latest>
       </default>
     </input>
     <input type="dropdown" token="component" searchWhenChanged="false">
       <label>Werk</label>
       <search base="base_search">
         <query>stats count by component</query>
       </search>
       <fieldForLabel>component</fieldForLabel>
       <fieldForValue>component</fieldForValue>
       <choice value="*">All</choice>
       <default>*</default>
       <initialValue>*</initialValue>
     </input>
   </fieldset>
 </form>

Thanks

seva98
Path Finder

Worked, thanks!

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Glad to help you @seva98

Happy Splunking

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...