Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to populate dropdown input with ids from search?

vtsguerrero
Contributor
‎07-17-2014 08:11 AM

Can anyone please help me to populate a Dropdown input with the ids from this this search:
index=main sourcetype=mainperfomance ChannelCode="*"
I need to make a table that auto searches registers within the selected channels...

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎07-17-2014 04:27 PM

A quick way would be to populate the drop down from a populatingSearch (below). This example terminates the populating search once 1000 values are retrieved (via the "head 1000" command). 

<form>
  <label>populate_dropdown_from_search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="channel_code">
      <label>Name:</label>
      <populatingSearch fieldForLabel="name" fieldForValue="name">index=main sourcetype=mainperfomance ChannelCode=* | head 1000 | stats count by ChannelCode | fields - count</populatingSearch>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <searchString>index=main sourcetype=mainperfomance ChannelCode=$channel_code$</searchString>
        <earliestTime/>
        <latestTime/>
      </event>
    </panel>
  </row>
</form>

A more robust solution is to define a lookup and then create a scheduled saved search that updates that lookup file. That file is updated by a search similar to the populating search. The lookup can then be used to populate the dropdown box quickly. Using a search that appends the lookup with new values makes the list more robust over time:

index=main sourcetype=mainperfomance ChannelCode=* 
| inputlookup append=t channel_codes
| stats count by ChannelCode
| fields - count
| outputlookup channel_codes

...then you would modify the dashboard to load the results from that looup file:

  <populatingSearch fieldForLabel="name" fieldForValue="name">| inputlookup channel_codes</populatingSearch>

View solution in original post

Reply
Solved! Jump to solution

ThomasControlw1
Explorer
‎05-10-2017 03:54 AM

thanks for this soulution, works perfekt

0 Karma
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎07-17-2014 04:27 PM

A quick way would be to populate the drop down from a populatingSearch (below). This example terminates the populating search once 1000 values are retrieved (via the "head 1000" command). 

<form>
  <label>populate_dropdown_from_search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="channel_code">
      <label>Name:</label>
      <populatingSearch fieldForLabel="name" fieldForValue="name">index=main sourcetype=mainperfomance ChannelCode=* | head 1000 | stats count by ChannelCode | fields - count</populatingSearch>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <searchString>index=main sourcetype=mainperfomance ChannelCode=$channel_code$</searchString>
        <earliestTime/>
        <latestTime/>
      </event>
    </panel>
  </row>
</form>

A more robust solution is to define a lookup and then create a scheduled saved search that updates that lookup file. That file is updated by a search similar to the populating search. The lookup can then be used to populate the dropdown box quickly. Using a search that appends the lookup with new values makes the list more robust over time:

index=main sourcetype=mainperfomance ChannelCode=* 
| inputlookup append=t channel_codes
| stats count by ChannelCode
| fields - count
| outputlookup channel_codes

...then you would modify the dashboard to load the results from that looup file:

  <populatingSearch fieldForLabel="name" fieldForValue="name">| inputlookup channel_codes</populatingSearch>
Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎07-17-2014 04:32 PM

If you're using latest version of Splunk, much of the work (creating the form, adding the dropdown, adding a populating search, etc) can be done via the UI's dashboard editor. Additionally, this app has many great Simple XML dashboard examples: http://apps.splunk.com/app/1603/

Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top