Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to populate dropdown input with ids from search?

vtsguerrero
Contributor
‎07-17-2014 08:11 AM

Can anyone please help me to populate a Dropdown input with the ids from this this search:
index=main sourcetype=mainperfomance ChannelCode="*"
I need to make a table that auto searches registers within the selected channels...

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎07-17-2014 04:27 PM

A quick way would be to populate the drop down from a populatingSearch (below). This example terminates the populating search once 1000 values are retrieved (via the "head 1000" command). 

<form>
  <label>populate_dropdown_from_search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="channel_code">
      <label>Name:</label>
      <populatingSearch fieldForLabel="name" fieldForValue="name">index=main sourcetype=mainperfomance ChannelCode=* | head 1000 | stats count by ChannelCode | fields - count</populatingSearch>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <searchString>index=main sourcetype=mainperfomance ChannelCode=$channel_code$</searchString>
        <earliestTime/>
        <latestTime/>
      </event>
    </panel>
  </row>
</form>

A more robust solution is to define a lookup and then create a scheduled saved search that updates that lookup file. That file is updated by a search similar to the populating search. The lookup can then be used to populate the dropdown box quickly. Using a search that appends the lookup with new values makes the list more robust over time:

index=main sourcetype=mainperfomance ChannelCode=* 
| inputlookup append=t channel_codes
| stats count by ChannelCode
| fields - count
| outputlookup channel_codes

...then you would modify the dashboard to load the results from that looup file:

  <populatingSearch fieldForLabel="name" fieldForValue="name">| inputlookup channel_codes</populatingSearch>

View solution in original post

Reply
Solved! Jump to solution

ThomasControlw1
Explorer
‎05-10-2017 03:54 AM

thanks for this soulution, works perfekt

0 Karma
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎07-17-2014 04:27 PM

A quick way would be to populate the drop down from a populatingSearch (below). This example terminates the populating search once 1000 values are retrieved (via the "head 1000" command). 

<form>
  <label>populate_dropdown_from_search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="channel_code">
      <label>Name:</label>
      <populatingSearch fieldForLabel="name" fieldForValue="name">index=main sourcetype=mainperfomance ChannelCode=* | head 1000 | stats count by ChannelCode | fields - count</populatingSearch>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <searchString>index=main sourcetype=mainperfomance ChannelCode=$channel_code$</searchString>
        <earliestTime/>
        <latestTime/>
      </event>
    </panel>
  </row>
</form>

A more robust solution is to define a lookup and then create a scheduled saved search that updates that lookup file. That file is updated by a search similar to the populating search. The lookup can then be used to populate the dropdown box quickly. Using a search that appends the lookup with new values makes the list more robust over time:

index=main sourcetype=mainperfomance ChannelCode=* 
| inputlookup append=t channel_codes
| stats count by ChannelCode
| fields - count
| outputlookup channel_codes

...then you would modify the dashboard to load the results from that looup file:

  <populatingSearch fieldForLabel="name" fieldForValue="name">| inputlookup channel_codes</populatingSearch>
Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎07-17-2014 04:32 PM

If you're using latest version of Splunk, much of the work (creating the form, adding the dropdown, adding a populating search, etc) can be done via the UI's dashboard editor. Additionally, this app has many great Simple XML dashboard examples: http://apps.splunk.com/app/1603/

Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Top