Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to populate dropdown input with ids from search?

vtsguerrero
Contributor
‎07-17-2014 08:11 AM

Can anyone please help me to populate a Dropdown input with the ids from this this search:
index=main sourcetype=mainperfomance ChannelCode="*"
I need to make a table that auto searches registers within the selected channels...

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎07-17-2014 04:27 PM

A quick way would be to populate the drop down from a populatingSearch (below). This example terminates the populating search once 1000 values are retrieved (via the "head 1000" command). 

<form>
  <label>populate_dropdown_from_search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="channel_code">
      <label>Name:</label>
      <populatingSearch fieldForLabel="name" fieldForValue="name">index=main sourcetype=mainperfomance ChannelCode=* | head 1000 | stats count by ChannelCode | fields - count</populatingSearch>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <searchString>index=main sourcetype=mainperfomance ChannelCode=$channel_code$</searchString>
        <earliestTime/>
        <latestTime/>
      </event>
    </panel>
  </row>
</form>

A more robust solution is to define a lookup and then create a scheduled saved search that updates that lookup file. That file is updated by a search similar to the populating search. The lookup can then be used to populate the dropdown box quickly. Using a search that appends the lookup with new values makes the list more robust over time:

index=main sourcetype=mainperfomance ChannelCode=* 
| inputlookup append=t channel_codes
| stats count by ChannelCode
| fields - count
| outputlookup channel_codes

...then you would modify the dashboard to load the results from that looup file:

  <populatingSearch fieldForLabel="name" fieldForValue="name">| inputlookup channel_codes</populatingSearch>

View solution in original post

Reply
Solved! Jump to solution

ThomasControlw1
Explorer
‎05-10-2017 03:54 AM

thanks for this soulution, works perfekt

0 Karma
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎07-17-2014 04:27 PM

A quick way would be to populate the drop down from a populatingSearch (below). This example terminates the populating search once 1000 values are retrieved (via the "head 1000" command). 

<form>
  <label>populate_dropdown_from_search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="channel_code">
      <label>Name:</label>
      <populatingSearch fieldForLabel="name" fieldForValue="name">index=main sourcetype=mainperfomance ChannelCode=* | head 1000 | stats count by ChannelCode | fields - count</populatingSearch>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <searchString>index=main sourcetype=mainperfomance ChannelCode=$channel_code$</searchString>
        <earliestTime/>
        <latestTime/>
      </event>
    </panel>
  </row>
</form>

A more robust solution is to define a lookup and then create a scheduled saved search that updates that lookup file. That file is updated by a search similar to the populating search. The lookup can then be used to populate the dropdown box quickly. Using a search that appends the lookup with new values makes the list more robust over time:

index=main sourcetype=mainperfomance ChannelCode=* 
| inputlookup append=t channel_codes
| stats count by ChannelCode
| fields - count
| outputlookup channel_codes

...then you would modify the dashboard to load the results from that looup file:

  <populatingSearch fieldForLabel="name" fieldForValue="name">| inputlookup channel_codes</populatingSearch>
Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎07-17-2014 04:32 PM

If you're using latest version of Splunk, much of the work (creating the form, adding the dropdown, adding a populating search, etc) can be done via the UI's dashboard editor. Additionally, this app has many great Simple XML dashboard examples: http://apps.splunk.com/app/1603/

Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...