What is the best method for managing a list of fields that will be used to populate (at least, but not limited to) a Pulldown and a search that ends in a Table command?
I've heard of lookups but am not too familiar with them.
Any other ideas?
First thing to point out, this is a great thing to think about. It's terrible when you realize that the reason for inconsistencies is because your columns were defined in multiple locations.
Hopefully, there is a better way of doing this, but the way I have done this in the past is by using macros.
First define a no-argument macro that provides the column names:
(name=blotter_columns)
A B C D E
This macro will be utilized by the search query that produces the table and the macro that helps produce the pulldown.
This macro -
(name=order_columns)
index=my_index | head 1 | table `blotter_columns` | transpose | table column | sort column
In the dashboard xml definition:
<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
<param name="search">`order_columns`</param>
<module name="Pulldown">
Hope this helps.
Thanks for your answer @gregbujak. That does actually provide a fairly straightforward way of keeping a centralized list.
Now that search to populate the Pulldown takes at least 1 second to run, more like 1.5 seconds. So all things considered it isn't very efficient. For the Table search it works like a charm though.
I'd love to hear if there are any other ideas out there on how this is done.
Hi,
Create a flat file with all the fields, with every field on a different line prefixed by the text "fieldname=".
Index that file in Splunk and then create a search that will be used to populate a pulldown, or even specify it as arguments to a command via a subsearch.
Let me know if that helps.
Regards,
Amit Saxena
Hi,
I agree with you that it's not the best solution.
Regards,
Amit Saxena
That's an interesting solution. Though wouldn't it become fairly inefficient as time went by and you are searching all-time for those indexed values?
Also, how would you modify existing entries? You'd have to delete the indexed value and re-index the flat file with the changes. Seems a bit of a hassle for something that should be fairly straightforward.