Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

drop down list population with extracted search fields

santoshbala
Engager
‎05-22-2013 05:07 PM

I'm trying to populate my drop down list with extracted fields of a search, most examples I've seen on splunkbase explain it quite well, but I don't think I'm getting the syntax right, how do I set the 'fields' as the token to pass to my populating search? I currently have this:

<! -- default search to assign tokens --->



index=main host=gridnames | fields gridnames | dedup gridnames <!- set $grid$ here: HOW?>









<![CDATA[index="main" host=gridnames| fields grid | dedup grid]]>



default



I know I'm not setting $grid$ in the searchtemplate, but how do I do it for the field gridnames?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎05-22-2013 07:16 PM

The searchtemplate element is for the main search you want to run in the dashboard. The search to get the list of values to display in the dropdown is the body of the populating search element.


<searchtemplate>big_search_here grid=$grid$</searchtemplate>
<fieldset>
<input type="dropdown" token="grid">
<populatingSearch fieldForLabel="gridnames" fieldforValue="gridnames"> index=main host=gridnames | fields gridnames | dedup gridnames</populatingSearch>
</input>
</fieldset>

View solution in original post

Reply
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎05-22-2013 07:16 PM

The searchtemplate element is for the main search you want to run in the dashboard. The search to get the list of values to display in the dropdown is the body of the populating search element.


<searchtemplate>big_search_here grid=$grid$</searchtemplate>
<fieldset>
<input type="dropdown" token="grid">
<populatingSearch fieldForLabel="gridnames" fieldforValue="gridnames"> index=main host=gridnames | fields gridnames | dedup gridnames</populatingSearch>
</input>
</fieldset>

Reply
Solved! Jump to solution

santoshbala
Engager
‎05-22-2013 08:34 PM

Brilliant! Works a treat! thanks a lot!

For anyone else looking:

<searchTemplate>

index=main host=gridnames | fields $grid$ | dedup $grid$ 

<fieldset>




<![CDATA[index="main" host=gridnames| fields gridnames | dedup gridnames]]>

testabooga

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...