Splunk Search

legacy notation: populating search for populating a tickbox input.

HattrickNZ
Motivator

I have the following bit of code that does a search. The results of that search populate a tickbox input. I wrote it a while ago, but now it is giving me a validation warning: legacy notation: populating search.

So the issue is populatingSearch. Can anyone tell me a better way of doing this? I presume it has to do with my current Splunk being a newer version than when I wrote this? So I just want to know what the equivalent is on the newer version.

    <input type="checkbox" token="apn" searchWhenChanged="true"> <!-- checkbox dropdown --> 
      <label>Select a APN:</label>
      <default>internet</default>
      <!-- <choice value="*">All</choice> --> 
      <!-- The final value will be surrounded by prefix and suffix -->
      <prefix>(</prefix>
      <suffix>)</suffix>
      <!-- Each value will be surrounded by the valuePrefix and valueSuffix -->
      <valuePrefix>APN="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <!-- All the values and their valuePrefix and valueSuffix will be concatenated together with the delimiter between them -->
      <delimiter> OR </delimiter>
      <populatingSearch fieldForValue="APN" fieldForLabel="APN" earliest="-24h" latest="now">
        <![CDATA[index=X ... | stats  sum(KPI1) as "KPINAME" by APN ]]>
      </populatingSearch>
    </input>

Using Splunk 6.5.0

EDIT1

Just revisiting this.

In the links provided below by X, I can see this example of an input tag being filled using populatingSearch, but it also says that it is deprecated: "Deprecated: Use the <search> element as a child of an input element to dynamically populate choices for a form input."

    <input type="dropdown" token="source_tok" searchWhenChanged="true">
      <label>Select a source type</label>
      <choice value="*">All</choice>
      <populatingSearch earliest="-24h@h" latest="now"
            fieldForLabel="sourcetype" fieldForValue="sourcetype">
        index=_internal | stats count by sourcetype
      </populatingSearch>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
      <default>*</default>
    </input>

How do I write the above using a search tag as the child of input, as opposed to using populatingSearch?
I was thinking along the lines of something like this, but I have so far not got it working. Can anyone advise?

    <input type="dropdown" token="source_tok2" searchWhenChanged="true">
      <label>Select a source type 2</label>
      <choice value="*">All</choice>
      <search>
        <query>
          index=_internal | stats count by sourcetype
        </query>
      </search>
      <default>*</default>
    </input>
0 Karma

koshyk
Super Champion

Putting an example to make it simpler

  • good practice to put "_tok" in the token name, so it is not confused with field/label names
  • also try to wrap the query in CDATA, just to ensure double quotes and arrow symbols won't cause problems
  • uses "search" rather than the deprecated "populatingSearch" notation
  • and is a working dashboard (to try out)

sample code

    <form>
      <label>REMOVE THIS DASHBOARD ANYTIME</label>
      <description>Some Description</description>
      <fieldset autoRun="false">
        <input type="dropdown" token="sourcetype_tok" searchWhenChanged="false">
          <label>label_name</label>
          <choice value="*">All</choice>
          <selectFirstChoice>true</selectFirstChoice>
          <search>
            <query>
              <![CDATA[index=_internal | stats count by sourcetype
              ]]>
            </query>
            <earliest>$timeSpan.earliest$</earliest>
            <latest>$timeSpan.latest$</latest>
          </search>
          <fieldForLabel>sourcetype</fieldForLabel>
          <fieldForValue>sourcetype</fieldForValue>
        </input>
        <input type="time" token="timeSpan">
          <label>Time Picker</label>
          <default>
            <earliest>-1h</earliest>
            <latest>now</latest>
          </default>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>Event Details</title>
            <search>
              <query>
                <![CDATA[index=_internal sourcetype=$sourcetype_tok$
                | head 1000
                | table _time,index,sourcetype,source,_raw
                ]]>
              </query>
              <earliest>$timeSpan.earliest$</earliest>
              <latest>$timeSpan.latest$</latest>
            </search>
            <option name="count">20</option>
          </table>
        </panel>
      </row>
    </form>
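
A small converter for the migration discussed in this thread, added here as an example (not code from any poster or from Splunk): it rewrites each `<populatingSearch>` into the `<search>` child layout used in the dashboard above, for any input type. The function name `migrate` and the trimmed sample input are assumptions; the query text is copied from the question, elision included.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's checkbox input, trimmed; the query text
# (including its "..." elision) is copied as posted and treated as opaque.
LEGACY = """<form>
  <fieldset>
    <input type="checkbox" token="apn" searchWhenChanged="true">
      <label>Select a APN:</label>
      <!-- Each value will be surrounded by the valuePrefix and valueSuffix -->
      <valuePrefix>APN="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <populatingSearch fieldForValue="APN" fieldForLabel="APN" earliest="-24h" latest="now">
        <![CDATA[index=X ... | stats  sum(KPI1) as "KPINAME" by APN ]]>
      </populatingSearch>
    </input>
  </fieldset>
</form>"""


def migrate(xml_text):
    """Rewrite every <populatingSearch> as <search>; return (xml, count)."""
    # insert_comments keeps the dashboard's XML comments (Python 3.8+).
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    count = 0
    for parent in list(root.iter()):
        for old in parent.findall("populatingSearch"):
            pos = list(parent).index(old)
            # Query text and time range move into child elements of <search>.
            search = ET.Element("search")
            ET.SubElement(search, "query").text = (old.text or "").strip()
            new = [search]
            for attr in ("earliest", "latest"):
                if old.get(attr) is not None:
                    ET.SubElement(search, attr).text = old.get(attr)
            # fieldForLabel/fieldForValue become siblings of <search>.
            for attr in ("fieldForLabel", "fieldForValue"):
                if old.get(attr) is not None:
                    field = ET.Element(attr)
                    field.text = old.get(attr)
                    new.append(field)
            parent.remove(old)
            for offset, elem in enumerate(new):
                parent.insert(pos + offset, elem)
            count += 1
    ET.indent(root)  # Python 3.9+; CDATA is re-serialized as escaped text
    return ET.tostring(root, encoding="unicode"), count


if __name__ == "__main__":
    print(migrate(LEGACY)[0])
```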

oumukoro
Engager

I have this same issue with Splunk 7.0 enterprise. Is there a fix for this? I don't know much of XML to fix this

0 Karma

DalJeanis
SplunkTrust

Here's the 6.2 note about the deprecated populating search. According to the new architecture, that element's function is now accomplished by writing a search for a child element.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/PanelreferenceforSimplifiedXML#populatingSearc...

It's on the same page, but here's a direct link for the search element you use instead...

http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/PanelreferenceforSimplifiedXML#Search_element
