Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: legacy notation: populating search for popula...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
legacy notation: populating search for populating a tickbox input.
I have the following bit of code that does a search. The results of that search populates a tickbox input. I wrote it a while ago but now it is giving me a validation warning legacy notation: populating search.
So the issue is populatingSearch. Can anyone tell me a better way of doing this? I presume it has to do with my current splunk being a newer version than when I wrote this? So I just want to know what the equivalent is on the newer version?
<input type="checkbox" token="apn" searchWhenChanged="true"> <!-- checkbox dropdown -->
<label>Select a APN:</label>
<default>internet</default>
<!-- <choice value="*">All</choice> -->
<!-- The final value will be surrounded by prefix and suffix -->
<prefix>(</prefix>
<suffix>)</suffix>
<!-- Each value will be surrounded by the valuePrefix and valueSuffix -->
<valuePrefix>APN="</valuePrefix>
<valueSuffix>"</valueSuffix>
<!-- All the values and their valuePrefix and valueSuffix will be concatenated together with the delimiter between them -->
<delimiter> OR </delimiter>
<populatingSearch fieldForValue="APN" fieldForLabel="APN" earliest="-24h" latest="now">
<![CDATA[index=X ... | stats sum(KPI1) as "KPINAME" by APN ]]>
</populatingSearch>
</input>
using splunk 6.5.0
EDIT1
Just revisting this.
In the links provided below by X, I can see this example of an input tag being filled using populatingSearch, but it also says taht it is deprecated Deprecated: Use the <search> element as a child of an input element to dynamically populate choices for a form input.
<input type="dropdown" token="source_tok" searchWhenChanged="true">
<label>Select a source type</label>
<choice value="*">All</choice>
<populatingSearch earliest="-24h@h" latest="now"
fieldForLabel="sourcetype" fieldForValue="sourcetype">
index=_internal | stats count by sourcetype
</populatingSearch>
<prefix>sourcetype="</prefix>
<suffix>"</suffix>
<default>*</default>
</input>
How do I write the above using a search tag as the child of input, as opposed to using populateSearch
I was thinking along the lines of something like this, but I have so far not got it working. Can anyone advise?
<input type="dropdown" token="source_tok2" searchWhenChanged="true">
<label>Select a source type 2</label>
<choice value="*">All</choice>
<search>
<query>
index=_internal | stats count by sourcetype
</query>
</search>
<default>*</default>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Putting an example to make it simpler
- good practice to put "_tok" in the token name, so it is not confused with field/label names
- also try to query wrapped in CDATA just to ensure double quotes, arrow symbols won't cause problems
- uses "search" rather than the deprecated "populatingSearch" notation
- and is a working dashboard (to try out)
sample code
<form>
<label>REMOVE THIS DASHBOARD ANYTIME</label>
<description>Some Description</description>
<fieldset autoRun="false">
<input type="dropdown" token="sourcetype_tok" searchWhenChanged="false">
<label>label_name</label>
<choice value="*">All</choice>
<selectFirstChoice>true</selectFirstChoice>
<search>
<query>
<![CDATA[index=_internal | stats count by sourcetype
]]>
</query>
<earliest>$timeSpan.earliest$</earliest>
<latest>$timeSpan.latest$</latest>
</search>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
</input>
<input type="time" token="timeSpan">
<label>Time Picker</label>
<default>
<earliest>-1h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Event Details</title>
<search>
<query>
<![CDATA[index=_internal sourcetype=$sourcetype_tok$
| head 1000
| table _time,index,sourcetype,source,_raw
]]>
</query>
<earliest>$timeSpan.earliest$</earliest>
<latest>$timeSpan.latest$</latest>
</search>
<option name="count">20</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have this same issue with Splunk 7.0 enterprise. Is there a fix for this? I don't know much of XML to fix this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's the 6.2 note about the deprecated populating search. According to the new architecture, that element's function is now accomplished by writing a search for a child element.
It's on the same page, but here's a direct link for the search element you use instead...
http://docs.splunk.com/Documentation/Splunk/6.2.0/Viz/PanelreferenceforSimplifiedXML#Search_element
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
