I have a csv file that tracks firewall rule hits. I would like to create a form that reads the csv and populates a drop down menu that allows the user to select a field extracted via rex which will populate a larger search from the same csv.
The rule_name field may have a 4-character (alphanumeric) identifier that will define a group responsible for those rules. That is the field I want to show in the dropdown field.
Here is the form code that I want to use; however, Splunk spits back an invalid XML message.
As far as I can tell the XML is valid (no broken tags). Is it the rex command that causes the error?
<form>
<label>Code Rule Search</label>
<searchTemplate>| inputlookup pp-fw-rule-tracker appcode=$appcode$ | table rule_name,cluster | sort cluster desc</searchTemplate>
<fieldset>
<input type="dropdown" token="appcode">
<label>select appcode</label>
<choice value="*">All</choice>
<populatingSearch fieldForValue="appcode" fieldForLabel="appcode">| inputlookup pp-fw-rule-tracker |rex field=rule_name "(?<appcode>^[\"]{0,1}[a-zA-Z\d]{4})-" | dedup appcode |table appcode</populatingSearch>
</input>
</fieldset>
<row>
<table>
<title>Rules matching Appcode from Tracker CSV</title>
</table>
</row>
</form>
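Added example, not part of the original post: a Python check of the posted `<populatingSearch>` element for XML well-formedness, first as written and then with the search text entity-escaped or wrapped in CDATA, followed by the rex pattern applied to constructed rule names. The helper names and the sample rule names are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# The populating search exactly as posted (SPL text, not yet XML-safe).
SPL = ('| inputlookup pp-fw-rule-tracker |rex field=rule_name '
       r'"(?<appcode>^[\"]{0,1}[a-zA-Z\d]{4})-" | dedup appcode |table appcode')

ATTRS = 'fieldForValue="appcode" fieldForLabel="appcode"'

def wrap(body):
    """Place a text body inside the <populatingSearch> element from the post."""
    return f'<populatingSearch {ATTRS}>{body}</populatingSearch>'

def parse_error(xml_text):
    """Return None if xml_text is well-formed, else the parser's message."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)

def search_text(xml_text):
    """Text content an XML parser hands back for the element."""
    return ET.fromstring(xml_text).text

# As posted: the parser reads "<appcode>" inside (?<appcode>...) as an
# opening tag that is never closed, so the document is not well-formed.
raw = wrap(SPL)
# Two XML-safe spellings of the same search text.
escaped = wrap(SPL.replace('&', '&amp;').replace('<', '&lt;'))
cdata = wrap(f'<![CDATA[{SPL}]]>')

def extract_appcode(rule_name):
    """Apply the posted pattern; Python spells named groups (?P<name>...)."""
    pattern = r'(?P<appcode>^["]{0,1}[a-zA-Z\d]{4})-'
    m = re.search(pattern, rule_name)
    return m.group('appcode') if m else None

if __name__ == '__main__':
    for label, doc in (('raw', raw), ('escaped', escaped), ('cdata', cdata)):
        print(f'{label:8} -> {parse_error(doc) or "well-formed"}')
    # Constructed rule names, not taken from the poster's CSV.
    for name in ('AB12-allow-web', '"CD34-deny-ftp', 'no-code-here'):
        print(f'{name!r} -> {extract_appcode(name)!r}')
```

Both safe forms hand the parser's consumer the identical search string, and because the optional leading quote sits inside the capture group, a quoted rule name yields an appcode that still carries the quote.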