Hi hindoo,
You said one source, with source = "192.168.1.203".
It is likely that there is no result for this unique source in real time. Try to select all sources with source = * and check whether there are still no results. If it works, you could create a dropdown where the user can select a particular source.
If you want to get all the results, you have to write | top limit=0. To generalize, you might have code like this:
<form>
  <label>---------------------------------------</label>
  <description>---------------------</description>
  <fieldset autoRun="true" submitButton="false">
    <!-- Dropdown that sets the $source$ token; "All" maps to the wildcard * -->
    <input type="dropdown" token="source" searchWhenChanged="true">
      <label>Select a source:</label>
      <default>*</default>
      <choice value="*">All</choice>
      <!-- Fills the dropdown with every source seen for sourcetype=syslog -->
      <populatingSearch fieldForValue="source" fieldForLabel="source">
        <![CDATA[sourcetype=syslog | stats count by source]]>
      </populatingSearch>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Inline Search Table</title>
      <search>
        <!-- The token is quoted so source values containing spaces still match -->
        <query>sourcetype=syslog source="$source$" | top limit=10</query>
        <!-- Real-time window covering the last 30 seconds -->
        <earliest>rt-30s</earliest>
        <latest>rt</latest>
      </search>
    </table>
  </row>
</form>
Please forgive my English.