Hello,
I am trying to make a dashboard with a drop down for selecting between various devices logging to Splunk, a time range picker, and having the charts/tables on that dashboard change depending on what is selected. If I remove "| dedup devname" from my populating search string I get results in the drop down but there are many duplicates. With that syntax in place no results are generated in the drop down (but if I plug the syntax into my Splunk search it returns correctly). The rest of the functionality seemed to work with my dashboard that I have written so far in that once a device is selected the table varies based on it and the time picker. Below is my code:
<form>
  <label>Fortigate</label>
  <fieldset autoRun="true">
    <input type="dropdown" token="fortigate" searchWhenChanged="true">
      <label>Select Device</label>
      <populatingSearch fieldForValue="devname" fieldForLabel="devname">
        sourcetype=fortinet | fields devname | dedup devname
      </populatingSearch>
    </input>
    <input type="time" />
  </fieldset>
  <row>
    <table>
      <title>Top Denied</title>
      <searchTemplate>sourcetype=fortinet devname="$fortigate$" rule=3000 | top dest</searchTemplate>
    </table>
  </row>
</form>
What can I do to remove the duplicates and still keep the same functionality? I know you can use a csv file to load the contents of the dropdown but I'd prefer something more dynamic.
Thanks