If a dashboard contains a dynamic dropdown, you must use a search to populate the dropdown. As the amount of data increases, the query to populate the dropdown will run more and more slowly, even from a summary index. We can use a CSV file to store just the information needed, simply adding new values when they occur.
First, we build a query to generate the CSV file. This query should be run over as much data as possible:
source="impl_splunk_gen" | stats count by user | outputcsv user_list.csv
Next, we need a query that appends any new entries to the file. Schedule this query to run periodically as a saved search:
source="impl_splunk_gen" | stats count by user | append [inputcsv user_list.csv] | stats sum(count) as count by user | outputcsv user_list.csv
To then use this in our dashboard, our populating query will simply be:
|inputcsv user_list.csv
A simple dashboard XML using this query would look like the following:
<input type="dropdown" token="sourcetype">
  <label>User</label>
  <populatingSearch fieldForValue="user" fieldForLabel="user">
    |inputcsv user_list.csv
  </populatingSearch>
</input>
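The scheduling step above, written out as a savedsearches.conf stanza. This is an added example, not part of the original text; the stanza name and the hourly schedule are assumptions. The dispatch window is aligned with the cron schedule so that each event is read by exactly one run and the summed counts in user_list.csv are not inflated by overlapping windows.

```ini
# savedsearches.conf
# Added example: the stanza name and schedule are hypothetical choices.
[Update user_list.csv]
# The append query from the text, unchanged.
search = source="impl_splunk_gen" | stats count by user | append [inputcsv user_list.csv] | stats sum(count) as count by user | outputcsv user_list.csv
# Run as a scheduled search at the top of every hour.
enableSched = 1
cron_schedule = 0 * * * *
# Search only the previous whole hour, so consecutive runs never overlap.
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
```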