In your documentation you have a document about form searches:
http://www.splunk.com/doc/3.1.4/admin/FormSearch
An example is given like the following:
$TradeType=Accepted,Rejected,Hold$
This gives me a drop-down in my search with these three options.
I want to do the EXACT same thing, except instead of manually entering all the IDs, I use the field I have created.
As I have mentioned, the field works PERFECTLY. It shows up in the field section. When selected, it shows me the top 10 IDs with the most alerts and finds all 55 other IDs that exist in the logs.
I have not included my event logs, as they are not required; I already know the regex is working fine.
transforms.conf
[registrar_id]
# Group 1 is the log level, group 2 is the ID; only group 2 is kept as the field value
REGEX = (WARN|ERROR) (\d\d\d\d-[A-Z]+)
FORMAT = registrar_id::$2
DEST_KEY = _meta
props.conf
[log4j]
# Search-time field extraction for the log4j sourcetype, referencing the stanza above
REPORT-registrarid = registrar_id
Any hints or help would be greatly appreciated!
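For anyone reading along, here is a small stand-alone illustration of what the question is asking for: apply the same REGEX/FORMAT logic as the transforms.conf stanza above to log lines, collect the distinct registrar_id values ordered by event count (the "top 10" view the poster describes), and render them in the $field=a,b,c$ token format from the Form Search documentation instead of typing the IDs by hand. This is an added example, not code from the original post or from Splunk; the log lines are constructed for the demo, and building the token string this way says nothing about whether Splunk's form search will accept a dynamically generated list.

```python
import re
from collections import Counter

# Same pattern as the transforms.conf stanza in the post; capture group 2 becomes registrar_id.
REGISTRAR_RE = re.compile(r"(WARN|ERROR) (\d\d\d\d-[A-Z]+)")

# Constructed sample log4j-style events (not taken from the original post).
SAMPLE_EVENTS = [
    "2009-03-01 10:00:01 WARN 1001-ALPHA registration delayed",
    "2009-03-01 10:00:02 ERROR 1001-ALPHA registration rejected",
    "2009-03-01 10:00:03 ERROR 2002-BETA lookup failed",
    "2009-03-01 10:00:04 INFO 3003-GAMMA registration ok",   # INFO level: the REGEX does not match
    "2009-03-01 10:00:05 WARN 3003-GAMMA slow response",
    "2009-03-01 10:00:06 ERROR 1001-ALPHA registration rejected",
]


def extract_registrar_ids(events):
    """Mirror REGEX/FORMAT: return capture group 2 for every event the pattern matches."""
    ids = []
    for line in events:
        m = REGISTRAR_RE.search(line)
        if m:
            ids.append(m.group(2))
    return ids


def top_registrar_ids(events, n=10):
    """Distinct registrar_id values ordered by event count (ties keep first-seen order),
    the same ranking the poster sees when clicking the field in the sidebar."""
    counts = Counter(extract_registrar_ids(events))
    return [rid for rid, _ in counts.most_common(n)]


def form_search_token(field, values):
    """Render values in the $field=v1,v2,...$ shape used by the Form Search doc example."""
    return "$%s=%s$" % (field, ",".join(values))


if __name__ == "__main__":
    ids = top_registrar_ids(SAMPLE_EVENTS)
    print(ids)
    print(form_search_token("registrar_id", ids))
```

Running it prints the three distinct IDs with 1001-ALPHA first (three matching events) and the token $registrar_id=1001-ALPHA,2002-BETA,3003-GAMMA$; the INFO line is skipped exactly as the REGEX in transforms.conf would skip it.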