<form>
  <label>CIS - Investigate Sourcetype (v 1.0)</label>
  <description>CIS Analytics | Corporate Information Security</description>
  <fieldset submitButton="false" autoRun="false">
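    <input type="dropdown" token="myindex" searchWhenChanged="true">
      <!-- Index picker. The choices are the indexes that returned events in the
           last 24 hours. The myindex token can also arrive from the URL
           (form.myindex=...), which is how the drilldown link on this dashboard
           passes it, so do not assume its value is one of the choices listed
           here: every search that consumes it should quote it with the |s
           token filter. -->
      <label>Available Indexes</label>
      <!-- The populating search is declared once; the label and value both
           come from the "index" field of its results. -->
      <search>
        <query>| tstats values(sourcetype) AS st where index=* by index  | fields - st</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <default>afco</default>
      <initialValue>afco</initialValue>
    </input>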
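    <input type="dropdown" token="mysourcetype" searchWhenChanged="true">
      <!-- Sourcetype picker, scoped to the index held in the myindex token.
           That token is user-controlled (form input or URL parameter), so it is
           inserted with the |s filter, which wraps the value in quotes and
           keeps it a single search term instead of letting it extend the
           query. -->
      <label>Available Sourcetypes</label>
      <search>
        <query>| tstats values(sourcetype) AS st where index=$myindex|s$ by sourcetype  | fields - st</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <default>afco:db:events</default>
      <initialValue>afco:db:events</initialValue>
    </input>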
  </fieldset>
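  <row>
    <panel>
      <title>Fields and sample values for Sourcetype: $mysourcetype$ in $myindex$</title>
      <!-- Lists every field seen in the selected index/sourcetype over the last
           24 hours, with one sample value per field (fieldsummary maxvals=1,
           sample extracted from the "values" column by rex).
           Both tokens are user-controlled, so they are inserted with the |s
           filter everywhere they reach the search string, including the two
           eval assignments; this keeps each value a quoted literal. -->
      <table>
        <search>
          <query>index=$myindex|s$ sourcetype=$mysourcetype|s$ | fieldsummary maxvals=1 | rex field=values "value\"\:\"(?&lt;Sample_Value&gt;.+)\"\," | eval index=$myindex|s$ | eval sourcetype=$mysourcetype|s$ | where Sample_Value!="" |fields field Sample_Value index sourcetype | stats list(field) AS "Field Name" list(Sample_Value) AS "Sample Value" by index sourcetype</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="dataOverlayMode">none</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <!-- The row's index value originates from the myindex token, so it is
               URL-encoded (|u) before being placed in the query string of the
               target dashboard. -->
          <link target="_self">/app/cisa_sh_moswos/index_based?form.myindex=$row.index|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>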
</form>