Passing a field as a variable array

All Apps and Add-ons

I am trying to recreate a report from MS Access in Splunk - basically in order to move away from Access completely.

I am using db connect to search various databases and I have my searches correct but I cannot figure out how to pass the fields I am getting to create a whole new dashboard panel.

I hope this illustrates what I am attempting (and who knows, maybe there's an add-on to help with this I am unaware of?).

[time picker]
Search1 Fields from db1:
[date/time(based on time picker)][Location][Total1]
Search2 Fields from db2:
[date/time(based on time picker)][Location][Total2]
Search3 Fields from db3:
[date/time(based on time picker)][Location][Total3]

Need to have a new dashboard based on these quantities...
New Dashboard:
[date/time(based on time picker][Location(should match from all 3 searches)][Difference in totals]

Tokens seem to require specific values and I am not sure how mapping would work here.

Get Updates on the Splunk Community!

Passing a field as a variable array

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation

Passing a field as a variable array

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition