Hi lakromani.

You probably need this:

index=_internal user=* | timechart count by user limit=10 | search radio= \"$radio$\" 

Perfect. This did what I was looking for. Since the $radio$ was used elsewhere in the script I could not change it.

But I still do not understand why I can not set the $aggrQuery$ within the panel section of the Dashboard. This could be added by the Splunk guys 🙂

Splunk has a map command where you can recursively execute SPL for selected field. (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map). I have used makeresults but you can use timechart instead.

  <fieldset>
   <input type="radio" token="radio" searchWhenChanged="true">
   <label>Radio</label>
   <choice value="*">All</choice>
   <choice value="Dot11Radio0">2.4 GHz</choice>
   <choice value="Dot11Radio1">5.0 Ghz</choice>
   <default>*</default>
 </input>
 </fieldset>

  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval aggrQuery=case("$radio$"=="Dot11Radio0","avg(low) AS 2.4GHz","$radio$"=="Dot11Radio1","avg(high) AS 5.0Ghz",true(),"avg(high) AS 5.0Ghz avg(low) AS 2.4GHz")
| map search="| makeresults | eval UseMappedresult=\"$aggrQuery$\""</query>
          <sampleRatio>1</sampleRatio>
        </search>

What if you just made the choice value be what you eval to in your query and pass that as a token?

<input type="radio" token="radio" searchWhenChanged="true">
   <label>Radio</label>
   <choice value="*">All</choice>
   <choice value="avg(low) AS 2.4GHz">2.4 GHz</choice>
   <choice value="avg(high) AS 5.0Ghz">5.0 Ghz</choice>
   <default>*</default>
 </input>

<query>source="snmp://Cisco-Wifi-clients"
             | timechart $radio$</query>

Problem is that I use $radio$ other places in my config, and it's value can not be changed.