I'm trying to determine how to allow users to enter a range of values as an input on a dashboard, and assign as a token
Would like extract the values and use them with the IN command
Any help is greatly appreaciated!
I think using the mvrange function will come in handy here. Assuming that you call the token for that input $skills$, then i think something like this should work. This would be a search element in your dashboard - which you would then set a new token value to the nums field this creates.
This will essentially split the input by semicolon, then put each of those in their own events, determine the start/end values for each of them, create all of the numbers with mvrange and then put the whole thing back together to be used with the IN operator.
Not tested at all with a dashboard, but hopefully gets you to where you're trying to go.
| stats count
| input = split($skills$,";")
| mvexpand input
| eval input = split(trim(input),"-")
| eval start = if(mvcount(input)=2,mvindex(input,0),input), end = if(mvcount(input)=2,mvindex(input,1),input)
| eval nums = mvrange(start,end+1)
| fields nums
| mvexpand nums
| mvcombine nums
| eval nums = "(" + mvjoin(nums,",") + ")"
I think using the mvrange function will come in handy here. Assuming that you call the token for that input $skills$, then i think something like this should work. This would be a search element in your dashboard - which you would then set a new token value to the nums field this creates.
This will essentially split the input by semicolon, then put each of those in their own events, determine the start/end values for each of them, create all of the numbers with mvrange and then put the whole thing back together to be used with the IN operator.
Not tested at all with a dashboard, but hopefully gets you to where you're trying to go.
| stats count
| input = split($skills$,";")
| mvexpand input
| eval input = split(trim(input),"-")
| eval start = if(mvcount(input)=2,mvindex(input,0),input), end = if(mvcount(input)=2,mvindex(input,1),input)
| eval nums = mvrange(start,end+1)
| fields nums
| mvexpand nums
| mvcombine nums
| eval nums = "(" + mvjoin(nums,",") + ")"
Ok, finally got back to giving this a shot. Great news is that the logic works, but now I'm trying to figure out how set a token with the extracted value to be used with the IN operator.
How can I take the value of 'nums' and set a token with those results?
Thanks!
I think you should be able to set it in your search element during the finalized (or done or whatever) phase. In the splunk docs, these options can be found under "search event handlers" or something like that. So pseudo'ish dashboard xml might look like this.
<search>
<query>
. that
. long
. search
</query>
<finalized>
<set token="skill_list">$result.nums$</set>
</finalized>
</search>
.
.
.
<row>
<panel>
<table>
<search>
<query>index=whatever AND skill IN $skill_list$ .... </query>
</search>
</table>
</panel>
</row>
Great, thanks. Will give it a shot and let you know.
Thanks! Will give it a try.
@ryan_mercer if you are trying to accept Input From a user this guy has some really good examples on how to do that.
https://github.com/JasonConger/SplunkConf18
I was able to make something like this from his examples. Not sure if this is what you're going for.
-Marco
Will check it out, thanks!