Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Distinct delimiters for same input
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Distinct delimiters for same input
I have a dashboard that takes 3 inputs. (TimePicker, Associate, and Activity).
All items (inputs and dash panels) update based on the TimePicker, no problem.
The activity is only ever a single option (dropdown). However, the Associate is a series of checkboxes. For the dash panel, it is a simple delimiter of " OR Associate="
The problem is that the Activity dropdown also has to update based on the Associates picked, and the delimiter for the dropdown query would be different than the delimiter for the dash panel (much more complicated with a nested eval). I do not see a way to have a different delimiter - is there a way?
If not, I wonder if there is a way I can use the selections from one input to populate a second input with a different delimiter?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@seomaniv can you please provide a sample on how the changes are to take place based on selection.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the dashboard's Associate panel has a query like:
index/source/host |
search Associate="$associate$" |
stats sum(hoursWorked) as "Hours Worked" by Associate
With a delimiter of:
" OR Associate="
If I select associates "Fred" "George" and "Ron" I would end up with a query of:
index/source/host |
search Associate="Fred" OR Associate="George" OR Associate="Ron" |
stats sum(hoursWorked) as "Hours Worked" by Associate
and I get a table comparing the number of hours each associate worked in the time period chosen by the time picker. However, the Activity dropdown needs to limit "hours worked" to activities that all the chosen associates have participated in during that time period, so it has a nested search:
index/source/etc. |
search Associate="$associate$" |
sort ActivityType | dedup ActivityType |
eval thisActivity=if(ActivityType in [search index/source/etc. |
search Associate="$associate$" |
sort ActivityType | dedup ActivityType],ActivityType,"SESSION") |
search ActivityType!="SESSION"
and in order to work then the delimiter needs to be a nested eval search:
" |
sort ActivityType | dedup ActivityType],ActivityType,"SESSION") |
eval thisActivity=if(ActivityType in [search index/source/host |
search ActivityType!="SESSION" |
search Associate="
Either one of these works independently, but I can't do both at the same time. I COULD make a separate input, but then the user would have to choose the "Associates" twice, and aside from being annoying, that can lead to them being inconsistent.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
