Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Distinct delimiters for same input

seomaniv
Explorer
‎05-12-2020 03:23 PM

I have a dashboard that takes 3 inputs. (TimePicker, Associate, and Activity).

All items (inputs and dash panels) update based on the TimePicker, no problem.

The activity is only ever a single option (dropdown). However, the Associate is a series of checkboxes. For the dash panel, it is a simple delimiter of " OR Associate="

The problem is that the Activity dropdown also has to update based on the Associates picked, and the delimiter for the dropdown query would be different than the delimiter for the dash panel (much more complicated with a nested eval). I do not see a way to have a different delimiter - is there a way?

If not, I wonder if there is a way I can use the selections from one input to populate a second input with a different delimiter?

0 Karma
Reply

anmolpatel
Builder
‎05-12-2020 03:49 PM

@seomaniv can you please provide a sample on how the changes are to take place based on selection.

0 Karma
Reply

seomaniv
Explorer
‎05-12-2020 05:02 PM

So the dashboard's Associate panel has a query like:

index/source/host | 
search Associate="$associate$" | 
stats sum(hoursWorked) as "Hours Worked" by Associate

With a delimiter of:

" OR Associate="

If I select associates "Fred" "George" and "Ron" I would end up with a query of:

index/source/host | 
search Associate="Fred" OR Associate="George" OR Associate="Ron" | 
stats sum(hoursWorked) as "Hours Worked" by Associate

and I get a table comparing the number of hours each associate worked in the time period chosen by the time picker. However, the Activity dropdown needs to limit "hours worked" to activities that all the chosen associates have participated in during that time period, so it has a nested search:

index/source/etc. | 
search Associate="$associate$" |  
sort ActivityType | dedup ActivityType | 
eval thisActivity=if(ActivityType in [search index/source/etc. | 
search Associate="$associate$" | 
sort ActivityType | dedup ActivityType],ActivityType,"SESSION") | 
search ActivityType!="SESSION"

and in order to work then the delimiter needs to be a nested eval search:

" | 
sort ActivityType | dedup ActivityType],ActivityType,"SESSION") | 
eval thisActivity=if(ActivityType in [search index/source/host | 
search ActivityType!="SESSION" | 
search Associate="

Either one of these works independently, but I can't do both at the same time. I COULD make a separate input, but then the user would have to choose the "Associates" twice, and aside from being annoying, that can lead to them being inconsistent.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...