How to get a multiselect form input to pass two types of values?

Communicator

When creating a search using pivot/data model, I can add a filter that looks something like:

FILTER Brand in (brand1,brand2,brand3) or FILTER Brand in (*) as default value

When running a regular search to filter by brand, the search would need to look something like:

search (Brand=brand1 OR Brand=brand3 OR Brand=brand3)

In my dashboard, I have a bunch of panels that use the pivot/data model. I also have multiple multiselect filters (that are dependent on one another) for the dashboard that currently use pivot, but to make things run a little faster, I would like to use regular searches to populate the multiselect filter values.

Is there a way to pull the token value of the multiselect form which is delimited by `,`, pass it into another token, and replace the comma delimiter with a new one, which would be ` OR Brand=`?

For example, if the multiselect form is currently set up to pass value as (brand1,brand2,brand3), I would like to copy this token value and pass it into a new token value as (Brand=brand1 OR Brand=brand2 OR Brand=brand3)

Thanks ahead of time.

0 Karma

Re: How to get a multiselect form input to pass two types of values?

Champion

If I didn't misunderstand your intention, you could get the whole result in one go with one multiselect. Define Token Prefix as `(`, Token Suffix as `)`, Token Value Prefix as `Brand=` and Delimiter as ` OR ` (that's space, OR, space). The resulting token should look like

(Brand=value1 OR Brand=value2 ...)

which could already be what you need.
Oh and on a side note, it might be useful to define quotes around your values in case they can contain non-alphanumerics. That'll require Token Value Prefix as `Brand="` and one of either Delimiter as `" OR ` or Token Value Suffix as `"`.

0 Karma
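
The settings from the answer above, written out as Simple XML with the quoted variant from its side note. This is an added example, not code posted in the thread; the token name `brand_filter`, the placeholder `YOUR_INDEX`, the time range and both queries are assumptions. It covers only the regular-search form of the token, not the pivot `FILTER` form.

```xml
<form>
  <label>Brand filter (constructed example)</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="brand_filter" searchWhenChanged="true">
      <label>Brand</label>
      <choice value="*">All</choice>
      <default>*</default>
      <!-- The token is assembled as:
           prefix, then each selected value wrapped in valuePrefix and
           valueSuffix and joined by delimiter, then suffix. -->
      <prefix>(</prefix>
      <!-- Quoting each value keeps spaces, parentheses and other
           non-alphanumerics inside the value from being read as search
           syntax. A value that itself contains a double quote is not
           handled by these settings. -->
      <valuePrefix>Brand="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <suffix>)</suffix>
      <fieldForLabel>Brand</fieldForLabel>
      <fieldForValue>Brand</fieldForValue>
      <search>
        <!-- Assumed populating search; YOUR_INDEX is a placeholder. -->
        <query>index=YOUR_INDEX | stats count by Brand | fields Brand</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- With brand1 and brand2 selected, $brand_filter$ expands to
               (Brand="brand1" OR Brand="brand2"); the default expands to
               (Brand="*"). -->
          <query>index=YOUR_INDEX $brand_filter$ | stats count by Brand</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```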

Re: How to get a multiselect form input to pass two types of values?

Communicator

I would like to use the Token from one multiselect for two different types of queries - 1) one for pivot query and 2) regular Splunk query.

Rather than creating 2 multiselect inputs for the Brand parameter, I would like to have one input that would populate both types of queries. The reason I'm using two types is because pivot queries are essential for creating the majority of the panels, but in some rare instances, I just need to get a list of all rows (in this case Brand) without doing a count on it (which pivot would automatically do). Using a regular Splunk query to search for all unique brands would run a lot faster than getting a list of all brands with calculated hit count.

Re: How to get a multiselect form input to pass two types of values?

Champion

How do you get a list of brands without any statistic function, of which count is the easiest? List and dedup is more expensive.

Re: How to get a multiselect form input to pass two types of values?

Communicator

Jeffland, thank you for your input! Sounds like you're recommending an accelerated pivot table over list and dedup. I greatly appreciate the input.

0 Karma

Re: How to get a multiselect form input to pass two types of values?

Champion

You're welcome 🙂

0 Karma

Re: How to get a multiselect form input to pass two types of values?

Communicator

I had the same issue. You can use the Delimiter as ` OR Brand=`. After passing this delimiter, your query will look like below.

| search Brand=brand1 OR Brand=brand3 OR Brand=brand3
0 Karma

Re: How to get a multiselect form input to pass two types of values?

Explorer

This doesn't work for the pivot though...

0 Karma