**I want to preface with the fact that I am a total noob at Splunk, so please bear with me.**
I am trying to make a dashboard that shows the on-call for each organization/team. It lists their name, contact info, the start of when they are on call, and the end of when they are on call.
**Ex of what it should look like:** (Select org(s): abc )

| org | team | username | OnCallStart | OnCallEnd |
| --- | --- | --- | --- | --- |
| abc | aa-team | bob2 | 2023-05-01T08:00:00-7:00 | 2023-05-02T08:00:00-7:00 |
**The issue (other than me not being able to figure out how to get their respective teams listed currently) is that it looks more like this:** *(ignore the dates being the exact same, just giving an idea of the format)*

| org | team | username | OnCallStart | OnCallEnd |
| --- | --- | --- | --- | --- |
| abc | | bob2 | 2023-05-01T08:00:00-7:00 | 2023-05-02T08:00:00-7:00 |
| 123 | | | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
| | | | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
| | | | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
| | | | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
| | | | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
| | | | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
| | | | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
I have a multiselect option with a submit button so that I can filter by orgs; however, if, for example, I filtered by the "abc" org, it would show bob2 but have both "abc" and "123" orgs listed.
How can I control the orgs shown when a user is a part of multiple orgs? How can I limit the number of oncallstart and oncallend times listed to a single line that correlates to the particular org that it matches with?
I tried seeing if I could use something like `| head 1`, but that doesn't seem to be what I want based on this: https://docs.splunk.com/Documentation/SCS/current/SearchReference/HeadCommandOverview#How_the_head_command_works
I don't know where to locate props.conf to use something like TRUNCATE, not even sure if that's what should be used in this instance or not. https://community.splunk.com/t5/Getting-Data-In/Size-limit-for-an-event/m-p/16410
I considered limiting in the source code by using something like `<option name="count">1</option>`, but that just limits it to show one user per page, still listing the multiple orgs (despite filtering for a particular one) and the multiple start and end times.
Would it be some kind of query parameter? https://docs.splunk.com/Documentation/DashApp/0.9.0/DashApp/dsOpt