Using OR in a pivot query

angersleek
Path Finder

I have a data set with the following query, and it is saved as "model_requests":

(service=service* OR (service=Aservice* AND app_name=app*)) some_other_fields=*

Under my dashboards I have a single value chart with the following query:

| pivot model_requests RootObject count(RootObject) AS "Count of Requests" FILTER service in $service_token$

$service_token$ points to a drop-down in the dashboard, which has different service names or *, which is a list of a set of services.
Example drop-down options under static options:

Name         Value
*            (Service1, Service2)
Service1     Service1
Service2     Service2

I have added a new drop-down for app_name, and its token name is $app_token$, as follows:

Name     Value
*        (app1, app2)
app1     app1
app2     app2

In the pivot query, I am looking to have an OR in it to choose between the tokens service_token and app_token (either/or; both tokens' data will not exist at the same time).
For example, as follows:

| pivot model_requests RootObject count(RootObject) AS "Count of Requests" (FILTER service in $service_token$ OR FILTER app_name in $app_token$) FILTER something_else=*

This query doesn't work. Is there a way around this? Thanks.
