Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Distinct delimiters for same input

seomaniv
Explorer
‎05-12-2020 03:23 PM

I have a dashboard that takes 3 inputs. (TimePicker, Associate, and Activity).

All items (inputs and dash panels) update based on the TimePicker, no problem.

The activity is only ever a single option (dropdown). However, the Associate is a series of checkboxes. For the dash panel, it is a simple delimiter of " OR Associate="

The problem is that the Activity dropdown also has to update based on the Associates picked, and the delimiter for the dropdown query would be different than the delimiter for the dash panel (much more complicated with a nested eval). I do not see a way to have a different delimiter - is there a way?

If not, I wonder if there is a way I can use the selections from one input to populate a second input with a different delimiter?

0 Karma
Reply

anmolpatel
Builder
‎05-12-2020 03:49 PM

@seomaniv can you please provide a sample on how the changes are to take place based on selection.

0 Karma
Reply

seomaniv
Explorer
‎05-12-2020 05:02 PM

So the dashboard's Associate panel has a query like:

index/source/host | 
search Associate="$associate$" | 
stats sum(hoursWorked) as "Hours Worked" by Associate

With a delimiter of:

" OR Associate="

If I select associates "Fred" "George" and "Ron" I would end up with a query of:

index/source/host | 
search Associate="Fred" OR Associate="George" OR Associate="Ron" | 
stats sum(hoursWorked) as "Hours Worked" by Associate

and I get a table comparing the number of hours each associate worked in the time period chosen by the time picker. However, the Activity dropdown needs to limit "hours worked" to activities that all the chosen associates have participated in during that time period, so it has a nested search:

index/source/etc. | 
search Associate="$associate$" |  
sort ActivityType | dedup ActivityType | 
eval thisActivity=if(ActivityType in [search index/source/etc. | 
search Associate="$associate$" | 
sort ActivityType | dedup ActivityType],ActivityType,"SESSION") | 
search ActivityType!="SESSION"

and in order to work then the delimiter needs to be a nested eval search:

" | 
sort ActivityType | dedup ActivityType],ActivityType,"SESSION") | 
eval thisActivity=if(ActivityType in [search index/source/host | 
search ActivityType!="SESSION" | 
search Associate="

Either one of these works independently, but I can't do both at the same time. I COULD make a separate input, but then the user would have to choose the "Associates" twice, and aside from being annoying, that can lead to them being inconsistent.

0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...