I am new to Splunk, currently working on a Shift roster. There are 3 teams and 3 members in each team(totally 9 members).
The roster input file is a CSV file and I haven't defined any lookup yet.
Team 1 - T1 M1, T1 M2, T1 M3
Team 2 - T2 M1, T2 M2, T2 M3
Team 3 - T3 M1, T3 M2, T3 M3
The roster input file looks similar to the below:
Date Day T1 M1 T1 M2 T1 M3 T2 M1 T2 M2,T2 M3,T3 M1,T3 M2,T3 M3
20/1 Thu Day Night Day Night Night Night....
21/1 ...
22/1 ...
I have created a Drop down and multivalue fields.
<input type="dropdown" token="filterby_name" searchWhenChanged="true">
<label>Filter by</label>
<choice value="All">All</choice>
<choice value="Team">Team</choice>
<choice value="Name">Name</choice>
<default>All</default>
<change>
<unset token="form.tokSystem"></unset>
</change>
</input>
<input type="multiselect" token="tokSystem" searchWhenChanged="true">
<label>Pick one</label>
<fieldForLabel>$filterby_name$</fieldForLabel>
<fieldForValue>$filterby_name$</fieldForValue>
<search>
<query> |makeresults
| eval All="All",
Team="Team1,Team2,Team3,
Name="T1 M1, T1 M2,T1 M3,T2 M1,T2 M2,T2 M3,T3 M1,T3 M2,T3 M3"
| fields $filterby_name$ | makemv $filterby_name$ delim="," | mvexpand $filterby_name$</query>
I am trying to create shift roster as a table based on the results of the multivalued field like below:
It works well when I select only one value for multivalued filed.
ex: if $tokSystem$ is Team1 , search below:
index="roster_fd" sourcetype="roster" | table Date Day "T1 M1","T1 M2","T1 M3" | where like ("$tokSystem$","Team 1")
But not sure how to define search query if there are more than 1 value in the multivalue field:
If $tokSystem$ is Team1 and Team2 , search should return "T1 M1, T1 M2,T1 M3,T2 M1,T2 M2,T2 M3 " members shift roster.
ex: | table Date Day "T1 M1", "T1 M2","T1 M3","T2 M1","T2 M2","T2 M3 "
else if $tokSystem$ is Team2 and Team3, search should return shift roster for "T2 M1,T2 M2,T2 M3 ,T3 M1,T3 M2,T3 M3".
ex: | table Date Day "T2 M1","T2 M2",T2 M3" ,"T3 M1","T3 M2","T3 M3"
else if $tokSystem$ is Team1, Team2 and Team3, search should return shift roster for all team members.
ex: | table Date Day "T1 M1","T1 M2",T1 M3" "T2 M1","T2 M2",T2 M3" ,"T3 M1","T3 M2","T3 M3"
Please advise how to define search query for the above. Thanks in advance.
... View more