Splunk Search

How do I only show results using a token of a multivalue field?

Reidap
New Member

Hi all, I am new to using SPLUNK so please bear with me....

I have created a dashboard to utilise tokens in drop downs. I have a multi value field which I want to only show one value when I use the token. The multi value field is made up of lots of users with a returncode and description.

field name=newuser
user1,10,NewUser|user2,20,existinguser|user3,30,deleteduser.

So I would like for the token to be $user$ which I know how to define, but how do I search the multi value field to only show me the results in the same field as my dropdown?

e.g. If I choose user1 in the drop down then the newuser field changes to show me user1,10,NewUser, if I choose user2 then it only shows me user2,20,existinguser?


niketn
Legend

@Reidap...You should provide your search query with mocked up details for us to help better. We would need to know how you are getting the multi-valued field?

For example if
UserName=User1, User2, User3

UserName="*" in your base search may give you multi-valued field when you try to gather values(UserName)

In case you have a single user selected UserName="User1" in your base search will give single user even when you perform values(UserName).

So in this case you need to Add Static default value to your dropdown for All=* then use UserName="$user$" in your search query. Drop down default value will be All or *.

| makeresults | eval message= "Happy Splunking!!!"

woodcock
Esteemed Legend

I think like this:

... newuser="$user$" | eval newuser=mvfilter(like(newuser,"$user$"))

OR:

... newuser="$user$" | mvexpand newuser | search newuser="$user$"

DalJeanis
SplunkTrust

Missing end parenthesis in the mvfilter version, just like mine.


woodcock
Esteemed Legend

That's what I get for answering without testing. Sloppy indeed; thank you.


DalJeanis
SplunkTrust

Depending on how you are feeding the information, it will be something like this...

| where like(multivaluefield,"$user$")

...or this...

| eval outputfield=mvfilter(match(multivaluefield,"$user$"))
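A worked version of the mvfilter and mvexpand approaches, added here as an illustration and not taken from any answer in the thread. It rebuilds the asker's sample value with makeresults and splits it on the pipe character, so it runs in a plain search with the literal user1 standing in for the $user$ token. The like() pattern "user1,%" anchors the match at the start of each value and requires the comma that follows the user name, so user1 does not also match a hypothetical user10.

```spl
| makeresults
| eval newuser="user1,10,NewUser|user2,20,existinguser|user3,30,deleteduser"
| makemv delim="|" newuser
| eval selected=mvfilter(like(newuser, "user1,%"))
| mvexpand newuser
| search newuser="user1,*"
| table newuser selected
```

Both newuser and selected come back as user1,10,NewUser; drop the mvexpand and search lines if you only want the mvfilter result. In the dashboard, swap the literal for the token and let Splunk quote it, for example like(newuser, $user|s$ . ",%"), rather than pasting a raw dropdown value into the search string. match() would also interpret the value as a regular expression, which is why like() with a fixed pattern is the simpler and safer choice for this data.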

somesoni2
SplunkTrust

My bet is on mvfilter.

You are missing the eval command there and you don't need % in the match command.


DalJeanis
SplunkTrust

Very sloppy this morning. I was also missing an end parenthesis.
