Hi all, I am new to using Splunk so please bear with me...
I have created a dashboard to utilise tokens in drop downs. I have a multi value field which I want to only show one value when I use the token. The multi value field is made up of lots of users with a returncode and description.
field name=newuser
user1,10,NewUser|user2,20,existinguser|user3,30,deleteduser.
So I would like the token to be $user$, which I know how to define, but how do I search the multi value field to only show me the results in the same field as my dropdown?
e.g. If I choose user1 in the drop down then the newuser field changes to show me user1,10,NewUser, if I choose user2 then it only shows me user2,20,existinguser?
@Reidap... You should provide your search query with mocked up details for us to help better. We would need to know how you are getting the multi-valued field?
For example if
UserName=User1, User2, User3
UserName="*" in your base search may give you multi-valued field when you try to gather values(UserName)
In case you have a single user selected UserName="User1" in your base search will give single user even when you perform values(UserName).
So in this case you need to Add Static default value to your dropdown for All=* then use UserName="$user$" in your search query. Drop down default value will be All or *.
I think like this:
... newuser="$user$" | eval newuser=mvfilter(like(newuser,"$user$"))
OR:
... newuser="$user$" | mvexpand newuser | search newuser="$user$"
Missing end parenthesis in the mvfilter version, just like mine.
That's what I get for answering without testing. Sloppy indeed; thank you.
Depending on how you are feeding the information, it will be something like this...
| where like($user$,multivaluefield)
...or this...
| eval outputfield=mvfilter(match(multivaluefield,"$user$"))
My bet is on mvfilter.
You are missing the eval command there and you don't need % in the match command.
Very sloppy this morning. I was also missing an end parenthesis.
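A run-anywhere version of the mvfilter approach discussed in this thread, added here as an example and not posted by any of the participants. It assumes the values are "|"-delimited as in the question, adds a hypothetical user10 entry to the sample, and shows that match() is a regular-expression test, so an unanchored pattern for user1 also keeps user10. In the dashboard, the literal user1 would be replaced by the token, as in "^$user$,".

```spl
| makeresults
| eval note="constructed sample: the three values from the question plus a hypothetical user10 entry"
| eval newuser=split("user1,10,NewUser|user2,20,existinguser|user3,30,deleteduser|user10,40,NewUser", "|")
| eval unanchored=mvfilter(match(newuser, "user1"))
| eval anchored=mvfilter(match(newuser, "^user1,"))
| table note newuser unanchored anchored
```

mvfilter can reference only one field in its expression, which is why the selected user has to arrive as a token substituted into the search string and not as a second field.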