How to pass multiple values for a field through token in a dashboard?

nasamajh09
New Member

Ex -

Suppose I want to check results for 10 servers. So in the dashboard I should be able to enter 10 values in the token

like server1,server2,server3,server4...


somesoni2
SplunkTrust

You can (for version 6.3 or higher of Splunk) use <eval> in your form input to update the token value to a format which can be used in the search directly.

E.g. say you want the token value $hosts$ to be used against the field host in your search; try it like this:

<input type="dropdown" token="hosts">
  <label>Enter hosts</label>
  <default>*</default>
  <change>
    <eval token="host_tok">"host=".replace("$hosts$",","," OR host=")</eval>
  </change>
</input>

You'll be using $host_tok$ in your search e.g. index=foo sourcetype=bar $host_tok$

Another option would be to handle the splitting/formatting in the search itself, like this:

index=foo sourcetype=bar [| gentimes start=-1 | eval host="$hosts$" | makemv host delim="," | mvexpand host | table host]
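
A variant of the in-search approach above, as an added example that is not part of the original answer: the token is passed with the `|s` token filter so the typed text reaches the search only as one quoted string, and each value is trimmed and checked before it becomes a `host=` term. The text input, the use of `makeresults` in place of `gentimes`, the allowed character set and the time range are assumptions made for this example.

```xml
<form>
  <label>Multi-host search (added example)</label>
  <fieldset submitButton="true">
    <!-- Free-text input: the user types server1,server2,server3 -->
    <input type="text" token="hosts">
      <label>Enter hosts (comma-separated)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- $hosts|s$ inserts the token as one quoted, escaped string
               literal, so the typed text is only ever an argument to split().
               trim() drops spaces typed after commas. The where clause keeps
               only non-empty values made of word characters, dot, dash and *
               (an assumed hostname character set; adjust to your naming). -->
          <query>
index=foo sourcetype=bar
    [| makeresults
     | eval host=split($hosts|s$, ",")
     | mvexpand host
     | eval host=trim(host)
     | where host!="" AND NOT match(host, "[^\w.*-]")
     | table host]
          </query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The subsearch returns one row per host, which Splunk expands into `(host="server1") OR (host="server2") ...` in the outer search.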

newill
New Member

Sorry to dig this up from the past, but I used your advice here and it worked great (specifically the in-search version). However, I have a question. My scenario is that I have a dashboard set up to search data based on Userid. We wanted to be able to enter multiple userids into a text box to search. This worked for us; however, say I have 6 users A, B, C, D, E, F and I enter A,B,C into my search, I get everything for A, B and C, but also 1 or two events for D and F, even though I didn't say anything in my query about D or F. Any idea why I'd be getting extra events in my results?


fpavlovi
Explorer

Thanks for a great hint about <eval> for token modification, it helped me to modify a token in drilldown to get the first value of multivalue token:

<drilldown>
  <eval token="tok1">mvindex($row.multivalue_field$, 0)</eval>
  <set token="form.INPUT_TOKEN">$tok1$</set>
</drilldown>