No it is not working. city token is from dropdown list. There is no such field "city=" in the log. My simplified query as below:

index=* "Country: $clicked_country$ - CITY: $city$" 
| eval country=if((_raw LIKE "%$clicked_country$%"),"$clicked_country$","0")
| eval city=if((_raw LIKE "%$city$%"),"$city$","0")
| stats values(date_hour) as "Hour" by country city

why do not you extract city and country to make your job easier I see from the events they are in standard format.

| rex field=_raw "Country\:\s(?<country>[^\s]+)\s\-\sCity\:\s(?<city>[^\s]+)" | search city="$city$"

and then use * as a wildcard for ALL.

From your current search query you need to substitute * for the main search and % for the eval statement.

let me know if this helps!

Yes it is working fine now after several tests. Thanks to @mayurr98 and @493669.

hi @493669 and @deepashri,

Both solution not working. There is no "city=" to be matched in the log. the $city$ field is from dropdown list (e.g. All, London, Mancester....etc).

Solution provided by @493669 still returning as "*".

In what scenario you are using $city$ token? if you could share what output you are expecting...

Desired output in table format as explained in:

https://answers.splunk.com/answers/624710/formatting-output-in-table.html

try this:

index=*|  rex field=_raw "Country\:\s(?<country>[^\s]+).*City\:\s(?<city>[^\s]+)"
| search city="$city$" AND country="$clicked_country$"
 | stats values(date_hour) as "Hour" by country city

how are you getting events from the dropdown list? is it coming from lookup? or you are extracting it at search time ?
it would be great if you share sample events and xml for your current dashboard.

city token from dropdown list is extracted using regex to catch the "city" in the log.

Sample log:
Request_A - Country: GERMANY - City: BER