I have a function to search IPs by a UID.
There is an input column that shows all the IPs being used by that UID. I will choose those IPs to continue the next search.
The data for the IP input comes from a search string.
My question is: how can I add a "select all" button to that input box, so that I can select all of the related IPs and continue the next search at once?
Thanks
Goh
It's kind of hard to follow your scenario. But in general, we usually handle that with a static "All" option with a value of *. So if a user chooses All from the list, then the token equals *. And so when you use that token later, it should match everything.
Hi, if I set the token equal to *, it will search and display all IPs regardless of UID, which is not what I want.
My case is: I search by entering a UID, like "abc123", and it then searches the past 1 month for the IPs that match "abc123". Let's say there are 3 IPs.
So in my "IP search" column in the dashboard, 3 options will appear for me to choose from.
- As of now, I can only choose them 1 by 1 to add to the multi-selection column.
- I wish to have an "all" button that equals all 3 of those IPs in my multi-selection column.
Ok, I think I understand now. I'm not sure if there is a way to inherently allow users to select all of the items in a multi-select dropdown (that would be nice). I can poke around the docs though to check further.
You may be able to update the search that populates the IP multi-select to also return an "All" field with the relevant values for all of the IPs that were returned. But then you'd have to make sure that the way you use the token suffix/prefix settings still makes sense.
If you'd like, I think you can edit your question and include the dashboard source itself (in a code block). It might give me or others here a better idea of how it might work?
How do I write the command for "populates the IP multi-select to also return an "All" field with the relevant values"?
Sorry, I am a total newbie to Splunk.
It's kind of hard to give you advice without actually knowing how you will ultimately use the data. With a multi-value dropdown, you need to build your token correctly so that it makes sense when you substitute in your search.
As an example, let's say I wanted to do something similar for a list of sourcetypes associated with the wineventlog index. So ultimately in my search, I want my token to be sourcetype="somesourcetype". Or in the case of the all option, it should be (sourcetype="something" OR sourcetype="something:else" OR ...)
So I create one search for the list of sourcetypes, modify the field that will be the value of the token and create another field that will be the label in the dropdown.
I then append to that search a search that will do a similar thing, but will combine all of the sourcetypes into one field, format it the way I need it and then give it a label of "All".
So for this example, this would be the search that populates the dropdown. The sourcetype field would be used for the value and the label field would be used for the label:
| tstats count where index=wineventlog by sourcetype
| fields - count
| rex field=sourcetype "WinEventLog:(?<label>.+)"
| eval sourcetype = "sourcetype=".sourcetype
| append
[
| tstats count where index=wineventlog by sourcetype
| fields - count | eval sourcetype = "sourcetype=".sourcetype." OR"
| mvcombine sourcetype
| makemv sourcetype delim="\n"
| eval sourcetype = "(".trim(sourcetype," OR").")" | eval label="All"
]
So the results look like this (sorry for the formatting)
sourcetype                                                                                                    label
sourcetype=WinEventLog:Application                                                                            Application
sourcetype=WinEventLog:Security                                                                               Security
sourcetype=WinEventLog:System                                                                                 System
(sourcetype=WinEventLog:Application OR sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:System)      All
I have tried, but it doesn't seem to work for me. I am not sure if I am doing something wrong.
Here is my current search for IP addresses by UID; all the results are shown in the multi-select box.
<search id="F_IP_List_MAINSearch">
<query>index="sdi_login" [ search index=sdi_normal | head 1 | eval UID="$sdi_UID_TEXTInput$" | eval UID=split(UID," ") | table UID ]
| where isnotnull(F_IP)
| where isnotnull(Country)
| stats count by F_IP
| sort F_IP</query>
</search>
Can nobody help? How can I solve it?
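
The "All" row technique from the sourcetype answer above, applied to the F_IP search posted in this thread. This is an added example, not code from any of the posts; the token name ip_filter and the input label are assumptions, while the index, field and UID token names are taken from the posted search.

```xml
<!-- Added example. Assumed names: token "ip_filter", label "IP search". -->
<input type="multiselect" token="ip_filter" searchWhenChanged="true">
  <label>IP search</label>
  <search>
    <query>index="sdi_login" [ search index=sdi_normal | head 1 | eval UID="$sdi_UID_TEXTInput$" | eval UID=split(UID," ") | table UID ]
| where isnotnull(F_IP)
| where isnotnull(Country)
| stats count by F_IP
| sort F_IP
| eval label=F_IP, value="F_IP=\"".F_IP."\""
| appendpipe
    [ stats values(F_IP) as F_IP
    | where isnotnull(F_IP)
    | eval label="All", value="(F_IP=\"".mvjoin(F_IP, "\" OR F_IP=\"")."\")" ]
| fields label value</query>
  </search>
  <!-- Each row's "value" is already a complete, quoted search term,
       so no valuePrefix or valueSuffix is needed. -->
  <fieldForLabel>label</fieldForLabel>
  <fieldForValue>value</fieldForValue>
  <!-- Selected values are joined as (term OR term ...). Picking "All"
       together with single IPs still expands to valid search syntax. -->
  <prefix>(</prefix>
  <suffix>)</suffix>
  <delimiter> OR </delimiter>
</input>
```

The next search then uses the token directly, for example index="sdi_login" $ip_filter$. Because the "All" value is built only from the IPs returned for the entered UID, it never widens the search to IPs of other UIDs the way a * value does.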