https://community.splunk.com/t5/Getting-Data-In/Filtering-search-results-with-mvfilter/m-p/459122#M79304 <P>I'm creating a dashboard that displays events relating to servers ("host" field in the search). I want to allow the user to specify the hosts to include via a checkbox dashboard input, however I cannot get this to work.</P> <P>To simplify the development process, I've mocked up the input into a search as so:</P> <P><CODE>eventtype=SomeEventType | eval servers="serverName01;serverName02;serverName03" | makemv delim=";" servers | search mvfilter(host,servers)</CODE></P> <P>(In the dashboard I obviously don't need to "eval servers=" and the "servers" is referenced $servers$, again I only changed this so I could play around with it in the raw search app)</P> <P>...With my understanding is that it should filter the search results based on those that return "true." The search doesn't error out, but I get no results. However, with the search instead as simply:</P> <P><CODE>eventtype=SomeEventType host="serverName01"</CODE></P> <P>I <EM>do</EM> get results back.</P> <P>How do I filter the results, correctly?</P> Tue, 14 May 2019 21:53:18 GMT CaninChristellC 2019-05-14T21:53:18Z https://community.splunk.com/t5/Getting-Data-In/Filtering-search-results-with-mvfilter/m-p/459122#M79304 <P>I'm creating a dashboard that displays events relating to servers ("host" field in the search). I want to allow the user to specify the hosts to include via a checkbox dashboard input, however I cannot get this to work.</P> <P>To simplify the development process, I've mocked up the input into a search as so:</P> <P><CODE>eventtype=SomeEventType | eval servers="serverName01;serverName02;serverName03" | makemv delim=";" servers | search mvfilter(host,servers)</CODE></P> <P>(In the dashboard I obviously don't need to "eval servers=" and the "servers" is referenced $servers$, again I only changed this so I could play around with it in the raw search app)</P> <P>...With my understanding is that it should filter the search results based on those that return "true." The search doesn't error out, but I get no results. However, with the search instead as simply:</P> <P><CODE>eventtype=SomeEventType host="serverName01"</CODE></P> <P>I <EM>do</EM> get results back.</P> <P>How do I filter the results, correctly?</P> Tue, 14 May 2019 21:53:18 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-search-results-with-mvfilter/m-p/459122#M79304 CaninChristellC 2019-05-14T21:53:18Z https://community.splunk.com/t5/Getting-Data-In/Filtering-search-results-with-mvfilter/m-p/459123#M79305 <P>Hi,</P> <P>You are not even using the mvfilter function, you are searching for it as a string.</P> <P>What is the goal, do you want to filter for events that have the host in the list of servers, or do you want to change the servers list somehow?</P> <P>If it is the former question, then you could use the mvfind command, eg:</P> <PRE><CODE>| makeresults | eval host="serverName02", servers="serverName01;serverName02;serverName03" | makemv delim=";" servers | where isnotnull(mvfind(servers,host)) </CODE></PRE> <P>Is that what you were looking for?</P> <P>Hth,<BR /> Kai.</P> Wed, 15 May 2019 07:15:55 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-search-results-with-mvfilter/m-p/459123#M79305 knielsen 2019-05-15T07:15:55Z