https://community.splunk.com/t5/Splunk-Search/Help-with-search-query-using-multiple-tokens-and-filters/m-p/741353#M240599 <P>I decided to use 2 tokens instead of 3. But how to use token2 (from users dropdown) only if it was chosen?</P><LI-CODE lang="markup"> index=sysmon_wec AND (EventCode=22 OR event_id=22) AND process_name="$procname$" | makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User | where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") | head 100 | table process_name, User, ComputerName, QueryName, QueryResults</LI-CODE><P>&nbsp;</P><P>But add&nbsp; something like this on splunk language :</P><P>&nbsp; | if isnotnull(User) then User="$user$"</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 10 Mar 2025 20:33:48 GMT ekmek4 2025-03-10T20:33:48Z https://community.splunk.com/t5/Splunk-Search/Help-with-search-query-using-multiple-tokens-and-filters/m-p/741170#M240557 <P>HI, im trying to create filter for network connections. But i cannot make work few tokens in the same time.</P><P>I want to create OR expression. In my head its like this:</P><P>1. search should work for if i put process_name in textfield</P><P>2. If process_name select from dropdown along with textfield&nbsp; - search for both processes.&nbsp; (process_name IN ("$token1$","$token2$"))</P><P>3. If First two are not chosen, but User from User dropdown selected =&gt; Filter by User.</P><P>4. If one or two process_name tokens used and User selected - filter by chosen proces_names and then by user.</P><P>I have $procname2$ token for text field and $procname2$ for dropdown of processes.&nbsp;</P><P>Both process_name tokens work if dropdown is selected, then search will use both dropdown token and text token. User token doesn't work at all</P><P>Query for search:</P><LI-CODE lang="markup">index=sysmon_wec AND (EventCode=22 OR event_id=22) AND ((process_name IN ("$procname$", "$procname2$") OR User IN ("$user$")) )| makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User |where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") |dedup process_name|head 100| table process_name,User,ComputerName,QueryName,QueryResults</LI-CODE><P>&nbsp;</P><P>Here is a full code of my dashboard</P><LI-CODE lang="markup">&lt;form version="1.1" theme="light"&gt; &lt;label&gt;Find Network connections(DNS)&lt;/label&gt; &lt;fieldset submitButton="false"&gt; &lt;input type="text" token="procname2"&gt; &lt;label&gt;Enter procname:eg.opera.exe&lt;/label&gt; &lt;default&gt;&lt;/default&gt; &lt;/input&gt; &lt;input type="dropdown" token="procname" searchWhenChanged="true"&gt; &lt;label&gt;Procname&lt;/label&gt; &lt;fieldForLabel&gt;process_name&lt;/fieldForLabel&gt; &lt;fieldForValue&gt;process_name&lt;/fieldForValue&gt; &lt;search&gt; &lt;query&gt;index=sysmon_wec AND (EventCode=22 OR event_id=22) |dedup process_name|head 1000|table process_name&lt;/query&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;/input&gt; &lt;input type="dropdown" token="User" searchWhenChanged="true"&gt; &lt;label&gt;User&lt;/label&gt; &lt;fieldForLabel&gt;User&lt;/fieldForLabel&gt; &lt;fieldForValue&gt;User&lt;/fieldForValue&gt; &lt;search&gt; &lt;query&gt;index=sysmon_wec AND (EventCode=22 OR event_id=22) | makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User |where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") |dedup User|head 1000|table User&lt;/query&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;/input&gt; &lt;/fieldset&gt; &lt;row&gt; &lt;panel&gt; &lt;table&gt; &lt;title&gt;process_name&lt;/title&gt; &lt;search&gt; &lt;query&gt;index=sysmon_wec AND (EventCode=22 OR event_id=22) AND ((process_name IN ("$procname$", "$procname2$") OR User IN ("$user$")) )| makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User |where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") |dedup process_name|head 100| table process_name,User,ComputerName,QueryName,QueryResults&lt;/query&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt;</LI-CODE><P>&nbsp;</P> Fri, 07 Mar 2025 20:41:33 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-search-query-using-multiple-tokens-and-filters/m-p/741170#M240557 ekmek4 2025-03-07T20:41:33Z https://community.splunk.com/t5/Splunk-Search/Help-with-search-query-using-multiple-tokens-and-filters/m-p/741173#M240558 <P>Hi&nbsp;&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/238989">@ekmek4</a>&nbsp;</P><P>To achieve this type of filtering logic in your dashboard, you need to adjust the search query to handle the different combinations of inputs correctly. The main issue is ensuring that the query logic reflects the conditions you described. Here's how you can modify your query to achieve this:</P><OL><LI><STRONG>Check if<SPAN>&nbsp;procname<SPAN>&nbsp;or<SPAN>&nbsp;procname2<SPAN>&nbsp;is set: If either is set, filter by those.</SPAN></SPAN></SPAN></SPAN></STRONG></LI><LI><STRONG>Check if<SPAN>&nbsp;User<SPAN>&nbsp;is set: If<SPAN>&nbsp;User<SPAN>&nbsp;is set and no process names are set, filter by<SPAN>&nbsp;User.</SPAN></SPAN></SPAN></SPAN></SPAN></STRONG></LI><LI><STRONG><STRONG>Combine both conditions: If both process names and<SPAN>&nbsp;User<SPAN>&nbsp;are set, filter by both.</SPAN></SPAN></STRONG></STRONG><P>&nbsp;</P></LI></OL><P>Here's a revised version of your dashboard code with the updated query logic:</P><LI-CODE lang="markup">&lt;form version="1.1" theme="light"&gt; &lt;label&gt;Find Network connections(DNS)&lt;/label&gt; &lt;fieldset submitButton="false"&gt; &lt;input type="text" token="procname2"&gt; &lt;label&gt;Enter procname: eg. opera.exe&lt;/label&gt; &lt;default&gt;&lt;/default&gt; &lt;/input&gt; &lt;input type="dropdown" token="procname" searchWhenChanged="true"&gt; &lt;label&gt;Procname&lt;/label&gt; &lt;fieldForLabel&gt;process_name&lt;/fieldForLabel&gt; &lt;fieldForValue&gt;process_name&lt;/fieldForValue&gt; &lt;search&gt; &lt;query&gt;index=sysmon_wec AND (EventCode=22 OR event_id=22) | dedup process_name | head 1000 | table process_name&lt;/query&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;/input&gt; &lt;input type="dropdown" token="user" searchWhenChanged="true"&gt; &lt;label&gt;User&lt;/label&gt; &lt;fieldForLabel&gt;User&lt;/fieldForLabel&gt; &lt;fieldForValue&gt;User&lt;/fieldForValue&gt; &lt;search&gt; &lt;query&gt;index=sysmon_wec AND (EventCode=22 OR event_id=22) | makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User | where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") | dedup User | head 1000 | table User&lt;/query&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;/input&gt; &lt;/fieldset&gt; &lt;row&gt; &lt;panel&gt; &lt;table&gt; &lt;title&gt;process_name&lt;/title&gt; &lt;search&gt; &lt;query&gt; index=sysmon_wec AND (EventCode=22 OR event_id=22) | eval proc_filter=if(len("$procname$") &gt; 0 OR len("$procname2$") &gt; 0, 1, 0) | eval user_filter=if(len("$user$") &gt; 0, 1, 0) | where (proc_filter=1 AND process_name IN ("$procname$", "$procname2$")) OR (user_filter=1 AND User="$user$") | makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User | where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") | dedup process_name | head 100 | table process_name, User, ComputerName, QueryName, QueryResults &lt;/query&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;/search&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt;</LI-CODE><P>Key Changes:</P><UL><LI><STRONG>proc_filter<SPAN>&nbsp;and<SPAN>&nbsp;user_filter: </SPAN></SPAN></STRONG>These are temporary fields used to determine if the process name or user filters should be applied.</LI><LI><STRONG>where<SPAN>&nbsp;clause: </SPAN></STRONG>The logic now checks if either the process name or user filter should be applied, and applies them accordingly.</LI><LI><STRONG><STRONG>Token Names: </STRONG></STRONG>Ensure that the token names in your query match those defined in your inputs ($procname$,<STRONG><STRONG><SPAN>&nbsp;$procname2$, and<SPAN>&nbsp;$user$).</SPAN></SPAN></STRONG></STRONG><P>This setup should allow you to filter based on the conditions you described. If both process names and user are selected, it will filter by both. If only one is selected, it will filter by that one.</P><P>Please let me know how you get on and consider adding karma to this or any other answer if it has helped.<BR />Regards</P><P>Will</P></LI></UL><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 07 Mar 2025 22:02:24 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-search-query-using-multiple-tokens-and-filters/m-p/741173#M240558 livehybrid 2025-03-07T22:02:24Z https://community.splunk.com/t5/Splunk-Search/Help-with-search-query-using-multiple-tokens-and-filters/m-p/741345#M240597 <P>This looks as working example, but for some reason it doesn't work</P><P>No search when textbox changed or dropdown. Filtering only if im choosing User from dropdown</P> Mon, 10 Mar 2025 17:22:35 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-search-query-using-multiple-tokens-and-filters/m-p/741345#M240597 ekmek4 2025-03-10T17:22:35Z https://community.splunk.com/t5/Splunk-Search/Help-with-search-query-using-multiple-tokens-and-filters/m-p/741353#M240599 <P>I decided to use 2 tokens instead of 3. But how to use token2 (from users dropdown) only if it was chosen?</P><LI-CODE lang="markup"> index=sysmon_wec AND (EventCode=22 OR event_id=22) AND process_name="$procname$" | makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User | where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") | head 100 | table process_name, User, ComputerName, QueryName, QueryResults</LI-CODE><P>&nbsp;</P><P>But add&nbsp; something like this on splunk language :</P><P>&nbsp; | if isnotnull(User) then User="$user$"</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 10 Mar 2025 20:33:48 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-search-query-using-multiple-tokens-and-filters/m-p/741353#M240599 ekmek4 2025-03-10T20:33:48Z https://community.splunk.com/t5/Splunk-Search/Help-with-search-query-using-multiple-tokens-and-filters/m-p/741425#M240619 <P>I found a right way, but i dont know how to reset search for another try.</P><P>&nbsp;</P><LI-CODE lang="markup"> index=sysmon_wec AND (EventCode=22 OR event_id=22) | makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User | where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") | eval proc_filter=if(len("$procname$") &gt; 0 , 1, 0) | eval user_filter=if(len("$user$") &gt; 5, 1, 0) | where (proc_filter=1 AND process_name="$procname$" AND user_filter=0) OR (proc_filter=1 AND process_name="$procname$" AND User="$user$") | head 100 | table process_name, User, ComputerName, QueryName, QueryResults</LI-CODE><P>&nbsp;</P> Tue, 11 Mar 2025 17:33:05 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-search-query-using-multiple-tokens-and-filters/m-p/741425#M240619 ekmek4 2025-03-11T17:33:05Z