topic Re: How do I only show results using a token of a multivalue field? in Splunk Search

How do I only show results using a token of a multivalue field?

Reidap — Fri, 24 Mar 2017 12:23:28 GMT

Hi all, I am new to using SPLUNK so please bare with me....

I have created a dashboard to utilise tokens in drop downs. I have a multi value field which I want to only show one value when I use the token. The multi value field is made up of lots of users with an returncode and description.

field name=newuser
user1,10,NewUser|user2,20,existinguser|user3,30,deleteduser.

So I would like for token to be $user$ which I know how to define, but how do I search the multi value field to only show me the results in the same field as my dropdown.

e.g. If I choose user1 in the drop down then the newuser field changes to show me user1,10,NewUser, if I choose user2 then it only shows me user2,20,existinguser?

Re: How do I only show results using a token of a multivalue field?

DalJeanis — Fri, 24 Mar 2017 13:07:45 GMT

Depending on how you are feeding the information, it will be something like this...

| where like($user$,multivaluefield)

...or this...

| eval outputfield=mvfilter(match(multivaluefield,"$user$"))

Re: How do I only show results using a token of a multivalue field?

woodcock — Fri, 24 Mar 2017 14:42:33 GMT

I think like this:

... newuser="$user$" | eval newuser=mvfilter(like(newuser,"$user$"))

OR:

... newuser="$user$" | mvexpand newuser | search newuser="$user$"

Re: How do I only show results using a token of a multivalue field?

somesoni2 — Fri, 24 Mar 2017 14:47:54 GMT

My bet is on mvfilter.

You are missing the eval command there and you don't need % in the match command.

Re: How do I only show results using a token of a multivalue field?

DalJeanis — Fri, 24 Mar 2017 15:32:27 GMT

Very sloppy this morning. I was also missing an end parenthesis.

Re: How do I only show results using a token of a multivalue field?

DalJeanis — Fri, 24 Mar 2017 15:34:02 GMT

Missing end parenthesis in the mvfilter version, just like mine.

Re: How do I only show results using a token of a multivalue field?

woodcock — Fri, 24 Mar 2017 18:39:26 GMT

That's what I get for answering without testing. Sloppy indeed; thank you.

Re: How do I only show results using a token of a multivalue field?

niketn — Fri, 24 Mar 2017 18:50:13 GMT

@Reidap...You should provide you search query with mocked up details for us to help better. We would need to know how you are getting the multi-valued field?

For example if
UserName=User1, User2, User3

UserName="*" in your base search may give you multi-valued field when you try to gather values(UserName)

In case you have a single user selected UserName="User1" in your base search will give single user even when you perform values(UserName).

So in this case you need to Add Static default value to your dropdown for All=* then use UserName="$user$" in your search query. Drop down default value will be All or *.