Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to display results for several users using a m...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunkers,
I'm trying to display the results for several users using a multi-select dropdown on a dashboard. The results for one user will display correctly. When I add a second, third, fourth, etc user, I get no results found.
Here is the SPL for the panel:
index=trn5 source="*trn5/logs/system/access.log" NOT user="SYSUSER" NOT user="-" NOT user="USER01" NOT user="USER03" NOT user="USER04" NOT user="user10" NOT user="user11" NOT user="b12663"
| lookup cis_users.csv userid AS user
| search username="$input_user2$"
| eval day=strftime(_time, "%B %d %Y")
| eventstats range(_time) AS duration BY username day
| stats values(duration) as duration by username day
| eval duration=tostring(duration, "duration")
| rename username as User, day as Date, duration as "Time in Portal"
SPL for the dropdown:
index=trn5
| lookup cis_users.csv userid AS user
| fields username
| table username
| dedup username
| sort 0 username
Field for Label: username
Field for Value: username
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi matthew.foos,
how do you configured multi select dropdown? did you remember to put " OR " (with spaces)
in other word in the multiselect you need
<valuePrefix>username="</valuePrefix>
<delimiter> OR </delimiter>
<default>*</default>
<valueSuffix>"</valueSuffix>
then in the search you have to insert
| search $input_user2$
in this way you can manage the multi selection otherwise you can use only one value.
One additional information: use OUTPUT in lookup command
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi matthew.foos,
how do you configured multi select dropdown? did you remember to put " OR " (with spaces)
in other word in the multiselect you need
<valuePrefix>username="</valuePrefix>
<delimiter> OR </delimiter>
<default>*</default>
<valueSuffix>"</valueSuffix>
then in the search you have to insert
| search $input_user2$
in this way you can manage the multi selection otherwise you can use only one value.
One additional information: use OUTPUT in lookup command
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nailed it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you share the XML for your dropdown?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<input type="multiselect" token="input_user2" searchWhenChanged="true">
<label>Select a User(s):</label>
<fieldForLabel>username</fieldForLabel>
<fieldForValue>username</fieldForValue>
<search>
<query>index=trn5
| lookup cis_users.csv userid AS user
| fields username
| table username
| dedup username
| sort 0 username
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like you're missing the OR setup. @cusello mentioned it below
Splunk Observability for AI
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability as Code: From Zero to Dashboard
