Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to pass multiple values for a field through token in a dashboard?

nasamajh09
New Member
‎04-28-2017 08:59 AM

Ex -

Suppose i want to check results for 10 servers. So in dashboard I should be able to enter 10 values in token

like server1,server2,server3,server4...

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎04-28-2017 09:24 AM

You can (for 6.3 or higher version of splunk) use <eval> in your form input to update the token value to be format which can be used in the search directly.

E.g. Say you want to token value $hosts$ to be used against field host in your search, try like this

<input type="dropdown" token="hosts">
      <label>Enter hosts</label>
      <default>*</default>
  <change>
      <eval token="host_tok">"host=".replace("$hosts$",","," OR host=")</eval>
     </change>
    </input>

You'll be using $host_tok$ in your search e.g. index=foo sourcetype=bar $host_tok$

Other option would be to handle the splitting/formatting in the search itself, like this

index=foo sourcetype=bar [| gentimes start=-1 | eval host="$hosts$" | makemv host delim="," | mvexpand host | table host]
Reply

newill
New Member
‎12-13-2018 07:13 AM

Sorry to dig this up from the past, but I used your advice here and it worked great (specifically the in search version) however, I have a question. My scenario is that I have a dashboard set up to search data based on Userid. We wanted to be able to enter multiple userids into a text box to search. This worked for us, however, say I have 6 users A, B, C, D, E, F and I enter A,B,C in to my search, I get everything for A B and C, but also 1 or two events for D and F, even though I didn't say anything in my query about D or F. Any idea why I'd be getting extra events in my results?

0 Karma
Reply

fpavlovi
Explorer
‎02-27-2018 09:02 PM

Thanks for a great hint about <eval> for token modification, it helped me to modify a token in drilldown to get the first value of multivalue token:

<drilldown>
  <eval token="tok1">mvindex($row.multivalue_field$, 0)</eval>
  <set token="form.INPUT_TOKEN">$tok1$</set>
</drilldown>
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...