You can (for 6.3 or higher version of splunk) use
<eval> in your form input to update the token value to be format which can be used in the search directly.
E.g. Say you want to token value $hosts$ to be used against field host in your search, try like this
<input type="dropdown" token="hosts"> <label>Enter hosts</label> <default>*</default> <change> <eval token="host_tok">"host=".replace("$hosts$",","," OR host=")</eval> </change> </input>
You'll be using $hosttok$ in your search e.g. `index=foo sourcetype=bar $hosttok$`
Other option would be to handle the splitting/formatting in the search itself, like this
index=foo sourcetype=bar [| gentimes start=-1 | eval host="$hosts$" | makemv host delim="," | mvexpand host | table host]
Thanks for a great hint about
<eval> for token modification, it helped me to modify a token in drilldown to get the first value of multivalue token:
<drilldown> <eval token="tok1">mvindex($row.multivalue_field$, 0)</eval> <set token="form.INPUT_TOKEN">$tok1$</set> </drilldown>
Sorry to dig this up from the past, but I used your advice here and it worked great (specifically the in search version) however, I have a question. My scenario is that I have a dashboard set up to search data based on Userid. We wanted to be able to enter multiple userids into a text box to search. This worked for us, however, say I have 6 users A, B, C, D, E, F and I enter A,B,C in to my search, I get everything for A B and C, but also 1 or two events for D and F, even though I didn't say anything in my query about D or F. Any idea why I'd be getting extra events in my results?