The token setting is done as part of the base search <done> clause and the $result.search$ means that the token is set based on the value of the field called 'search' in the first row of the results.
In my example that comes from the base search running the 'format' command to create a field with the constructed search statement.
I have updated it now to show a working solution using the extra dependent search. Please try this dashboard, create yourself a lookup file calls ips2.csv with a single field called Src_ip in with some random IP addresses in it and try it out.
<form>
<label>IP Inputs</label>
<search id="base">
<query>
| inputlookup ips2.csv
| table Src_ip
</query>
</search>
<search id="base_fmt" base="base">
<query>
| format
</query>
<done>
<set token="all_ips">$result.search$</set>
</done>
</search>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<input type="multiselect" token="ips">
<label>IPs</label>
<fieldForLabel>Src_ip</fieldForLabel>
<fieldForValue>Src_ip</fieldForValue>
<search base="base">
<query>
</query>
</search>
<valuePrefix>Src_ip="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<choice value="__">ALL</choice>
</input>
<table>
<search>
<query>
| inputlookup ips2.csv
| search $search_token$
</query>
</search>
</table>
<html>
<h2>Command is | search $search_token$</h2>
<h2>All Choice is $all_ips$</h2>
<h2>Final Search Token is $search_token$</h2>
</html>
<table>
<search>
<done>
<set token="search_token">$result.search_token$</set>
</done>
<query>| makeresults
| eval search_token=if(match($ips|s$,"__"), $all_ips|s$, $ips|s$)
| table search_token</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
I try to explain what's going on here.
1. The search with id="base" is the core search you want to perform. This will run when the dashboard loads, if any tokens it uses are present. In your case, it will run when the other tokens you're using, e.g. $cluster$ become set.
2. The search with id="base_fmt" is the search that is going to create the final search string to use, which will be the host=a or host=b etc. This creates a field called search and a new token called all_ips is set containing that value.
3. In your <input> the ALL value is set to __ and NOT the token all_ips as that does not seem to work.
4. In the first <table> of that row, it creates the result of the query that will show the data you want. Note that it uses the token $search_token$, which you can see is set in the last table. (See 6)
5. The <html> section is just showing you the current value of various settings
- the search command string that is run to find your data
- all_ips - the token set in the base_fmt base search
- search_token - the new token set from (6) below
6. This last <table> is the search that translates your input selection to the search string. It simply looks at the current value if the ips token from your input and IF it contains the __ value, you know the user has selected 'All', in which case, you just want to use the search string created in base_fmt search. If not, it just uses the chosen ips token value.
I hope this helps - I recommend creating the ips2.csv file and playing with this to understand it. If you didn't know, any element inside a dashboard can be hidden like this
<table depends="$non_existent_token$>
and it will not be show. You can hide these types of search from display. Alternatively you can put them as searches outside the <row> settings, but I sometimes find it useful to 'enable' these types of search so I can see their actions, just be setting the token the depend on.
