Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I only show results using a token of a multivalue field?

Reidap
New Member
‎03-24-2017 05:23 AM

Hi all, I am new to using SPLUNK so please bare with me....

I have created a dashboard to utilise tokens in drop downs. I have a multi value field which I want to only show one value when I use the token. The multi value field is made up of lots of users with an returncode and description.

field name=newuser
user1,10,NewUser|user2,20,existinguser|user3,30,deleteduser.

So I would like for token to be $user$ which I know how to define, but how do I search the multi value field to only show me the results in the same field as my dropdown.

e.g. If I choose user1 in the drop down then the newuser field changes to show me user1,10,NewUser, if I choose user2 then it only shows me user2,20,existinguser?

Tags (2)
0 Karma
Reply

niketn
Legend
‎03-24-2017 11:50 AM

@Reidap...You should provide you search query with mocked up details for us to help better. We would need to know how you are getting the multi-valued field?

For example if
UserName=User1, User2, User3

UserName="*" in your base search may give you multi-valued field when you try to gather values(UserName)

In case you have a single user selected UserName="User1" in your base search will give single user even when you perform values(UserName).

So in this case you need to Add Static default value to your dropdown for All=* then use UserName="$user$" in your search query. Drop down default value will be All or *.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

woodcock
Esteemed Legend
‎03-24-2017 07:42 AM

I think like this:

... newuser="$user$" | eval newuser=mvfilter(like(newuser,"$user$"))

OR:

... newuser="$user$" | mvexpand newuser | search newuser="$user$"
0 Karma
Reply

DalJeanis
Legend
‎03-24-2017 08:34 AM

Missing end parenthesis in the mvfilter version, just like mine.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-24-2017 11:39 AM

That's what I get for answering without testing. Sloppy indeed; thank you.

0 Karma
Reply

DalJeanis
Legend
‎03-24-2017 06:07 AM

Depending on how you are feeding the information, it will be something like this...

| where like($user$,multivaluefield)

...or this... 

| eval outputfield=mvfilter(match(multivaluefield,"$user$"))
Reply

somesoni2
Revered Legend
‎03-24-2017 07:47 AM

My bet is on mvfilter.

You are missing the eval command there and you don't need % in the match command.

0 Karma
Reply

DalJeanis
Legend
‎03-24-2017 08:32 AM

Very sloppy this morning. I was also missing an end parenthesis.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...