How do I only show results using a token of a multivalue field?

New Member

Hi all, I am new to using SPLUNK so please bear with me....

I have created a dashboard to utilise tokens in drop downs. I have a multi value field which I want to only show one value when I use the token. The multi value field is made up of lots of users with a returncode and description.

field name=newuser
user1,10,NewUser|user2,20,existinguser|user3,30,deleteduser.

So I would like for the token to be $user$ which I know how to define, but how do I search the multi value field to only show me the results in the same field as my dropdown?

e.g. If I choose user1 in the drop down then the newuser field changes to show me user1,10,NewUser, if I choose user2 then it only shows me user2,20,existinguser?

0 Karma

Re: How do I only show results using a token of a multivalue field?

SplunkTrust

Depending on how you are feeding the information, it will be something like this...

| where like(multivaluefield,"%$user$%")

...or this...

| eval outputfield=mvfilter(match(multivaluefield,"$user$"))

Re: How do I only show results using a token of a multivalue field?

SplunkTrust

My bet is on mvfilter.

You are missing the eval command there and you don't need % in the match command.

0 Karma

Re: How do I only show results using a token of a multivalue field?

SplunkTrust

Very sloppy this morning. I was also missing an end parenthesis.

0 Karma

Re: How do I only show results using a token of a multivalue field?

Esteemed Legend

I think like this:

... newuser="$user$,*" | eval newuser=mvfilter(like(newuser,"$user$,%"))

OR:

... newuser="$user$,*" | mvexpand newuser | search newuser="$user$,*"
0 Karma

Re: How do I only show results using a token of a multivalue field?

SplunkTrust

Missing end parenthesis in the mvfilter version, just like mine.

0 Karma

Re: How do I only show results using a token of a multivalue field?

Esteemed Legend

That's what I get for answering without testing. Sloppy indeed; thank you.

0 Karma

Re: How do I only show results using a token of a multivalue field?

Legend

@Reidap... You should provide your search query with mocked up details for us to help better. We would need to know how you are getting the multi-valued field.

For example if
UserName=User1, User2, User3

UserName="*" in your base search may give you multi-valued field when you try to gather values(UserName)

In case you have a single user selected UserName="User1" in your base search will give single user even when you perform values(UserName).

So in this case you need to add a static default value to your dropdown for All=* then use UserName="$user$" in your search query. Drop down default value will be All or *.




| eval message="Happy Splunking!!!"


0 Karma
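A run-anywhere version of the filtering discussed in this thread, added as an example and not taken from any poster. It assumes the raw value is the pipe-delimited string from the question (built here as constructed sample data, with a user10 entry added to show that user1 does not also match user10) and that the dropdown token is named user. It compares the user name exactly instead of by pattern, and uses the `|s` token filter so the dashboard substitutes the selection as a quoted string literal.

```spl
| makeresults
| eval constructed_sample="user1,10,NewUser|user2,20,existinguser|user3,30,deleteduser|user10,40,NewUser"
| eval newuser=split(constructed_sample,"|")
| mvexpand newuser
| eval parts=split(newuser,",")
| eval username=mvindex(parts,0), returncode=mvindex(parts,1), description=mvindex(parts,2)
| where username=$user|s$
| table newuser username returncode description
```

With user1 selected this returns only the row user1,10,NewUser. Outside a dashboard, replace `$user|s$` with a quoted literal such as "user1" to test the search.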