Splunk Search

How do I only show results using a token of a multivalue field?

New Member

Hi all, I am new to using Splunk so please bear with me....

I have created a dashboard to utilise tokens in drop-downs. I have a multivalue field for which I want to show only one value when I use the token. The multivalue field is made up of lots of users with a return code and description.

field name=newuser
user1,10,NewUser|user2,20,existinguser|user3,30,deleteduser.

So I would like the token to be $user$, which I know how to define, but how do I search the multivalue field to show only the results in the same field as my drop-down?

e.g. if I choose user1 in the drop-down then the newuser field changes to show me user1,10,NewUser; if I choose user2 then it only shows me user2,20,existinguser?


SplunkTrust

@Reidap... You should provide your search query with mocked-up details for us to help better. We would need to know how you are getting the multi-valued field.

For example if
UserName=User1, User2, User3

UserName="*" in your base search may give you a multi-valued field when you try to gather values(UserName).

In case you have a single user selected, UserName="User1" in your base search will give a single user even when you perform values(UserName).

So in this case you need to add a static default value to your drop-down for All=*, then use UserName="$user$" in your search query. The drop-down default value will be All or *.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Esteemed Legend

I think like this:

... newuser="$user$" | eval newuser=mvfilter(like(newuser,"$user$"))

OR:

... newuser="$user$" | mvexpand newuser | search newuser="$user$"

SplunkTrust

Missing end parenthesis in the mvfilter version, just like mine.


Esteemed Legend

That's what I get for answering without testing. Sloppy indeed; thank you.


SplunkTrust

Depending on how you are feeding the information, it will be something like this...

| where like(multivaluefield,"$user$")

...or this...

| eval outputfield=mvfilter(match(multivaluefield,"$user$"))

SplunkTrust

My bet is on mvfilter.

You are missing the eval command there and you don't need % in the match command.


SplunkTrust

Very sloppy this morning. I was also missing an end parenthesis.

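Putting the two suggestions together (the static All=* default from the first answer and the mvfilter/match filtering from the later ones) in one self-contained Simple XML dashboard. This is an added example, not code from any of the posters; the multivalue field is constructed inline with makeresults and split so it runs without any indexed data, and the input/token names (user, user_re) and the choice list are assumptions for illustration. Because the token is substituted as literal text before the search runs, the "All" choice is handled with a change block that sets a second token holding the regex, so that mvfilter(match(...)) only ever references the one field it is allowed to reference.

```xml
<form>
  <label>Filter a multivalue field with a dropdown token (added example)</label>
  <fieldset submitButton="false">
    <!-- The dropdown sets $user$; the change block derives $user_re$,
         the regex that mvfilter/match will actually use. -->
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <choice value="*">All</choice>
      <choice value="user1">user1</choice>
      <choice value="user2">user2</choice>
      <choice value="user3">user3</choice>
      <default>*</default>
      <change>
        <!-- "All" keeps every value: any single character matches. -->
        <condition value="*">
          <set token="user_re">.</set>
        </condition>
        <!-- A specific user: anchor on "user2," so user2 does not
             also match a hypothetical user20. -->
        <condition>
          <set token="user_re">^$value$,</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Constructed sample data standing in for the real base search:
               one event whose newuser field is the same "|"-separated
               multivalue field described in the question. -->
          <query>| makeresults
| eval newuser="user1,10,NewUser|user2,20,existinguser|user3,30,deleteduser"
| eval newuser=split(newuser, "|")
| eval selected=mvfilter(match(newuser, "$user_re$"))
| table newuser selected</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With user2 chosen, the search that actually runs contains `mvfilter(match(newuser, "^user2,"))`, so the selected column shows only `user2,20,existinguser` while newuser still shows all three values; with All chosen the regex is `.` and selected equals newuser. The same query can be turned into the mvexpand form from the other answer (`| mvexpand newuser | search newuser="$user$*"`) when one row per matching value is wanted instead of a filtered multivalue cell.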