Hi @yuanliu 

In my case i need to search in textbox with dynamic values from message field not with predefined values.

@karthi2809 I tend to use a text box where I can insert a where clause, like this

  <row id="button_row">
    <panel>
      <input id="events_where" type="text" token="where_clause" searchWhenChanged="true">
        <label>Event filter where clause</label>
        <default></default>
      </input>
      <event>
        <search>
          <query>
index=_internal host=bla
| where $where_clause$
          </query>
          <earliest>$selection.earliest$</earliest>
          <latest>$selection.latest$</latest>
        </search>
      </event>
    </panel>
  </row>

it gives you flexibility to construct whatever you want, so as long as you know how to write valid SPL queries, you can use whatever eval statements you like, e.g. 

 You can do it with a search clause, but I find more flexibility to use eval based filters.

You can also make your text box nice and wide using the id="xxx" in the <input> and then add this css

  <row depends="$CSS$">
    <panel>
      <html>
        <style>
          #events_where .splunk-textinput { width: 400px !important; }
        </style>
      </html>
    </panel>
  </row>

---

In my case i need to search in textbox with dynamic values from message field not with predefined values.

---

Dynamic doesn't mean it should be free text.  This next example gives you two inputs, one a truly dynamic, multiselect, the other a free text if you absolutely want to go that route.

<form version="1.1">
  <label>Multivalue input</label>
  <description>https://community.splunk.com/t5/Splunk-Search/How-to-filter-events-using-text-box-values/m-p/704698</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="multiselect_tok" searchWhenChanged="true">
      <label>select all applicable</label>
      <choice value="*">All</choice>
      <initialValue>*</initialValue>
      <fieldForLabel>log_level</fieldForLabel>
      <fieldForValue>log_level</fieldForValue>
      <search>
        <query>index = _internal log_level = *
| stats count by log_level</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="multivalue_text_tok" searchWhenChanged="true">
      <label>enter comma separated</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>Using &gt;$multiselect_tok$&lt;</title>
        <search>
          <query>index = _internal log_level IN ($multiselect_tok$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
    <panel>
      <event>
        <title>Using &gt;$multivalue_text_tok$&lt;</title>
        <search>
          <query>index = _internal
    [| makeresults
    | fields - _time
    | eval log_level = upper(trim(split("$multivalue_text_tok$", ",")))]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

The problem with free text is that people make far more mistakes than machines do.  My code tries to cope with that as much as possible.  But unless you have a use case that uses free text in a meaningful way, forget comma delimited input.

@gcusello If i want to search multiple keywords using comma seperate in the same text field.

I am using multiple filter in that Error search is one of the filter in which i need to type the values or multiple values with comma and i need to filter the result