I see an interesting Simple XML idiom below:
<input type="multiselect" token="multiselect_lines" searchWhenChanged="true">
<label>Lines</label>
<choice value="ACEKLMRSWY">All lines</choice>
<choice value="A">A Line</choice>
<choice value="C">C Line</choice>
<choice value="E">E Line</choice>
<choice value="K">K Line</choice>
<choice value="L">L Line</choice>
<choice value="M">M Line</choice>
<choice value="R">R Line</choice>
<choice value="S">S Line</choice>
<choice value="W">W Line</choice>
<choice value="Y">Y Line</choice>
<default>ACEKLMRSWY</default>
<prefix>regex Location="^[</prefix>
<suffix>]"</suffix>
<change>
<eval token="form.multiselect_lines">
case(
mvcount('form.multiselect_lines') == 2 AND mvindex('form.multiselect_lines', 0) == "ACEKLMRSWY", mvindex('form.multiselect_lines', 1),
mvfind('form.multiselect_lines', "ACEKLMRSWY") == mvcount('form.multiselect_lines') - 1, "ACEKLMRSWY",
true(), 'form.multiselect_lines')</eval>
</change>
</input>
It seems updating the appearance of the multiselect field "multiselect_lines" so whenever the selections in the multiselect change, "form.multiselect_lines" will be updated accordingly. I guess that it is supposed to solve the deficiency of multiselect in Splunk that the option of "All" does not disappear automatically when a subset is selected, or when there is no more subset selected, "All" as default does not come back automatically.
The above is my trying to understand to achieve the functionality. It works as hypothesized in a dashboard that I'm studying, but when I copied the mechanism to my dashboard, it has no effect in the behavior.
So I under what the token with the pattern of form.<multiselect_input_token>, and what does it take to have the above mechanism work in auto removing and adding "All" in appearance?
I know that there is a javascript solution by modifying the list of multiselect options on the fly through Javascript. But I don't have the admin privilege to add the javascript for my dashboard. So a solution without requiring admin privilege is handy.
