i have this dropdown which produces correct results:
<input type="dropdown" token="tUser" searchWhenChanged="true">
<label>User Name</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>numUsername</fieldForLabel>
<fieldForValue>username</fieldForValue>
<search>
<query>index=tvlog
| stats count AS "Quantity" by username
| strcat username " (" Quantity ")" numUsername
</query>
<earliest>$tokEarliestTime$</earliest>
<latest>$tokLatestTime$</latest>
</search>
</input>
there's, among other's, one user named "Support Sul" and an additional user named "Support SuL 2". both show up in the dropdown with the correct number of connections (Quantity).
BUT when i select "Support SuL" from the dropdown, the resulting table contains both users.
even worse: when i select "Support SuL 2", i get all "Support SuL 2" users and some "Support SuL" users.
this is the table:
<table>
<search>
<query>index=tvlog $tUser$
| table start_date, end_date, duration, username, devicename
| sort start_date desc
| rename start_date as "Start Date"
| rename end_date as "End Date"
| rename username as "User Name"
| rename devicename as "Device Name"
</query>
<earliest>$tokEarliestTime$</earliest>
<latest>$tokLatestTime$</latest>
</search>
<option name="count">20</option>
<option name="drilldown">none</option>
</table>
the source file is a simple utf-8 encoded csv.
what's wrong here?
Try something like this
index=tvlog TERM(username=$tUser|s$)
or
index=tvlog
| where username=$tUser|s$
thank's for the answer, but none of your proposals returns a result 😞
Can you provide some sample events in a code block </> so we can see what you are dealing with?
i'm not really sure what you mean. i copied now two events resulting this search
index=tvlog "support sul"
it shows 324 events containing user "Support SuL" and "Support SuL 2"
index=tvlog username="support sul"
shows 161 results with only user "Support SuL"
index=tvlog username="support sul 2"
shows 163 results with only user "Support SuL 2"
2022-08-08 11:25:57,2022-08-08 11:33:52,"0:07:55",cabb2212-93b4-42e9-b890-2be47b841d82,u173443428,"Support SuL",230088210,PC1102,g170315939,PC1102 date_hour = 11date_mday = 8date_minute = 25date_month = augustdate_second =
57date_wday = mondaydate_year = 2022date_zone = localeventtype = nix-all-logshost = srv141index = tvloglinecount = 1source = /opt/splunkforwarder/etc/apps/PBNL_getTVlog/log/TVlog.csvsourcetype = csvsplunk_server = srv091splunk_server_group = dmc_group_indexer splunk_server_group = dmc_indexerclustergroup_SplunkClusterPBNLtimeendpos = 27timestartpos = 0
2022-08-05 06:58:45,2022-08-05 14:00:26,"7:01:41",d3e88821-f7b7-45bd-a18d-91d2dc147458,u174066842,"Support SuL 2",265385451,PC1153,g162593205,PC1153 date_hour = 6date_mday = 5date_minute = 58date_month = augustdate_second = 45date_wday = fridaydate_year = 2022date_zone = localeventtype = nix-all-logshost = srv141index = tvloglinecount = 1source = /opt/splunkforwarder/etc/apps/PBNL_getTVlog/log/TVlog.csvsourcetype = csvsplunk_server = srv091splunk_server_group = dmc_group_indexer splunk_server_group = dmc_indexerclustergroup_SplunkClusterPBNLtimeendpos = 27timestartpos = 0
these searches are all correct, but in the dashboard i need to deal with the token $tUser$.
You can try
index=tvlog username="$tUser$"
sorry, i forgot to update. after you proposed username=="$tUser$" i tried username="$tUser$" and that did the trick 😉
thank you...
index=tvlog
| where username=="$tUser$"
tried that too without success