I am defining a dashboard panel that uses a token $s_user$ that may contain a comma-separated list of values (it is set from $row.field$ for a multivalue field). I want to find events where the user field matches one of the values in $s_user$ (as well as some other criteria).
For example, if $s_user$ is "user1,user2,user3", then I want a search that does the equivalent of:
client=$client$ AND (user=user1 OR user=user2 OR user=user3)
What is the best way to accomplish this?
I have tried the following, which works but seems clumsy (particularly since I have several tokens like s_user):
client=$client$ AND [search * | head 1 | eval user=split("$s_user$", ",") | fields user | format]
I have also tried this, which sort of works:
client=$client$ | eval users=split("$s_user$", ",") | where mvfind(users, user) >= 0
But I suspect that is far slower, is also clumsy, and won't do the right thing if the user field contains regexp metacharacters.