I created a  dashboard with an input  that allows the user to select a user field from a dropdown that's populated by a lookup table.  I need to use a multiselect input type to allo users to filter for one user or all users. I created a change form  to prefix the selected user with "production\" and run a query In the  panel that retrieves firewall events  where the user = the new token value (prefixed with "production\") since the user in the firewall index is prefixed with "production". the issue is that the set token  runs whenever i change the value in the multiselect and appends "production\" to the token value multiple times Is there a way to set the token AFTER the user has set the filter? also how do I filter for ALL events (when the user select ALL in the multiselect input? below is my XML code. Thanks in advance. <dashboard version="1.1" theme="light"> <label>new firewall</label> <row> <panel> <title> Request Information</title> <input type="multiselect" token="webuser" searchWhenChanged="true"> <label>User</label> <choice value="*">All</choice> <default>*</default> <initialValue>*</initialValue> <delimiter> </delimiter> <fieldForLabel>UserName</fieldForLabel> <fieldForValue>UserName</fieldForValue> <search> <query>| inputlookup my_users.csv | dedup UserName | table UserName</query> </search> <change> <set token="webuser">prod\\$webuser$</set> </change> </input> <input type="time" token="webtime" searchWhenChanged="true"> <label></label> <default> <earliest>-4h@m</earliest> <latest>now</latest> </default> </input> <table> <search> <query>( index = main sourcetype = firewall ) action=blocked | search [ inputlookup my_users.csv | eval userName = "prod\\".UserName | rename userName as user | table user ] |table _time, $webuser$ index, action |search user=$webuser$</query> <earliest>$webtime.earliest$</earliest> <latest>$webtime.latest$</latest> </search> <option name="drilldown">cell</option> </table> </panel> </row> </dashboard>       ... View more