topic Re: Search Keywords with search button in Splunk Search

Search Keywords with search button

ASR1022 — Wed, 19 Apr 2023 14:01:20 GMT

I am currently working on a search dashboard. I have the dashboard created and the search (Submit Button). In this search I am looking at the messaging portion of our firewall logs. When I submit a search I have to put in the whole message example "Interface G1 Link is up".

What I am trying to do is search for keywords like Interface, G1, link is up, link is down.

Any info would be great.

Re: Search Keywords with search button

somesoni2 — Wed, 19 Apr 2023 14:16:04 GMT

When you open the search from your dashboard (after clicking on the little magnifying glass icon when you mouse hover the table/visualization), when search you get and what it should be? Are you using a text box to search for keywords? Should those keywords be used with 'OR' conjunction or 'AND'?

Re: Search Keywords with search button

ASR1022 — Wed, 19 Apr 2023 15:02:17 GMT

This is the search syntax:

<label>Message/Note Search</label>
<fieldset autoRun="false" submitButton="true">
<input type="time" token="field1">
<label>Time</label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="sourcetype" searchWhenChanged="false">
<label>Sourcetype</label>
<choice value="*">All</choice>
<default>*</default>
<populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype">
<![CDATA[|metadata type=sourcetypes index=netfw | stats count by sourcetype]]>
</populatingSearch>
</input>
<input type="text" token="*">
<label>Message/Note</label>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Source IP Search Results</title>
<search>
<query>index=scfw sourcetype="$sourcetype$" (msg="$*$" OR note="$*$")</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>

Re: Search Keywords with search button

somesoni2 — Wed, 19 Apr 2023 17:59:59 GMT

Give this a try

<label>Message/Note Search</label> <fieldset autoRun="false" submitButton="true"> <input type="time" token="field1"> <label>Time</label> <default> <earliest>-4h@m</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="sourcetype" searchWhenChanged="false"> <label>Sourcetype</label> <choice value="*">All</choice> <default>*</default> <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype"> <![CDATA[|metadata type=sourcetypes index=netfw | stats count by sourcetype]]> </populatingSearch> </input> <input type="text" token="keywords"> <label>Message/Note</label> </input> </fieldset> <row> <panel> <table> <title>Source IP Search Results</title> <search> <query>index=scfw sourcetype="$sourcetype$" (msg="*$keywords$*" OR note="*$keywords$*")</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search>

With this, you would be able to specify a single keyword OR portion of the string you're searching. (e.g. set the 'Message/Notes' textbox value to just 'G1' OR just 'Interface'.

Re: Search Keywords with search button

ASR1022 — Wed, 19 Apr 2023 18:27:52 GMT

That worked for me somesoni2.

Thanks for your help!