https://community.splunk.com/t5/Splunk-Search/Use-variable-as-complete-search-string/m-p/704680#M238726 <P>I am trying to create a dashboard. It has two input text fields.<BR />I want to run a search query based on these two inputs.<BR /><BR />If input A is null AND input B is null then no search results<BR />If input A is not null AND input B is null then search using only A<BR />If input A is null AND input B is not null then search using only B</P><P>If input A is null AND input B is not null then search using both A and B<BR /><BR />Following is my query. It returns no results&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">Properties.application="xyz.api" | spath Level | search Level!=Verbose AND Level!=Debug | eval search_condition_fnum=if(len(trim("$text_fnum$"))=0 OR isnull("$text_fnum$"), "", "RenderedMessage=\"*$text_fnum$*\"") | eval search_condition_fdate=if(len(trim("$text_fdate$"))=0 OR isnull("$text_fdate$"), "", "RenderedMessage=\"*$text_fdate$*\"") | eval combined_search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ") | table search_condition_fnum, search_condition_fdate, combined_search_condition | search [| makeresults | eval search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ") | fields search_condition]</LI-CODE><P>&nbsp;</P><P><BR /><BR /></P> Mon, 18 Nov 2024 21:36:55 GMT ameyad 2024-11-18T21:36:55Z https://community.splunk.com/t5/Splunk-Search/Use-variable-as-complete-search-string/m-p/704680#M238726 <P>I am trying to create a dashboard. It has two input text fields.<BR />I want to run a search query based on these two inputs.<BR /><BR />If input A is null AND input B is null then no search results<BR />If input A is not null AND input B is null then search using only A<BR />If input A is null AND input B is not null then search using only B</P><P>If input A is null AND input B is not null then search using both A and B<BR /><BR />Following is my query. It returns no results&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">Properties.application="xyz.api" | spath Level | search Level!=Verbose AND Level!=Debug | eval search_condition_fnum=if(len(trim("$text_fnum$"))=0 OR isnull("$text_fnum$"), "", "RenderedMessage=\"*$text_fnum$*\"") | eval search_condition_fdate=if(len(trim("$text_fdate$"))=0 OR isnull("$text_fdate$"), "", "RenderedMessage=\"*$text_fdate$*\"") | eval combined_search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ") | table search_condition_fnum, search_condition_fdate, combined_search_condition | search [| makeresults | eval search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ") | fields search_condition]</LI-CODE><P>&nbsp;</P><P><BR /><BR /></P> Mon, 18 Nov 2024 21:36:55 GMT https://community.splunk.com/t5/Splunk-Search/Use-variable-as-complete-search-string/m-p/704680#M238726 ameyad 2024-11-18T21:36:55Z https://community.splunk.com/t5/Splunk-Search/Use-variable-as-complete-search-string/m-p/704681#M238727 <P>It appears to me that you are overthinking the search language. &nbsp;Assuming that RenderedMessage is already extracted (as is implied in your illustrated code), you can use</P><LI-CODE lang="markup">roperties.application="xyz.api" (RenderedMessage="*$text_fnum$*" AND RenderedMessage="*$text_fdate$*") | spath Level | search Level!=Verbose AND Level!=Debug | eval combined_search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ")</LI-CODE><P>If you run this on paper, you will see that the wildcards will cause the search to behave as you described.</P> Mon, 18 Nov 2024 22:43:48 GMT https://community.splunk.com/t5/Splunk-Search/Use-variable-as-complete-search-string/m-p/704681#M238727 yuanliu 2024-11-18T22:43:48Z