All Apps and Add-ons
Highlighted

Multiple OR tokens in a simple form not working as expected

Champion

I have the following configured form which gives me 4 text boxes. I would like to be able to enter a value for 1 or more of these text boxes to search on.

 <searchTemplate>$duser$ OR $suser$ OR $src$ OR $dst$  | head 100 | table _time duser suser src dst</searchTemplate>

  <fieldset>

      <input type="text" token="duser">
        <label>AppleConnect Dest User</label>
        <default></default>
          <prefix>duser=</prefix>
        <suffix>*</suffix>
      </input>

      <input type="text" token="suser">
        <label>AppleConnect Source User</label>
        <default></default>
          <prefix>suser=</prefix>
          <suffix>*</suffix>
      </input>

       <input type="text" token="src">
        <label>Source IP</label>
        <default></default>
           <prefix>src=</prefix>
      </input>

       <input type="text" token="dst">
        <label>Destination IP</label>
        <default></default>
          <prefix>dst=</prefix>
        <suffix></suffix>
      </input>

etc.

If I only enter a value for 1 token, the search does not work as expected. The resulting search looks like this:

"  OR suser=test OR  OR    | head 100  | table _time duser suser src dot "

What am I doing wrong?

0 Karma
Highlighted

Re: Multiple OR tokens in a simple form not working as expected

SplunkTrust
SplunkTrust

I don't have a Splunk available to test, but here's a generic thought: Prefix your search with a term that is never true (e.g. foo=bar), and include the OR in each input's prefix.

If you enter nothing in any field you should get this:

foo=bar | ...

If you fill one field you should get this:

foo=bar OR suser=something | ...

If you fill more than one field you just add more " OR field=value" to that, maintaining syntactic correctness.

0 Karma