Based on form input (e.g. the state of multiple checkboxes) I would like to build a search query comprised of multiple OR clauses.
Given 3 checkboxes: "USA", "Canada", "Mexico", I'd like to dynamically build a query that contains any of the above countries, like so:
source="abc" country="USA" OR country="Canada" OR country="Mexico"
If, for example, the "Canada"checkbox is unchecked, the country's name will be omitted from the search query, like so:
source="abc" country="USA" OR country="Mexico"
What would be the correct mechanism to use to achieve this functionality?
When no checkbox is checked - is the search supposed to return all countries or nothing?
Note, here's a similar question asked recently: http://answers.splunk.com/answers/116083/multiple-or-tokens-in-a-simple-form-not-working-as-expected
Then you can do the same thing as I suggested in the linked question - start with a neutral term that matches nothing, and append "OR country=value" for each checkbox.