Hi all,
I am trying to include the contents of a form field into an AND search clause only if the form field is not null.
So, say there are three input fields: field1, field2, and field3.
If the user enters stuff into field1 and field3, I want to search:
index=stuff search1=field1 AND search3=field3
But my search looks like this:
index=stuff search1=field1 AND search2=field2 AND search3=field3
So, the example search will return no results because search2 does not equal "".
Is there a way I can use eval isnotnull() to remove a field from my search string if the user doesn't enter anything?
There are at least two ways around this:
The best is to use prefix and suffix values in your form field. In simple XML, this would look like:
<input type="text" token="field3">
  <prefix>search3="</prefix>
  <suffix>"</suffix>
</input>
and your searchTemplate could look like:
search1=$field1$ search2=$field2$ $field3$
This method will only include $field3$ if the user typed a value at all. The other method would be to set a default:
<input type="text" token="field3">
  <default>*</default>
</input>
and searchTemplate:
search1=$field1$ search2=$field2$ search3=$field3$
This actually behaves slightly differently as it requires that search3 must have some value, while the previous will return results where search3 is not set at all.
That was the answer I was looking for:
In Splunk 6, for the first method to work, you'll need to include a blank <default></default>
Had some strange behaviour in my dashboards, because I used to make an "optional" search for a keyword appended to the base search (| search $something$) - and by default, Splunk <6 omitted an empty input. Now the mentioned statement brings back this behaviour - thanks for the hint 🙂
That is pure magic! Looked for this for so much time! Thanks.
Actually, from all other discussions in Splunk Answers, it seems like there is no way to set an empty token in a search.
Apparently it works.
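The prefix/suffix method from the answer above, applied to all three inputs and combined with the blank default that the comments say Splunk 6 needs, as an added example that is not part of the original thread. The form label, input labels, submit button and time range are assumptions; index=stuff and the search1..search3 field names come from the question.

```xml
<!-- Added example: hypothetical Simple XML form, not from the original thread -->
<form>
  <label>Optional field search</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="field1">
      <label>search1</label>
      <!-- Blank default: the token is defined even when the box is left empty -->
      <default></default>
      <!-- Per the thread, prefix/suffix are only emitted when a value was typed -->
      <prefix>search1="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="field2">
      <label>search2</label>
      <default></default>
      <prefix>search2="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="field3">
      <label>search3</label>
      <default></default>
      <prefix>search3="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Terms are ANDed implicitly; an empty input contributes nothing.
               field1 and field3 filled in gives:
               index=stuff search1="..." search3="..." -->
          <query>index=stuff $field1$ $field2$ $field3$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```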
Years later this still helped me resolve an issue where I needed an if statement against a search rather than storing a result in an eval. The only difference is in Splunk 6, for the first method to work, you'll need to include a blank
To elaborate further, I have a form that populates a dropdown menu with a lookup table. The lookup table stores a search as the value for each dropdown entry. The dashboard serves the purpose of updating, deleting and adding new entries. Using prefix & suffix let me ignore form fields thus deleting lookup table entries instead of adding.
I think that the former is working. It became more complicated because I made the operator (and/or) a variable too, but I did:
and it worked!
Maybe something like this: eval newfield = if(field == "", "*", field) | search1=newfield ?
Hmm,
So I am now doing:
index=stuff | eval newfield = if(field1 == "", "*", field1) | index=stuff (search1=newfield OR search2=field2)
But this throws a failhandler error.