In my form, I'm trying to search on a value that might be in two places. The value is derived from a token. The issue is that one of the places, the token value is the whole field, and in another, it's a part of the field. So the first part ( | search patid = $pat1$) works, but the second part ( | search patid=$pat1$) doesn't work because it puts quotes in (evaluates as | search patid="5379345"). Obviously I'm clueless, can someone point me in the right direction?
@gregbo while posting the code use the code button i.e.
101010 or shortcut key
Ctrl+K. You might have to add more details from your code/data around your issue. Like what is the code for setting the
patid token. What is the query where first
$patid$ is set and used for search filter? and what is the query where second $patid$ is set for search filter. What is the value you want to use in both the places?
Can you try Token escape character i.e.
|s to escape token value as string
| search patid=$patid|s$
| search patid=*$patid|s$*
Or may be use double quotes around existing token filter:
| search patid="$patid$"
| search patid="*$patid$*"
Please add the details as requested if your issue is not resolved!
I couldn't get the suggested methods to work (probably I'm doing something else wrong), but I managed to get what I needed by using a rex to pull the value out of the second field and then do a search like so:
| rex field=altpat "\w^\w^\w^\w^\w~(?
| search (patid = $patid$) OR (altpatid = $patid$)
@gregbo requesting you to accept your own answer to mark this question as answered. Also while posting code use
Code button on Splunk Answers i.e.
101010 or Shortcut
Ctrl+K, so that special character does not escape.