Using form input to search for multiple token vari...

stevegadd · ‎12-29-2017

I have a basic dropdown in a form where we are searching for a user name in First Name Last Name format. I want to be able to take that token and use it in searches with multiple variations. An example is : index=foo search user="First Name Last Name" OR user="First Name.LastName".

Any help appreciated!

akocak · ‎12-29-2017

if you know dropdown format, you can achieve this in search like: (Let's say there is a space between)

    index=foo.. | eval mval=$token$| rex field=mval "^(?<firstname>\w+)\s(?<lastname>\w+)$"
    | search (user=mval OR user=firstname.".".lastname

Having 'user=' in first pipe next to index would be more optimized. However, it would require some tweaking in Dashboard XML or Macro.

Macro:
you need to create a macro that takes only one parameter (your token), and returns a string like:
(user="fname lname" OR user=fname.lname)
Ex:

[| makeresults | eval mval=$param$
| rex field=mval "^(?<fname>\w+)\s(?<lname>\w+)$" 
| eval search = "(user=".fname," ".lname." OR user=".fname.".".lname.")" 
| return $search]

Then you can call it in your search as:

index=foo 'mymacro($token$)'

XML:
I couldn't think of a way now using 'change' or 'set' tags. however, I am sure there are ways. I am sure somesoni will explain this part 🙂

Using form input to search for multiple token variations

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation