on a dashboard and searchTemplate

asarolkar · ‎06-07-2012

I have one user interactive input from a < form > that needs to go to two searches - wherever it gets a match must display in the form of a table.

I have created a dashboard and can pass in an ID using < searchTemplate> and < fieldset > - basically I pass a token by the name of $ID$ into the search inside the searchTemplate.

However searchTemplate only ever takes in one search - for me there's TWO sourcetypes - if I cannot get this id from Sourcetype A I need to be able to look in Sourcetype B - how would I accomplish that in one form using ONE actual search entry into < searchTemplate> ?

Something like this ---->

< searchtemplate >

sourcetype="A" idInTableA="$ID$"

sourcetype="B" idInTableB="$ID$"

< /searchtemplate >

Any ideas so as to the most sensible way to go about this ?

asarolkar · ‎06-07-2012

That by the way, did not work.

Splunk errors out saying it is unable to parse the search

gkanapathy · ‎06-07-2012

(sourcetype=A idInTableA="$ID$") OR (sourcetype=B idInTableB="$ID$")

?

on a dashboard and searchTemplate

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

on a dashboard and searchTemplate

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!