I want to have a text box where a user can paste a list of items and then have each line be treated as an OR argument.
User puts the following in a text box (token: status):
400 403 404
The form has the following search in it:
search index=httplogs status=$status$
Then hit search and the following search executes:
search index=httplogs status=400 OR status=403 OR status=404
Is this possible?
Have you considered using a multi-line Pulldown from sideview utils? That would also save your users from knowing available values.
No because today they might search for 400,403,404, but tomorrow for 1223,456,901. We do not know what they will be looking for, but we know what field to look in.
As far as I know there's no such multi-line textbox available. You could solve this in other ways, but if your requirement is that the textbox needs to be multiline you're out of luck.
UPDATE: I've been digging through my previous splunkbase answers because I'm pretty sure I wrote up a solution on this, but I'm unable to find it. Anyway, the idea was that given a textbox with comma-delimited values, this would be expanded to an OR-separated list. So, let's say the user-provided input (the comma-delimited list of terms) is available in the variable $status$. Enter this into a query using a subsearch, expand the list into a multivalued field using makemv and voilà, this should expand into what you want.
youroutersearch [search * | head 1 | eval status="$status$" | makemv delim="," status | fields status]
(the search + head commands at the beginning of the subsearch are just there to get one event so that eval can do its thing. You could use other commands like gentimes if you don't want to perform a search operation for this)
So, what happens is the user inputs for example "400,403,404" in the input field. This is put into the variable eval, then expanded into a multivalued field holding by makemv, then finally the subsearch returns, performing an OR operation between the terms so that the subsearch is expanded to
youroutersearch ((( status="400" OR status="403" OR status="404" )))
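The expansion the answer performs inside Splunk (split the pasted token on a delimiter, turn each piece into field="value", join with OR) is easy to see outside Splunk as well. The following is an added example written for this page, not code from the answer above or from Splunk; the field name "status" and the allow-list pattern for what a pasted value may look like are assumptions. It accepts commas, spaces or newlines as delimiters, rejects any term that does not match the allow-list before it is interpolated into a search string, and quotes each value so a pasted term is never read as search syntax.

```python
import re

# Assumption: a status value is a short alphanumeric token.  Anything else
# (quotes, pipes, spaces inside a term) is rejected rather than interpolated.
ALLOWED_TERM = re.compile(r"^[A-Za-z0-9._:-]+$")


def split_terms(text):
    """Split pasted text on commas and/or whitespace (spaces, tabs, newlines),
    dropping empty pieces so trailing delimiters are harmless."""
    return [t for t in re.split(r"[\s,]+", text.strip()) if t]


def build_or_clause(field, text, allowed=ALLOWED_TERM):
    """Return '(field="v1" OR field="v2" ...)' for the terms found in text.

    Raises ValueError if no terms are present or any term fails the allow-list,
    so an invalid paste produces an error instead of a rewritten search."""
    terms = split_terms(text)
    if not terms:
        raise ValueError("no search terms supplied")
    bad = [t for t in terms if not allowed.match(t)]
    if bad:
        raise ValueError(f"rejected terms: {bad}")
    return "(" + " OR ".join(f'{field}="{t}"' for t in terms) + ")"


def build_search(base_search, field, text):
    """Append the OR clause to a fixed outer search, as the subsearch does."""
    return f"{base_search} {build_or_clause(field, text)}"


if __name__ == "__main__":
    # Constructed sample paste: three status codes, one per line, as a user
    # copying from a report would supply them.
    pasted = "400\n403\n404\n"
    print(build_search("search index=httplogs", "status", pasted))
```

With the three-line paste above this yields `search index=httplogs (status="400" OR status="403" OR status="404")`, the same expression the OP wrote by hand in the question; the only difference from the makemv version is that a term failing the allow-list is refused up front rather than passed through into the search.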
Is there a way to do it without having a multi-line form? I just want the user to paste and search, but sometimes they might search for more than one value depending on what they copied.
Awesome! I changed the delim to a blank space instead of a comma so the user does not have to worry about pasting a comma-delimited list.
You could populate the Pulldown dynamically with every value the field can take, based on the events loaded into Splunk. Anything else typed by the users would not yield results anyway.
Unfortunately, the form search modules in "vanilla" Splunk do not provide an option to assemble the terms provided by the user into a "TERM1 OR TERM2 OR TERM3" expression.
You would have to write your own module to perform this task.