
Form with a multi-line text box that will OR every line it is given.

Communicator

I want to have a text box where a user can paste a list of items and then have each line be treated as an OR argument.

For Example:
User puts the following in a text box (Token=status):

400
403
404

The form has the following search in it: search index=httplogs status=$status$

Then hit search and the following search executes: search index=httplogs status=400 OR status=403 OR status=404

Is this possible?

Thanks


Re: Form with a multi-line text box that will OR every line it is given.

SplunkTrust

Have you considered using a multi-line Pulldown from sideview utils? That would also save your users from knowing available values.

0 Karma

Re: Form with a multi-line text box that will OR every line it is given.

Communicator

No because today they might search for 400,403,404, but tomorrow for 1223,456,901. We do not know what they will be looking for, but we know what field to look in.

0 Karma

Re: Form with a multi-line text box that will OR every line it is given.

Legend

As far as I know there's no such multi-line textbox available. You could solve this in other ways, but if your requirement is that the textbox needs to be multiline you're out of luck.

UPDATE: I've been digging through my previous splunkbase answers because I'm pretty sure I wrote up a solution on this, but I'm unable to find it. Anyway the idea was that given a textbox with comma delimited values, this would be expanded to an OR separated list. So, let's say the user-provided input (the comma-delimited list of terms) is available in the variable $status$. Enter this into a query using a subsearch, expand the list into a multivalued field using makemv and voilà, this should expand into what you want.

youroutersearch [search * | head 1 | eval status="$status$" | makemv delim="," status | fields status]

(the search + head commands at the beginning of the subsearch are just to get one event so that eval can do its thing. You could use other commands like gentimes if you don't want to perform a search operation for this)

So, what happens is the user inputs for example "400,403,404" in the input field. This is put into the variable status by eval, then expanded into a multivalued field by makemv, then finally the subsearch returns, performing an OR operation between the terms so that the subsearch is expanded to

youroutersearch ((( status="400" OR status="403" OR status="404" )))


Re: Form with a multi-line text box that will OR every line it is given.

Communicator

Is there a way to do it without having a multi-line form? I just want the user to paste and search, but sometimes they might search for more than one value depending on what they copied.

0 Karma

Re: Form with a multi-line text box that will OR every line it is given.

Legend

Updated my answer. Let me know if this works 🙂

0 Karma

Re: Form with a multi-line text box that will OR every line it is given.

Communicator

Awesome! I changed the delim to a blank space instead of a comma so the user does not have to worry about pasting a comma-delimited list.

0 Karma

Re: Form with a multi-line text box that will OR every line it is given.

SplunkTrust

You could populate the Pulldown dynamically with every value the field can take, based on the events loaded into splunk. Anything else typed by the users would not yield results anyway.

0 Karma

Re: Form with a multi-line text box that will OR every line it is given.

Communicator

Too many values to do this.

0 Karma

Re: Form with a multi-line text box that will OR every line it is given.

Splunk Employee

Unfortunately, the form search modules in "vanilla" Splunk do not provide an option to assemble the terms provided by the user into a "TERM1 OR TERM2 OR TERM3" expression.

You would have to write your own module to perform this task.

0 Karma
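
The term assembly discussed in this thread (pasted lines turned into "TERM1 OR TERM2 OR TERM3"), sketched as an added example that is not code from any poster or from Splunk. The names buildOrClause, FIELD_RE, VALUE_RE and MAX_TERMS are hypothetical, and the allow-list and cap are assumptions: values containing quotes, pipes, brackets or backslashes are rejected instead of being substituted into the search string.

```javascript
// Added example: turn pasted text into an OR clause for a Splunk search.
// All names and limits below are hypothetical, chosen for illustration.

const FIELD_RE = /^[A-Za-z_][A-Za-z0-9_.]*$/; // assumed shape of a field name
const VALUE_RE = /^[A-Za-z0-9._:-]+$/;        // assumed allow-list for values
const MAX_TERMS = 200;                        // assumed cap on pasted items

function buildOrClause(field, rawInput) {
  if (!FIELD_RE.test(field)) {
    throw new Error("invalid field name: " + field);
  }
  // One item per line is expected, but commas and spaces also separate items,
  // matching the delimiters used in the thread.
  const items = String(rawInput).split(/[\s,]+/).filter((s) => s.length > 0);
  const unique = [...new Set(items)]; // drop repeated lines, keep first-seen order
  if (unique.length === 0) {
    throw new Error("no values supplied");
  }
  if (unique.length > MAX_TERMS) {
    throw new Error("too many values: " + unique.length);
  }
  for (const v of unique) {
    // Characters outside the allow-list could change the structure of the
    // search once the token is substituted, so fail closed.
    if (!VALUE_RE.test(v)) {
      throw new Error("rejected value: " + JSON.stringify(v));
    }
  }
  return "( " + unique.map((v) => `${field}="${v}"`).join(" OR ") + " )";
}

// Constructed sample input: mixed line endings, a blank line and a duplicate.
const pasted = "400\n403\r\n404\n\n403\n";
console.log("search index=httplogs " + buildOrClause("status", pasted));
```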