Splunk Enterprise Security

Dynamically populate search dashboard after transaction

benthehen100
Engager

Hello,

I'm trying to create a dashboard for our email logs that allows a user to input fields like sender, recipient, subject, and attachment name and return an output of results. However, one email is represented by 15 different logs. To get around this, we perform a subsearch that only contains one criterion, perform transaction after that, and add additional criteria in a search after the transaction. internal_message_id is a relatively unique GUID used to identify all 15 of the logs that make up one message, and the sender, recipient, subject, etc. are all in different logs.

This problem has been covered pretty well in this article: webfactory.de/blog/splunk-subsearch-transaction-qmail-deliveries

So for example, when I run a search for the following criteria:
recipient="me@example.com"
subject="Your invoice has been sent for processing"

I'd actually run the following in Splunk:

index=mail
[ search index=mail
recipient="me@example.com"
| fields internal_message_id]
| transaction internal_message_id
| search subject="Your invoice has been sent for processing"

Now comes my problem when trying to translate this into a dashboard. I have 5 fields that allow user input, and the search works fine when only one criteria is supplied, but I need a way to basically move all subsequent criteria to the search after the transaction. I won't know necessarily which field a user decides to supply, but hopefully they'll have to supply one or more. I likewise cannot leave the internal search blank and transact all mail logs then apply criteria, as the load is too high.

So on my dashboard with the same criteria above, instead of the following:
index=mail
[ search index=mail
recipient="me@example.com" subject="Your invoice has been sent for processing"
| fields internal_message_id]
| transaction internal_message_id

I'd need the search to do this:

index=mail
[ search index=mail
recipient="me@example.com"
| fields internal_message_id]
| transaction internal_message_id
| search subject="Your invoice has been sent for processing"

with subject and recipient interchangeable, for now.
The dashboard will be used by relatively strong Splunk users, so I could also ask them to choose the most efficient subsearch criterion using a radio button or something (i.e. it'd be better to have the internal search run recipient="me@example.com" if the subject line happened to be subject="Invoice").

I think there is a way to do this using condition match, but I'm out of my element at the moment:
docs.splunk.com/Documentation/Splunk/7.2.6/Viz/tokens

<form>
  <label>Email Campaign Investigation</label>
  <fieldset submitButton="true">
    <input type="text" token="sender">
      <label>Sender</label>
      <prefix>sender="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="recipient">
      <label>Recipient</label>
      <prefix>recipient="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="subject">
      <label>Subject</label>
      <prefix>subject="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="file_name">
      <label>Attachment Name</label>
      <prefix>file_name="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="attachment_type">
      <label>Attachment Type</label>
      <prefix>attachment_type="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>Email Results</title>
        <search>
          <query>index=mail
            [ search index=mail
                $sender$ $recipient$ $subject$ $file_name$ $attachment_type$
              | fields internal_message_id ]
            | transaction internal_message_id maxspan=10m</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>
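Added example (not from the original post and not Splunk's own API): a small Python builder that applies the ordering the question describes, one criterion inside the subsearch that collects internal_message_id and every other supplied criterion in a `| search` after `transaction`. It also quotes each user-supplied value so a string such as `x" OR index=*` cannot break out of its `field="..."` term, which matters whenever dashboard text boxes are pasted straight into SPL. The selectivity order used to pick the subsearch criterion, the escaping rules (backslash-escaping `\` and `"` inside a double-quoted SPL literal) and all function names are assumptions.

```python
"""Build the two-stage SPL query described in the post: one criterion goes into the
subsearch that collects internal_message_id values, the rest are applied with
`| search` after `transaction`. Assumed structure, not a Splunk API."""

# Field names the dashboard in the post exposes as text inputs.
CRITERIA_FIELDS = ("sender", "recipient", "subject", "file_name", "attachment_type")

# Assumed selectivity order used when the caller does not pick the subsearch
# criterion explicitly: an address usually narrows the subsearch far more than
# a subject line such as "Invoice".
DEFAULT_PRIORITY = ("recipient", "sender", "file_name", "subject", "attachment_type")


def spl_quote(value):
    """Quote a user-supplied value as an SPL double-quoted string literal.

    Assumed escaping rule: backslash and double quote are backslash-escaped,
    so the value cannot terminate the literal and append extra search terms.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def choose_primary(filled, preferred=None):
    """Pick the single criterion that goes into the subsearch.

    `filled` maps field name -> non-blank value. `preferred` is the field a
    user selected with a radio button (the option the post suggests); when it
    is None the assumed DEFAULT_PRIORITY decides.
    """
    if preferred is not None:
        if preferred not in filled:
            raise ValueError("preferred field %r was not supplied" % preferred)
        return preferred
    for field in DEFAULT_PRIORITY:
        if field in filled:
            return field
    raise ValueError("at least one criterion is required")


def build_query(criteria, preferred=None, index="mail", maxspan="10m"):
    """Return the SPL string for the supplied criteria.

    Only whitelisted field names are accepted; blank inputs (an unfilled
    dashboard text box) are dropped. Exactly one criterion is placed in the
    subsearch, the remaining ones follow the transaction as a `| search`.
    """
    unknown = set(criteria) - set(CRITERIA_FIELDS)
    if unknown:
        raise ValueError("unknown criteria fields: %s" % sorted(unknown))
    filled = {f: v for f, v in criteria.items() if v is not None and v.strip()}
    primary = choose_primary(filled, preferred)
    terms = {f: "%s=%s" % (f, spl_quote(v)) for f, v in filled.items()}
    query = (
        "index=%s [ search index=%s %s | fields internal_message_id ]"
        " | transaction internal_message_id maxspan=%s"
        % (index, index, terms[primary], maxspan)
    )
    rest = [terms[f] for f in CRITERIA_FIELDS if f in terms and f != primary]
    if rest:
        query += " | search " + " ".join(rest)
    return query


if __name__ == "__main__":
    # Constructed sample input matching the post's example criteria.
    print(build_query({
        "recipient": "me@example.com",
        "subject": "Your invoice has been sent for processing",
        "sender": "",
    }))
```

With the post's two criteria the builder emits the subsearch on recipient and the subject filter after the transaction; passing `preferred="subject"` swaps them, which is the radio-button choice the post considers. The whitelist on field names and the quoting in `spl_quote` are the two places where untrusted dashboard input is constrained before it reaches the search.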