Alter user-input token in Simple XML form, used in subsearch

Path Finder

Hello.
I have the following searchTemplate launched in a simple-xml form (still Splunk 5):

sourcetype=postfix_syslog AND NOT source=/var/log/notmylog [ search to=$to$ | table queue_id ] | transaction queue_id maxspan=6m | search $to$ | table ...

Token $to$ contains an email address as typed by the operator, me@example.com. I need to alter the user input so that the searchTemplate will look for me*@example.com (or, in another case, *me@example.com).

I can alter the string with a rex (as an exercise, as the result of another search with rex field=to mode=sed "s/@/*@/", but that works on results), but I haven't been able to do it in my template and its subsearch. Mind that the token $to$ is used twice in the search.

Help.


Re: Alter user-input token in Simple XML form, used in subsearch

SplunkTrust

How about replacing "search to=$to$" with "where like(to,replace($to$,"@","%@"))"?


Re: Alter user-input token in Simple XML form, used in subsearch

Path Finder

If you mean running "sourcetype=... [ where like(to,replace($to$,"@","%@")) | table ..." nope, it doesn't work. I get no results and Inspect doesn't show a translated $to$. I also tried outside the form, just in the search window, without success. Moreover, I would need a second replacement further down in the search.

I will ask the user to type localpart and domain as two separate fields, then concatenate both fields as $localpart$."*@".$domain$.


Re: Alter user-input token in Simple XML form, used in subsearch

SplunkTrust

Try this (if still required)

sourcetype=postfix_syslog AND NOT source=/var/log/notmylog [ search [|stats count| eval to=$to$ | rex field=to mode=sed "s/@/*@/" | table to] | table queue_id ] | transaction queue_id maxspan=6m | search [|stats count| eval search=$to$ | rex field=search mode=sed "s/@/*@/" | table search] | table ...


Re: Alter user-input token in Simple XML form, used in subsearch

Path Finder

THAT'S IT! Nested subsearch with a clever trick. I only needed to add double quotes to the eval: ... eval to="$to$" ... otherwise it complains about the @ symbol.

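The accepted nested-subsearch trick, with the double-quote fix from the last reply, as it would sit in a complete Simple XML form. This is an added example, not code from the original thread; the form label, the input label, the panel, and the final `table` field list are assumptions.

```xml
<form>
  <label>Postfix recipient lookup (assumed label)</label>

  <fieldset>
    <!-- The operator types a plain address such as me@example.com;
         the form stores it in the token $to$ -->
    <input type="text" token="to">
      <label>Recipient address</label>
    </input>
  </fieldset>

  <!-- Each "| stats count | eval ... | rex ... | table X" subsearch runs once,
       produces a single row, and is spliced back into the outer search as
       X="me*@example.com". Using field name "search" instead of "to" makes
       Splunk splice the value in as free text rather than as to=... -->
  <searchTemplate>
    sourcetype=postfix_syslog AND NOT source=/var/log/notmylog
      [ search
          [| stats count
           | eval to="$to$"
           | rex field=to mode=sed "s/@/*@/"
           | table to]
        | table queue_id ]
    | transaction queue_id maxspan=6m
    | search
        [| stats count
         | eval search="$to$"
         | rex field=search mode=sed "s/@/*@/"
         | table search]
    | table _time queue_id from to
  </searchTemplate>

  <!-- Caveat: $to$ is substituted verbatim into the SPL text before the
       eval runs, so the double quotes only keep the @ literal as long as
       the operator's input contains no " character of its own. Restrict
       who can edit and run the form accordingly. -->
  <row>
    <table>
      <title>Matching transactions (assumed panel)</title>
      <option name="count">20</option>
    </table>
  </row>
</form>
```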