I have the following searchTemplate launched in a simple-xml form (still Splunk 5):
sourcetype=postfix_syslog AND NOT source=/var/log/notmylog [ search to=$to$ | table queue_id ] | transaction queue_id maxspan=6m | search $to$ | table ...
Token $to$ contains an email address as typed by the operator, firstname.lastname@example.org. I need to alter the user input so that the searchTemplate will look for email@example.com (or, in another case, *firstname.lastname@example.org).
I can alter the string with a rex (as an exercise, as a result of another search with rex field=to mode=sed "s/@/*@/", but that works in results), but I haven't been able to do it in my template and its subsearch. Mind that the token $to$ is used twice in the search.
If you mean running "sourcetype=... [ where like(to,replace($to$,"@","%@")) | table ..." nope, it doesn't work. I get no results and Inspect doesn't show a translated $to$. I also tried outside the form, just in the search window, without success. Moreover I would need a second replacement further down in the search.
I will ask the user to type localpart and domain as two separate fields, then concatenate both fields as $localpart$."*@".$domain$.
Try this (if still required)
sourcetype=postfix_syslog AND NOT source=/var/log/notmylog [ search [|stats count| eval to=$to$ | rex field=to mode=sed "s/@/*@/" | table to] | table queue_id ] | transaction queue_id maxspan=6m | search [|stats count| eval search=$to$ | rex field=search mode=sed "s/@/*@/" | table search] | table ...
THAT'S IT! Nested subsearch with a clever trick. I only needed to add double quotes to the eval: ... eval to="$to$" ... otherwise it complains of the @ symbol.
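Putting the accepted answer and the quoting fix together, as an added example that is not part of the original thread: `| stats count` seeds a single row, `eval to="$to$"` places the form token in it as a quoted string, `rex mode=sed` rewrites it, and the one-row `table` is what the enclosing subsearch receives (for the second occurrence the field is named `search`, so it is returned as a raw search string). Sourcetype, source, field names and maxspan are the thread's own; the columns in the final `table` are an assumption.

```spl
sourcetype=postfix_syslog AND NOT source=/var/log/notmylog
    [ search
        [ | stats count
          | eval to="$to$"
          | rex field=to mode=sed "s/@/*@/"
          | table to ]
      | table queue_id ]
| transaction queue_id maxspan=6m
| search
    [ | stats count
      | eval search="$to$"
      | rex field=search mode=sed "s/@/*@/"
      | table search ]
| table queue_id to
```

For the leading-wildcard case mentioned in the question (`*firstname.lastname@example.org`), the sed expression in both subsearches becomes `"s/^/*/"`.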