Splunk Search

Clarification on the search in Form


A form was created using Simple XML containing two components, two text boxes named Filename and Status. When the search button is clicked, the values given in the text boxes are substituted into the search as follows:

"Base search query"|search Filename=$filename$ Status=$status$

and the result was displayed, showing the record that has both the filename and the status. I want the search to run with the minimal information given, displaying the same results as when complete information is given. For example, of the two text boxes, when only filename or status is given, the search should give the same results as when both filename and status are given.

I tried giving the search as

"Base search query"|search Filename=$filename OR Status=$status$

But when only Filename was given in the form, leaving the Status field blank, this error was displayed:

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side.

Can anyone explain the reason for the error and suggest an alternative way to achieve this requirement?

0 Karma



I hope that I understand what you want to do!
I think you have to set the default values of $filename$ and $status$ to *, so if you want to search only for status and accept all filenames it would look like this:

"Base search query"|search Filename=* AND Status=$status$

Furthermore you can put your filters in your main search before you use a |search...


0 Karma


The reason for the error is that Splunk does not accept a blank value after a "field=" filter. You can set a value, or you can use * to disable the filter and search for all. But a better possibility is to use the tag not just for the value you want to filter for, but for a complete part of a search, like this:

"Base search query"|search $filename$ AND $status$

For this example $filename$ has to be set to "Filename=*"
and $status$ to "Status=value_you_want_to_filter_for"
In the XML structure you can use and
to handle these problems.


0 Karma
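
A Simple XML form that combines the two suggestions above, added here as an example and not taken from either answer: each text input starts at `*` and uses `<prefix>`/`<suffix>` so the token expands to a complete `field="value"` term. The index and sourcetype stand in for "Base search query" and are placeholders, as are the labels and time range.

```xml
<form>
  <label>File status lookup</label>
  <fieldset submitButton="true" autoRun="false">
    <!-- <default> is the token's initial value when the form loads.
         A box left at * matches every value of that field, so the
         search never sees "Filename=" with nothing after the "=". -->
    <input type="text" token="filename">
      <label>Filename</label>
      <default>*</default>
      <!-- prefix/suffix wrap the typed value, so $filename$ expands to
           a complete term such as Filename="*" or Filename="a.log" -->
      <prefix>Filename="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="status">
      <label>Status</label>
      <default>*</default>
      <prefix>Status="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- index and sourcetype are placeholders for "Base search query" -->
          <query>index=main sourcetype=file_audit | search $filename$ AND $status$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

A term such as `Filename="*"` matches only events in which the Filename field exists, so events missing either field are still filtered out.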

Thanks... Can you explain the reason for the error that I stated above?

0 Karma