A form was created using simple XML containing two components as two text boxes named as Filename and Status.When the search button is clicked the values given in the textboxes get replaced in the search as follows
"Base search query"|search Filename=$filename$ Status=$status$
and the result was got displaying the record that has both filename and status.I want the search to run with the minimal information given displaying the same results as when complete information given.For example Among the two textboxes,when only filename or status is given, the search should give the same results as when both filename and status are given.
I tried giving the search as
"Base search query"|search Filename=$filename OR Status=$status$
But when only Filename was given in the form leaving the Status field blank,the error was displayed as
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side.
Can anyone say reason for the error and any alternative way to acheive this requirement
I hope that I anderstand what you want to do!
I think you have to set the default values of $filename$ and $status$ to *, so if you want to search only for status and accept all fielnames it would look like this:
"Base search query"|search Filename=* AND Status=$status$"
Furthermore you can put your filters in your main search before you use a |search...
The reson for the error is that splunk does not accept a blank value after an "field =" filter. You can set a value or you can use * to disable the filter/to search for all. But a better possibility is to use the tag not just for the value you want to filter for, but use the tag for a complete part of a search like this:
"Base search query"|search $filename$ AND $status$"
For this example $filename$ has to be set to "Filename=*"
and $status$ to "Status=value_you_want_to_filter_for"
In the xml structure you can use
to handle this problems.