Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Expand XML created variable to search

vagnet
Explorer
‎10-12-2021 04:57 AM

Hi Splunkers,

 

Hopefully I am posting on the correct place, apologies if not!

I have the following code/SPL from inside the XML form. It looks inside a lookup, and then gives information about a specific field (field name taken from variable "FieldName") which matches the value of SearchString (value taken from variable "SearchString").

 

| inputlookup $lookup_name$
| search $FieldName$=$SearchString$

 

Those experienced you will see that it doesn't work this way. I am assuming that to make this XML code to work and give me the search result I expect I need to expand the variables?

 

If so, any idea how to do that?

Regards,

vagnet

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-12-2021 07:17 AM

Once I created a dummy IPFile.csv lookup and corrected a typo in the form, it worked for me.

<form script="MyScript.js">
  <label>Testing</label>
  <description>For testing of viewing files and their fields</description>
  <fieldset submitButton="false"></fieldset>
 <row>
    <panel>
      <input type="dropdown" token="lookupFile" searchWhenChanged="true">
        <label>lookup</label>
        <fieldForLabel>lookups</fieldForLabel>
        <fieldForValue>lookups</fieldForValue>
        <search>
          <query>| makeresults
| eval lookups="IPFile.csv,MACFile.csv"
| makemv delim="," lookups
| mvexpand lookups
| table lookups</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </input>
      <input type="dropdown" token="fieldName">
        <label>Select Field to Search</label>
        <fieldForLabel>field</fieldForLabel>
        <fieldForValue>field</fieldForValue>
        <search>
          <query>| inputlookup $lookupFile$
| fieldsummary
| table field</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <default></default>
        <prefix>| search "</prefix>
        <suffix>"</suffix>
        <choice value="">--</choice>
      </input>
      <input type="text" token="searchString" searchWhenChanged="true">
        <label>Free string search</label>
        <default></default>
      </input>
      <table>
        <title>Search in lookup files</title>
        <search>
          <query>| inputlookup $lookupFile$ | search $fieldName$ = "*$searchString$*"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

The fix was to change search FieldName$ = "*$searchString$*" to search $fieldName$ = "*$searchString$*".

richgalloway_0-1634048107541.png

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-12-2021 05:49 AM

Input tokens (assuming that's what you mean by "variable") are expanded automatically.

Please describe the problem you are trying to solve.

Please also share the code for the form.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

vagnet
Explorer
‎10-12-2021 06:20 AM

Thanks for the reply @richgalloway .

Your input was very helpful! However, I still cannot run the search described as described above: "| inputlookup $lookupFile$ | search $fieldName$ = $searchString$ "

 

The whole code is found below:

 <form script="MyScript.js">
  <label>Testing</label>
  <description>For testing of viewing files and their fields</description>
  <fieldset submitButton="false"></fieldset>
 <row>
    <panel>
      <input type="dropdown" token="lookupFile" searchWhenChanged="true">
        <label>lookup</label>
        <fieldForLabel>lookups</fieldForLabel>
        <fieldForValue>lookups</fieldForValue>
        <search>
          <query>| makeresults
| eval lookups="IPFile.csv,MACFile.csv"
| makemv delim="," lookups
| mvexpand lookups
| table lookups</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </input>
      <input type="dropdown" token="fieldName">
        <label>Select Field to Search</label>
        <fieldForLabel>field</fieldForLabel>
        <fieldForValue>field</fieldForValue>
        <search>
          <query>| inputlookup $lookupFile$
| fieldsummary
| table field</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <default></default>
        <prefix>| search "</prefix>
        <suffix>"</suffix>
        <choice value="">--</choice>
      </input>
      <input type="text" token="searchString" searchWhenChanged="true">
        <label>Free string search</label>
        <default></default>
      </input>
      <table>
        <title>Search in lookup files</title>
        <search>
          <query>| inputlookup $lookupFile$ | search FieldName$ = "*$searchString$*"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  </form>

 

Regards,

vagnet

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-12-2021 07:17 AM

Once I created a dummy IPFile.csv lookup and corrected a typo in the form, it worked for me.

<form script="MyScript.js">
  <label>Testing</label>
  <description>For testing of viewing files and their fields</description>
  <fieldset submitButton="false"></fieldset>
 <row>
    <panel>
      <input type="dropdown" token="lookupFile" searchWhenChanged="true">
        <label>lookup</label>
        <fieldForLabel>lookups</fieldForLabel>
        <fieldForValue>lookups</fieldForValue>
        <search>
          <query>| makeresults
| eval lookups="IPFile.csv,MACFile.csv"
| makemv delim="," lookups
| mvexpand lookups
| table lookups</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </input>
      <input type="dropdown" token="fieldName">
        <label>Select Field to Search</label>
        <fieldForLabel>field</fieldForLabel>
        <fieldForValue>field</fieldForValue>
        <search>
          <query>| inputlookup $lookupFile$
| fieldsummary
| table field</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <default></default>
        <prefix>| search "</prefix>
        <suffix>"</suffix>
        <choice value="">--</choice>
      </input>
      <input type="text" token="searchString" searchWhenChanged="true">
        <label>Free string search</label>
        <default></default>
      </input>
      <table>
        <title>Search in lookup files</title>
        <search>
          <query>| inputlookup $lookupFile$ | search $fieldName$ = "*$searchString$*"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

The fix was to change search FieldName$ = "*$searchString$*" to search $fieldName$ = "*$searchString$*".

richgalloway_0-1634048107541.png

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...