How do you search on a form token that has a value...

cphair · ‎07-18-2014

Hello. I know variants of this question have been asked before, but I haven't found a solution for my specific case. I have a form that accepts a text value for a user and passes it to the search as a parameter (user="$user$"). Mostly this works fine, but in a few cases the user value is enclosed in quotes (e.g. "someaccount" instead of someaccount). If I pass user="someaccount" to the search, it doesn't match because it ignores the quotes. I would like to run this through a macro that fixes the quote situation, but I can't find one that works. The closest I got was user=`foo("someaccount")` where foo was an eval-based macro: replace("$token$", "([\"])", "\\\\\1"). I don't want to have to use *useraccount* to match "useraccount", and I don't want to use rex later in the search because I want to filter on the user field in the base query. Is there a way to make the macro work?

P.S. I can't use Sideview for this dashboard, and anyway I would like a solution that works from the search bar too.

somesoni2 · ‎07-18-2014

Where are this token used, in the base search as a filter or in an eval statement.

Take a look at this runanywhere example.

|gentimes start=-1 | eval user="somesh \"somesh\"" | table user| makemv user | mvexpand user | eval isPresent=if(match(user,"(\")*"."somesh"."(\")*"),1,0)

You can put this match statement in your macro.

Update

If the value of the $user$ can only be "user" or "\"user\"", the you can try this in base search

index=yourIndex sourcetype=yoursourcetype (user="$user$" OR user="\"$user$\"") ... | rest of the search

cphair · ‎07-18-2014

Base search. That's why it's complicated. I can get it to work with a later eval, but not in the base search.

How do you search on a form token that has a value enclosed in double quotes?

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann

Admin Your Splunk Cloud, Your Way