Hello. I know variants of this question have been asked before, but I haven't found a solution for my specific case. I have a form that accepts a text value for a user and passes it to the search as a parameter (user="$user$"). Mostly this works fine, but in a few cases the user value is enclosed in quotes (e.g. "someaccount" instead of someaccount). If I pass user="someaccount" to the search, it doesn't match because it ignores the quotes. I would like to run this through a macro that fixes the quote situation, but I can't find one that works. The closest I got was user=`foo("someaccount")` where foo was an eval-based macro: replace("$token$", "([\"])", "\\\\\1"). I don't want to have to use *useraccount* to match "useraccount", and I don't want to use rex later in the search because I want to filter on the user field in the base query. Is there a way to make the macro work?
P.S. I can't use Sideview for this dashboard, and anyway I would like a solution that works from the search bar too.
Where are this token used, in the base search as a filter or in an eval statement.
Take a look at this runanywhere example.
|gentimes start=-1 | eval user="somesh \"somesh\"" | table user| makemv user | mvexpand user | eval isPresent=if(match(user,"(\")*"."somesh"."(\")*"),1,0)
You can put this match statement in your macro.
If the value of the $user$ can only be "user" or "\"user\"", the you can try this in base search
index=yourIndex sourcetype=yoursourcetype (user="$user$" OR user="\"$user$\"") ... | rest of the search
Base search. That's why it's complicated. I can get it to work with a later eval, but not in the base search.