Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Process User input before search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'd like to know if there's any possibility to process the user input before executing a search but without harming the performance. At the moment I have this two text inputs:
{% textinput id="originatorKey" value="$originatorKey$"|token_safe %}
{% textinput id="recipientKey" value="$recipientKey$"|token_safe %}
Now imagine the user inputs me@example.com as the originator and leaves the recipient empty. I want to search for every email sent from me@example.com.
The first idea that I had to make this work was with something like this:
{% searchmanager id="search1" search='index=testindex | eval orig="$originatorKey$" | eval recipient="$recipientKey$" | search ... ' %}
Perhaps using a where clause as well as len to determine if the origin or the recipient should be included or not. But I don't want to follow this path. By using search='index=testindex' the whole index is fetched and this takes a long long time.
Then I thought about this one:
search='index=testindex origin="$originatorKey$" OR recipient="$recipientKey$" | where ((len("$originatorKey$") > 0 AND origin="$originatorKey$") OR len("$originatorKey$")==0) AND ((len("$recipientKey$") > 0 AND recipient="$recipientKey$") OR len("$recipientKey$")==0)'
But it would be better if I could determine beforehand if I need to search for the origin and the recipient or just one of them.
Is this possible?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not set a default for the input fields of * and use this search?
search='index=testindex origin="$originatorKey$" recipient="$recipientKey$"'
That way, if the user leaves one field empty, you will search for * instead, which seems much easier. Using your example, imagine the user inputs me@example.com as the originator and leaves the recipient empty. The search template would parse to
search='index=testindex origin="me@examplecom" recipient="*"'
which should find every email sent from me@example.com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not set a default for the input fields of * and use this search?
search='index=testindex origin="$originatorKey$" recipient="$recipientKey$"'
That way, if the user leaves one field empty, you will search for * instead, which seems much easier. Using your example, imagine the user inputs me@example.com as the originator and leaves the recipient empty. The search template would parse to
search='index=testindex origin="me@examplecom" recipient="*"'
which should find every email sent from me@example.com
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
