Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Process User input before search

jpenetra
Explorer
‎12-02-2013 02:07 AM

Hello,

I'd like to know if there's any possibility to process the user input before executing a search but without harming the performance. At the moment I have this two text inputs:

{% textinput id="originatorKey" value="$originatorKey$"|token_safe %}

{% textinput id="recipientKey" value="$recipientKey$"|token_safe %}

Now imagine the user inputs me@example.com as the originator and leaves the recipient empty. I want to search for every email sent from me@example.com.

The first idea that I had to make this work was with something like this:

{% searchmanager id="search1" search='index=testindex | eval orig="$originatorKey$" | eval recipient="$recipientKey$" | search ... ' %}

Perhaps using a where clause as well as len to determine if the origin or the recipient should be included or not. But I don't want to follow this path. By using search='index=testindex' the whole index is fetched and this takes a long long time.

Then I thought about this one:

search='index=testindex origin="$originatorKey$" OR recipient="$recipientKey$" | where ((len("$originatorKey$") > 0 AND origin="$originatorKey$") OR len("$originatorKey$")==0) AND ((len("$recipientKey$") > 0 AND recipient="$recipientKey$") OR len("$recipientKey$")==0)'

But it would be better if I could determine beforehand if I need to search for the origin and the recipient or just one of them.

Is this possible?

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-02-2013 11:26 PM

Why not set a default for the input fields of * and use this search?

search='index=testindex origin="$originatorKey$" recipient="$recipientKey$"'

That way, if the user leaves one field empty, you will search for * instead, which seems much easier. Using your example, imagine the user inputs me@example.com as the originator and leaves the recipient empty. The search template would parse to

search='index=testindex origin="me@examplecom" recipient="*"'

which should find every email sent from me@example.com

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-02-2013 11:26 PM

Why not set a default for the input fields of * and use this search?

search='index=testindex origin="$originatorKey$" recipient="$recipientKey$"'

That way, if the user leaves one field empty, you will search for * instead, which seems much easier. Using your example, imagine the user inputs me@example.com as the originator and leaves the recipient empty. The search template would parse to

search='index=testindex origin="me@examplecom" recipient="*"'

which should find every email sent from me@example.com

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...