Splunk Search

Process User input before search

jpenetra
Explorer

Hello,

I'd like to know if there's any possibility to process the user input before executing a search but without harming the performance. At the moment I have these two text inputs:

{% textinput id="originatorKey" value="$originatorKey$"|token_safe %}

{% textinput id="recipientKey" value="$recipientKey$"|token_safe %}

Now imagine the user inputs me@example.com as the originator and leaves the recipient empty. I want to search for every email sent from me@example.com.

The first idea that I had to make this work was with something like this:

{% searchmanager id="search1" search='index=testindex | eval orig="$originatorKey$" | eval recipient="$recipientKey$" | search ... ' %}

Perhaps using a where clause as well as len to determine if the origin or the recipient should be included or not. But I don't want to follow this path. By using search='index=testindex' the whole index is fetched and this takes a long long time.

Then I thought about this one:

search='index=testindex origin="$originatorKey$" OR recipient="$recipientKey$" | where ((len("$originatorKey$") > 0 AND origin="$originatorKey$") OR len("$originatorKey$")==0) AND ((len("$recipientKey$") > 0 AND recipient="$recipientKey$") OR len("$recipientKey$")==0)'

But it would be better if I could determine beforehand if I need to search for the origin and the recipient or just one of them.

Is this possible?

Thanks

1 Solution

lguinn2
Legend

Why not set a default for the input fields of * and use this search?

search='index=testindex origin="$originatorKey$" recipient="$recipientKey$"'

That way, if the user leaves one field empty, you will search for * instead, which seems much easier. Using your example, imagine the user inputs me@example.com as the originator and leaves the recipient empty. The search template would parse to

search='index=testindex origin="me@example.com" recipient="*"'

which should find every email sent from me@example.com


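The accepted answer keeps both field terms in front of the first pipe, which is what lets Splunk narrow the events it retrieves instead of scanning the whole index. One thing neither post covers: the `$originatorKey$` token is dropped into the SPL string textually, so a value containing a double quote changes the structure of the query rather than the value being searched for. The following Python is an added example, not code from the thread or from Splunk; it models that substitution with the thread's own index and field names, reproduces the answer's default of `*` for an empty input, and assumes the standard SPL rule that a backslash escapes a double quote or a backslash inside a quoted value.

```python
"""Added example (not from the original post or from Splunk): shows what
textual token substitution into SPL does with a hostile value, and how
quoting each value as an SPL string literal keeps the query shape fixed.
Assumes SPL's quoting rule: inside "...", \" and \\ are literal characters."""

INDEX = "testindex"   # index and field names taken from the thread


def build_search_naive(originator: str, recipient: str) -> str:
    """What search='index=testindex origin="$originatorKey$" ...' amounts to:
    the token value lands in the string exactly as typed."""
    return f'index={INDEX} origin="{originator}" recipient="{recipient}"'


def spl_quote(value: str) -> str:
    """Return value as a double-quoted SPL string literal. Backslashes and
    double quotes inside the value are escaped so they stay part of the
    literal instead of terminating it."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def normalise(value: str) -> str:
    """Empty or blank input means 'match anything', the same effect as the
    accepted answer's default of * on the text inputs."""
    value = value.strip()
    return value if value else "*"


def build_search_safe(originator: str, recipient: str) -> str:
    """Same query shape as the answer, but each user value is quoted as an
    SPL literal. Both terms are always present before the first pipe, so
    Splunk can use them to narrow retrieval rather than fetch the index."""
    return (f"index={INDEX} "
            f"origin={spl_quote(normalise(originator))} "
            f"recipient={spl_quote(normalise(recipient))}")


def widens_scope(search: str) -> bool:
    """Crude structural check for the demo: is there an OR or a pipe that
    sits outside a quoted string? Respects backslash escapes inside quotes."""
    in_quotes = False
    i = 0
    while i < len(search):
        c = search[i]
        if c == "\\" and in_quotes:
            i += 2          # skip the escaped character
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif not in_quotes and (c == "|" or search.startswith(" OR ", i)):
            return True
        i += 1
    return False


if __name__ == "__main__":
    # Constructed inputs: the normal case from the thread, then a hostile one.
    print(build_search_naive("me@example.com", "*"))
    hostile = '*" OR index=* | eval x="'
    print(build_search_naive(hostile, ""))   # OR and pipe now outside quotes
    print(build_search_safe(hostile, ""))    # whole value stays a literal
```

Run it and compare the last two lines: the naive form turns the originator field into `origin="*" OR index=* | eval ...`, while the quoted form searches for that string as a literal field value. In a Splunk dashboard the equivalent of `spl_quote` is to apply the token's quoting filter (in Simple XML, `$originatorKey|s$`) rather than interpolating the raw token.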
