@livehybrid 
The screenshot is working fine. but if  i implement the same for multiple i am not getting result. do i miss anything in below

[| makeresults
| eval text_search="*$text_search$*"
| eval escaped=replace(text_search, "\\", "\\\\")
| eval FileSource=escaped, RemoteHost=escaped, LocalPath=escaped, RemotePath=escaped
| return FileSource RemoteHost LocalPath RemotePath
]

Hi @ganesanvc 

If you do "| return FileSource RemoteHost LocalPath RemotePath" then its going to do an AND statement between these fields in your main search - is this what you want?

If you want an "OR" then I think you might want to do:

[| makeresults
| eval text_search="*$text_search$*"
| eval escaped=replace(text_search, "\\", "\\\\")
| eval FileSource=escaped, RemoteHost=escaped, LocalPath=escaped, RemotePath=escaped
| table FileSource RemoteHost LocalPath RemotePath
| format "(" "(" "OR" ")" "OR" ")"
]

This will create something like:

( ( FileSource="\\\\Test\\\\abc\\\\test\\\\abc\\\\xxx\\\\OUT\\\\" OR LocalPath="\\\\Test\\\\abc\\\\test\\\\abc\\\\xxx\\\\OUT\\\\" OR RemoteHost="\\\\Test\\\\abc\\\\test\\\\abc\\\\xxx\\\\OUT\\\\" OR RemotePath="\\\\Test\\\\abc\\\\test\\\\abc\\\\xxx\\\\OUT\\\\" ) )

Note - I am not 100% sure how many \\ you are expecting, but when I ran your makeresults search it failed and I had to escape the the replace as:

| eval escaped=replace(text_search, "\\\\", "\\\\\\\\") 

You can run the makeresults on its own and substitute your token to validate the output you get and ensure the search works correctly.

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

@livehybrid  i am getting no result or 0 record for this

Hi @ganesanvc 

Please can you provide the full search you are trying? Did you try it outside the dashboard in the search bar? If there is a problem with the search you should be able to see it clearly there.

Thanks

@livehybrid  yes i am trying it outside dashboard in search bar i not getting any error or result as well

Hi @ganesanvc 

Looking at the square braces there, it looks like you're running the sub-search part in the SPL search box, try removing the [ and ] so that we can see if that works independetly.

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

@livehybrid  if i remove [] its just creating dummy logs with path its not actually searching result. like below

Thanks for your response. I’ve already attempted this, but it didn’t work as expected

Hi @ganesanvc 

Were you able to try the below?

---

@livehybrid wrote:

Hi @ganesanvc 

Does "text_search" come from a search result - or is this something like a token you are passing in? I couldnt tell from the request but if its coming from a token and you want to apply the additional escaping then you can do this:

index=main source="answersDemo" 
    [| makeresults 
    | eval text_search="*\\Test\abc\test\abc\xxx\OUT\*" 
    | eval FileSource=replace(text_search, "\\\\", "\\\\\\\\") 
    | return FileSource ]

Note: I used a sample event in index=main as you can see in the results above using;

| windbag
| head 1 
| eval _raw="Test Event for SplunkAnswers user=Demo FileSource=\"MyFileSystem\\Test\\abc\\test\\abc\\xxx\\OUT\\test.exe\" fileType=exe" 
| eval source="answersDemo" 
| collect index=main output_format=hec

I may have got the wrong end of the stick with what you're looking for here but let me know!

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

@yuanliuYou meant RHS, not LHS 🙂

@ganesanvcI hope you're running this snippet on an already relatively filtered event stream. If you want to use it as an initial search because you're getting the text_search parameter from elsewhere (like a token in a dashboard) you might be way better off using a subsearch to create a verbatim search term.