Hi all,
I am trying to use a variable as a search condition based on input in a text box. In order to make it simpler for users, I want them to be able to enter as many potential search strings as possible.
Textbox details on the dashboard:
token: jobname
default: *
token prefix: job=
Example input: "string1 string2 string3"
I then put this through an eval to get a search condition to run:
eventtype=my_eventtype | rex field="some regex (?moreregex)" | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=")
This will mean that the variable jobsearch will be:
"job=string1 OR job=string2 OR job=string3"
How then do I use the variable as a search condition? The obvious way, you would think, would be to do this (carrying on from the above query):
| search $jobsearch$
which doesn't work / returns nothing.
The other way that seemed promising was using macros.
[stringsearch(1)]
args=sstring
definition = search $sstring$
Which doesn't seem to work either, using these examples:
This works:
eventtype=my_eventtype |
stringsearch(mystringtosearch)
This doesn't:
eventtype=my_eventtype | eval var="mystringtosearch" |
stringsearch($var$)
Does anyone know of a way of using strings in variables as conditions?
Thanks and best regards,
Alex

Try these
Using macro
eventtype=my_eventtype | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=") | `stringsearch(jobsearch)`
Using subsearch (will require removing "token prefix: job=" from the text box)
eventtype=my_eventtype [| gentimes start=-1 | eval job="$jobname$" | makemv job | mvexpand job | table job ] | rest of the search

Thanks for your suggestions!
Unfortunately the top example using a macro doesn't work -- that literally searches the string "jobsearch".
The bottom one I can't seem to work into my full search.
eventtype=my_eventtype source="*logfile.log"
| rex "[Tt]he job '(?<job>[^']+)'"
[ | gentimes start=-1
| eval job="email alerts"
| makemv job
| mvexpand job
| table job ]
| transaction host job session startswith="Started running the job" endswith="has succeeded"
| table _time session job duration
Gives me an error:
Error in 'rex' command: Invalid argument: '('
PS: How do I use that codeblock you've used? I'm not sure what the markup is for it and the code html tag is awful.

The bottom search for your full search would be like this:
eventtype=my_eventtype source="*logfile.log" | rex "[Tt]he job '(?<job>[^']+)'" | search [ | gentimes start=-1 | eval job="email alerts" | makemv job | mvexpand job | table job ] | transaction host job session startswith="Started running the job" endswith="has succeeded" | table _time session job duration
To use a code block, either use the '101010' type button above the text area OR add 4 spaces at the start of the line.
Mate, you're a lifesaver on both counts. Thank you very much!
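
Added example, not part of the thread and not Splunk's own code: the subsearch approach from the answers above, reproduced on generated events so it runs on any instance. It goes slightly beyond the answer in two assumed ways: makeresults stands in for gentimes start=-1, and the input is split on commas (makemv delim=",") because makemv splits on spaces by default, which would break a job name such as "email alerts" into two values. The job names and the field n are constructed sample data.

```spl
| makeresults count=4
| streamstats count AS n
| eval job=case(n=1, "email alerts", n=2, "nightly backup", n=3, "string1", n=4, "string2")
| search
    [| makeresults
     | eval job="email alerts,string2"
     | makemv delim="," job
     | mvexpand job
     | table job ]
| table n job
```

The subsearch expands to ( ( job="email alerts" ) OR ( job="string2" ) ), so only rows 1 and 4 are returned. In a dashboard, replace the quoted literal with $jobname|s$, which quotes and escapes the text box value, and leave the token prefix empty.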
