Splunk Search

Use variable as complete search string

ameyad
Engager

I am trying to create a dashboard. It has two input text fields.
I want to run a search query based on these two inputs.

If input A is null AND input B is null then no search results
If input A is not null AND input B is null then search using only A
If input A is null AND input B is not null then search using only B

If input A is null AND input B is not null then search using both A and B

Following is my query. It returns no results 

 

Properties.application="xyz.api"
| spath Level 
| search Level!=Verbose AND Level!=Debug
| eval search_condition_fnum=if(len(trim("$text_fnum$"))=0 OR isnull("$text_fnum$"), "", "RenderedMessage=\"*$text_fnum$*\"")
| eval search_condition_fdate=if(len(trim("$text_fdate$"))=0 OR isnull("$text_fdate$"), "", "RenderedMessage=\"*$text_fdate$*\"")
| eval combined_search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ")
| table search_condition_fnum, search_condition_fdate, combined_search_condition
| search [| makeresults | eval search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ") | fields search_condition]

 



Labels (2)

yuanliu
SplunkTrust
SplunkTrust

It appears to me that you are overthinking the search language.  Assuming that RenderedMessage is already extracted (as is implied in your illustrated code), you can use

roperties.application="xyz.api"
  (RenderedMessage="*$text_fnum$*" AND RenderedMessage="*$text_fdate$*")
| spath Level 
| search Level!=Verbose AND Level!=Debug
| eval combined_search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ")

If you run this on paper, you will see that the wildcards will cause the search to behave as you described.

Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...