Re: prefix string to search query

manikdham · ‎08-28-2012

I am creating an app and want to prefix index= to all searches done in the app.
Is there a way this can be done. The idea is to keep the string either hidden or automatically prefix in the search query.

jonuwz · ‎08-28-2012

You can do it per view, but not per app (as far as i'm aware)

This will add the equivalent of "NOT source=apache_log" to the beginning of all searches.

<module name="HiddenIntention">
  <param name="intention">
    <param name="name">negateterm</param>
    <param name="arg">
      <param name="source">apache_log</param>
    </param>
    <param name="flags"><list>indexed</list></param>
  </param>

One thing you need to be careful of is users bypassing this by just typeing the query in the url
i.e. https://localhost/en-GB/myapp/search/?q=search source=apache_log.

Putting this above your SumbitButton prevents that :

<module name="Gimp"/>

You can also set a prefix search based on roles : If you go to :

Manager » Access controls » Roles » your_role

There's an option to enter a restiction term applied to all searches.

John

jonuwz · ‎09-10-2012

You wrap it around any searches you want to be modified by your intention. (Don't forget to close the </module>

Also, HiddenIntention might not be valid as a root module, wrap it in a GenericHeader to test

manikdham · ‎08-31-2012

Where do i add this module....when i add this module...my view becomes unavailable...

prefix string to search query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation