Hi, I'm facing a problem. I'm trying to solve my current issue via 2 different approaches, but I'm unfortunately unable to complete either of these solutions. I'm trying to provide a dashboard with a form in which some of the fields should allow users to sort data using multiple inclusions or exclusions to fit what each and every team works with.
Solution 1: Using an EVAL tag in the XML code and using the variable in the main basesearch, like "index=test $exclude_uri$ | stats count BY cs_uri_sterm". I tried something like the following, using a panel to display the result:
<form>
<fieldset submitButton="true">
<input type="text" token="exclude" searchWhenChanged="true">
<default></default>
<change>
<eval token="exclude_uri">replace(replace(trim(exclude), "\\s+", " "), "(\\S+)", "cs_uri_sterm!=\"\1\"")</eval>
</change>
</input>
</fieldset>
<row>
<panel>
<html>
<p>Token:<b>$exclude_uri$</b></p>
</html>
</panel>
</row>
</form>
However, I'm facing several issues:
- For some reason, multiple whitespaces are removed by default even if I remove the replace and trim functions dedicated to that. Why?
- \1 does not seem to be recognized. For some reason, a lot of people do not need \\, but it seems like I need them; this does not work for \\1 anyway, only for \s+ and \S+. Any reason? How can I make this work?
On the other hand, it does work if I implement the same in a makeresults test search as follows:
| makeresults
| eval exclude="/assets/* /api/* "
| eval exclude_uri=replace(replace(trim(exclude), "(\S+)", "cs_uri_sterm!=\"\1\""), "\s+", " ")
providing:
_time exclude exclude_uri
2022-11-10 15:21:17 /assets/* /api/* cs_uri_sterm!="/assets/*" cs_uri_sterm!="/api/*"
Why is it different?
Solution 2: Use a makeresults like above and use its output as a direct filter in my basesearch. I tried that, but I'm not able to find a proper solution:
index=test [ | makeresults | eval | eval exclude_uri=replace(replace(trim($exclude$), "(\S+)", "cs_uri_sterm!=\"\1\""), "\s+", " ") | table exclude_uri ]
I should get something like index=test cs_uri_sterm!="/assets/*" cs_uri_sterm!="/api/*" if the user filled in "/assets/* /api/*" in the form text input. I have also tried the same with an MV field:
index=text [ | makeresults | eval exclude_uri=replace(replace(trim($exclude$), "(\S+)", "cs_uri_sterm!=\"\1\""), "\s+", " ") | makemv delim=" " exclude_uri | mvexpand exclude_uri | table exclude_uri ]
Nothing works. I spent a few hours looking for solutions. I even tried to see if I could use something like search ... IN or where something. Any advice? I really need this. JavaScript may be my solution, I don't know. Kind of stuck here.