- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Clarification on the search in Form
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Clarification on the search in Form
Hi,
A form was created using simple XML containing two components as two text boxes named as Filename and Status.When the search button is clicked the values given in the textboxes get replaced in the search as follows
"Base search query"|search Filename=$filename$ Status=$status$
and the result was got displaying the record that has both filename and status.I want the search to run with the minimal information given displaying the same results as when complete information given.For example Among the two textboxes,when only filename or status is given, the search should give the same results as when both filename and status are given.
I tried giving the search as
"Base search query"|search Filename=$filename OR Status=$status$
But when only Filename was given in the form leaving the Status field blank,the error was displayed as
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side.
Can anyone say reason for the error and any alternative way to acheive this requirement
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello,
I hope that I anderstand what you want to do!
I think you have to set the default values of $filename$ and $status$ to *, so if you want to search only for status and accept all fielnames it would look like this:
"Base search query"|search Filename=* AND Status=$status$"
Furthermore you can put your filters in your main search before you use a |search...
Greetings
C_Sparn
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The reson for the error is that splunk does not accept a blank value after an "field =" filter. You can set a value or you can use * to disable the filter/to search for all. But a better possibility is to use the tag not just for the value you want to filter for, but use the tag for a complete part of a search like this:
"Base search query"|search $filename$ AND $status$"
For this example $filename$ has to be set to "Filename=*"
and $status$ to "Status=value_you_want_to_filter_for"
In the xml structure you can use
to handle this problems.
Greetings
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks...Can you explain the reason for the error that i stated above
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
