I made a text panel in a Splunk dashboard.
I want to use "AND" and "OR" operations in the text panel for searching contents,
but the "AND" and "OR" operation results are different with my expectation.
If I input "picture"
, it searches the "*picture*"
words.
...| search positive_sentence="*picture*" | ...
If I input "picture OR pic"
, it searches the "*picture OR pic*"
, not "*picture*"
and "*pic*"
.
I know that it's possible with "AND" and "OR" operations if the panel type is multichoice.
How can I solve the this problem?
I want to use text type panel.
Thanks in advance.
The design of the text box filter/input is to just replace the value entered in the text box to the place where it's token is referenced. So, if your search is ... | search positive_sentence="*$yourtextboxtoken$*"
, then, if you enter picture
, the search will be become ... | search positive_sentence="*picture*"
and for picture OR pic
, it will be ... | search positive_sentence="*picture OR pic*"
.
If you're looking for a custom interpretation/transformation of text box values, you'd need to write your SPL accordingly. E.g. if you want picture OR pic
to be translated as ... | search positive_sentence="*picture*" OR positive_sentence="*pic*"
, then something like this would work
your base search | search [| gentimes start=-1 | eval search="positive_sentence=\"*".replace("$yourtextboxtoken$","(\s+(OR|AND)\s+)","*\"\1positive_sentence=\"*")."*\"" | table search]
A simple solution would be to just type this into the search box: picture* OR *pic
Other than that, you would have to use a multiselect
Would a multifield selection be a better option?
Depending on what you're trying to do, you can automatically extract the fields from your data into the multifield list...