I have one user interactive input from a < form > that needs to go to two searches - wherever it gets a match must display in the form of a table.
I have created a dashboard and can pass in an ID using < searchTemplate> and < fieldset > - basically I pass a token by the name of $ID$ into the search inside the searchTemplate.
However searchTemplate only ever takes in one search - for me there's TWO sourcetypes - if I cannot get this id from Sourcetype A I need to be able to look in Sourcetype B - how would I accomplish that in one form using ONE actual search entry into < searchTemplate> ?
Something like this ---->
< searchtemplate >
sourcetype="A" idInTableA="$ID$"
sourcetype="B" idInTableB="$ID$"
< /searchtemplate >
Any ideas so as to the most sensible way to go about this ?
That by the way, did not work.
Splunk errors out saying it is unable to parse the search
(sourcetype=A idInTableA="$ID$") OR (sourcetype=B idInTableB="$ID$")
?