Using form input to search for multiple token vari...

stevegadd · ‎12-29-2017

I have a basic dropdown in a form where we are searching for a user name in First Name Last Name format. I want to be able to take that token and use it in searches with multiple variations. An example is : index=foo search user="First Name Last Name" OR user="First Name.LastName".

Any help appreciated!

akocak · ‎12-29-2017

if you know dropdown format, you can achieve this in search like: (Let's say there is a space between)

    index=foo.. | eval mval=$token$| rex field=mval "^(?<firstname>\w+)\s(?<lastname>\w+)$"
    | search (user=mval OR user=firstname.".".lastname

Having 'user=' in first pipe next to index would be more optimized. However, it would require some tweaking in Dashboard XML or Macro.

Macro:
you need to create a macro that takes only one parameter (your token), and returns a string like:
(user="fname lname" OR user=fname.lname)
Ex:

[| makeresults | eval mval=$param$
| rex field=mval "^(?<fname>\w+)\s(?<lname>\w+)$" 
| eval search = "(user=".fname," ".lname." OR user=".fname.".".lname.")" 
| return $search]

Then you can call it in your search as:

index=foo 'mymacro($token$)'

XML:
I couldn't think of a way now using 'change' or 'set' tags. however, I am sure there are ways. I am sure somesoni will explain this part 🙂

Using form input to search for multiple token variations

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases