Dashboards & Visualizations

Boolean Operators as Variables

Tisiphone_1
Explorer

I've made a form that allows a user to select with radio buttons whether multiple search fields are treated as an AND or as an OR. They have the option to fill out some or all of the form fields. However, the problem I run into when I have null fields is that Splunk is unhappy with duplicate boolean operators (OR OR or AND AND). I can't simply use a default * because that will mess up OR.

My code is as follows:

<form>
  <label>Search</label>
  <searchTemplate>index=Stuff ($Field1$ $andor$ $Field2$ $andor$ $Field3$)</searchTemplate>

  <fieldset>
    <input type="text" token="Field1">
      <label>Search 1</label>
      <prefix>DBField1="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>

  <fieldset>
    <input type="text" token="Field2">
      <label>Search 2</label>
      <prefix>DBField2="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>

  <fieldset>
    <input type="text" token="Field3">
      <label>Search 3</label>
      <prefix>DBField3="</prefix>
      <suffix>"</suffix>
    </input>

    <input type="time">
      <default>Last 30 days</default>
    </input>

    <input type="radio" token="andor">
      <label>AND or OR</label>
      <choice value="AND">AND</choice>
      <choice value="OR">OR</choice>
      <default>OR</default>
    </input>
  </fieldset>

</form>

Is there anything that can be done? I've tried numerous rows of eval if(Field1="Field1=&quot;&quot;"), but all I end up with is Splunk Handler exceptions.

Tags (1)
0 Karma
1 Solution

gkanapathy
Splunk Employee

Make your entire search into a macro:

<searchTemplate>index=Stuff `searchquery($Field1$,$Field2$,$Field3$,$andor$)`</searchTemplate>


[searchquery(4)]
args = f1,f2,f3,ao
iseval = true
# Append each later argument only when it is non-empty, so a blank form
# field never leaves a doubled or dangling operator.
definition = "$f1$" + if(len("$f2$")>0," $ao$ $f2$","") + if(len("$f3$")>0," $ao$ $f3$","")

View solution in original post

0 Karma
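As an added example (not code from the thread or from Splunk), here is the same "join only the non-empty fields with one operator" logic the macro implements, written in Python so it can be run and tested offline. The function names `escape_value`, `build_clause` and `build_search` are my own, and the field names mirror the form above. Beyond what the macro does, it escapes backslashes and double quotes in the user-typed values, which the form's prefix/suffix tokens do not, so a value entered in a text box stays inside its quoted term instead of closing it and altering the rest of the search.

```python
# Added example: assemble the boolean clause from optional form fields the
# way the searchquery macro does, skipping blank fields so no operator is
# doubled or left dangling. Names here are illustrative, not Splunk APIs.


def escape_value(value: str) -> str:
    """Escape backslashes and double quotes so a user-supplied value stays
    inside its quoted term (SPL accepts \\" inside a quoted string)."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_clause(fields: dict, operator: str) -> str:
    """Join the non-empty fields as Name="value" terms with one operator.

    fields maps the search field name to the raw text the user typed; None,
    an empty string or whitespace only means the form field was left blank.
    """
    if operator not in ("AND", "OR"):
        raise ValueError(f"operator must be AND or OR, got {operator!r}")
    terms = [
        f'{name}="{escape_value(value.strip())}"'
        for name, value in fields.items()
        if value is not None and value.strip()
    ]
    return f" {operator} ".join(terms)


def build_search(index: str, fields: dict, operator: str) -> str:
    """Full search string. The parenthesised clause is omitted entirely when
    every field is blank, so the search never degrades to 'index=Stuff ()'."""
    clause = build_clause(fields, operator)
    if not clause:
        return f"index={index}"
    return f"index={index} ({clause})"


if __name__ == "__main__":
    # Constructed sample input: Search 2 left blank, Search 3 contains a quote.
    sample = {"DBField1": "alice", "DBField2": "", "DBField3": 'bob" OR x="1'}
    print(build_search("Stuff", sample, "OR"))
```

With Search 2 blank and the operator set to OR, the sample prints `index=Stuff (DBField1="alice" OR DBField3="bob\" OR x=\"1")`: one operator between the two populated terms, and the quote typed into Search 3 kept inside its term.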

gkanapathy
Splunk Employee

Or possibly, add the operator into the prefix:

<prefix>$andor$ DBField3="</prefix>

But I'm not sure that will actually work.

0 Karma

Tisiphone_1
Explorer

The macro is what is exploding.

0 Karma

gkanapathy
Splunk Employee

Right. If it's quotes in XML, replace them with the string &quot; or else wrap the whole string in a CDATA tag, e.g. <![CDATA[stuff="]]>. But I suspect this won't work anyway and suggest you use the macro method instead.

0 Karma

Tisiphone_1
Explorer

Hmm, something about this statement is making Splunk explode. I think it may have to do with quotes in XML. Still working on it.

0 Karma

Tisiphone_1
Explorer

I tried that previously and it did not work, chicken and the egg thing. I am still working on implementing the previous - working out syntax errors. I'll let you know how it goes.

0 Karma
