Hello all,
Fairly new to Splunk and have a question.
I am trying to build what seemed like a fairly simple tool but I can't get it to work correctly. I need to search on two different text input values and find results where either value is present. The tricky part is that I don't want to search a field if it's blank.
If I do:
....(Field1=$value1$ OR Field2=$value2$)
Splunk returns results for all values in either field that is left null. I need to be able to not search at all on either one of these values if they are left null. Thanks in advance!
This answer seems to provide the closest guidance for what you're seeking:
https://answers.splunk.com/answers/4911/evaluating-form-field-if-not-null.html
But I don't think it's a complete solution if you want both input fields to be optional. In that case, you may need to add some JavaScript behind the scenes. You can pass tokens to JavaScript, evaluate the status of the tokens, and generate an appropriate query based on that analysis. It shouldn't be too complex if you are comfortable with JavaScript. Here's some documentation to get you started:
http://dev.splunk.com/view/SP-CAAAE25#Addingcode:usingJavaScriptandSearchProcessingLanguage-Loadingc...
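The approach this answer describes, as an added example that is not part of the original thread: a JavaScript function that builds the search clause only from the inputs that were filled in, and quotes each value so text typed into the form stays inside its own term. The function names, the choice to return null when both inputs are blank, and the sample values are assumptions; wiring the result into the dashboard's tokens is not shown.

```javascript
// Added example: build the OR clause only from inputs the user filled in.
// Field names come from the question; function names are hypothetical.

// Quote a user-supplied value for use inside an SPL search string.
// Backslashes and double quotes are escaped so the value cannot close
// the quoted string early and change the rest of the search.
function quoteSplValue(value) {
  return '"' + value.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// inputs: object mapping field name -> raw text-input value (may be
// undefined, null, empty, or whitespace when the input was left blank).
// Returns a parenthesised clause, or null when every input is blank
// (assumption: the caller then skips the search or shows a message).
function buildOptionalFilter(inputs) {
  const terms = [];
  for (const [field, raw] of Object.entries(inputs)) {
    const value = (raw === undefined || raw === null) ? '' : String(raw).trim();
    if (value === '') continue;          // blank input: leave the field out
    terms.push(field + '=' + quoteSplValue(value));
  }
  if (terms.length === 0) return null;   // nothing entered at all
  return '(' + terms.join(' OR ') + ')';
}

// Constructed sample inputs covering the cases from the question.
const samples = [
  { Field1: 'alice', Field2: '' },
  { Field1: '', Field2: '10.0.0.5' },
  { Field1: 'alice', Field2: '10.0.0.5' },
  { Field1: '   ', Field2: undefined },
  { Field1: 'a "quoted" value', Field2: '' },
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', buildOptionalFilter(s));
}
```

A `*` inside the quoted value is still treated as a wildcard by the search, so this handles blank inputs and quoting only.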
Try to add ((Field1=* AND Field1=$value1$) OR (Field2=* AND Field2=$value2$))
field=* means "only select events where field has a value". This should exclude events where either Field1 or Field2 is NULL.
In looking at your answer I realized I didn't phrase the question correctly. Thank you for the help! I just want to clarify what I am after.
The tool will have two text entry fields. I don't want to search at all on a text entry that is left blank. I want the user to be able to enter a value in either input field - if they enter in both it will search for both values. If they enter in only one or the other it will search for that value but ignore the other value in the search - ideally I'd like to only search for the values that get entered.
Does that make more sense?