I've made a form that allows a user to select with radio buttons whether multiple search fields are treated as an AND or as an OR. They have the option to fill out some or all of the form fields. However, the problem I run into when I have null fields is that Splunk is unhappy with duplicate boolean operators (OR OR or AND AND). I can't simply use a default * because that will mess up OR.

My code is as follows:

<form>
  <label>Search</label>
  <searchTemplate>index=Stuff ($Field1$ $andor$ $Field2$ $andor$ $Field3$)</searchTemplate>

  <fieldset>
    <input type="text" token="Field1">
      <label>Search 1</label>
      <prefix>DBField1="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>

  <fieldset>
    <input type="text" token="Field2">
      <label>Search 2</label>
      <prefix>DBField2="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>

  <fieldset>
    <input type="text" token="Field3">
      <label>Search 3</label>
      <prefix>DBField3="</prefix>
      <suffix>"</suffix>
    </input>

    <input type="time">
      <default>Last 30 days</default>
    </input>

    <input type="radio" token="andor">
      <label>AND or OR</label>
      <choice value="AND">AND</choice>
      <choice value="OR">OR</choice>
      <default>OR</default>
    </input>
  </fieldset>

</form>

Is there anything that can be done? I've tried numerous rows of eval if(Field1="Field1=&quot;&quot;"), but all I end up with is Splunk Handler exceptions.

asked 22 Jul '10, 01:26

Tisiphone 1


2 Answers:

Make your entire search into a macro:

<searchTemplate>index=Stuff `searchquery($Field1$,$Field2$,$Field3$,$andor$)`</searchTemplate>


# macros.conf
[searchquery(4)]
args = f1,f2,f3,ao
iseval = true
definition = "$f1$" + if(len("$f2$")>0," $ao$ $f2$","") + if(len("$f3$")>0," $ao$ $f3$","")
answered 22 Jul '10, 02:30

gkanapathy ♦

Or possibly, add the operator into the prefix:

<prefix>$andor$ DBField3="</prefix>

But I'm not sure that will actually work.

answered 22 Jul '10, 03:46

gkanapathy ♦

I tried that previously and it did not work, chicken and the egg thing. I am still working on implementing the previous - working out syntax errors. I'll let you know how it goes.

(22 Jul '10, 20:24) Tisiphone 1

Hmm, something about this statement is making Splunk explode. I think it may have to do with quotes in XML. Still working on it.

(23 Jul '10, 00:04) Tisiphone 1

Right. If it's quotes in XML, replace it with the string &quot; or else wrap the whole string in a CDATA tag, e.g. <![CDATA[stuff="]]>. But I suspect this won't work anyway and suggest you use the macro method instead.

(23 Jul '10, 00:29) gkanapathy ♦

The macro is what is exploding.

(23 Jul '10, 01:37) Tisiphone 1
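
The join logic this thread is after, as an added Python example (not part of the original posts and not Splunk's own code): it skips blank fields so no doubled or dangling operator is produced, restricts the operator to AND or OR, and backslash-escapes quotes inside values. The function names and the idea of assembling the search string outside the form XML are assumptions; the field names and index=Stuff come from the question.

```python
import re

ALLOWED_OPERATORS = {"AND", "OR"}
FIELD_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def quote_value(value):
    """Escape backslashes and double quotes so the value stays inside its SPL string."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_clause(fields, operator):
    """Join the non-empty field filters with a single operator.

    fields: ordered (field_name, user_value) pairs. Blank values are skipped,
    so "OR OR", "AND AND" or a leading/trailing operator cannot be produced.
    """
    if operator not in ALLOWED_OPERATORS:
        raise ValueError("operator must be AND or OR")
    terms = []
    for name, value in fields:
        if not FIELD_NAME.fullmatch(name):
            raise ValueError("bad field name: %r" % name)
        value = (value or "").strip()
        if value:
            terms.append("%s=%s" % (name, quote_value(value)))
    if not terms:
        return ""  # every field was left blank: add no clause at all
    return "(" + (" %s " % operator).join(terms) + ")"


def build_search(fields, operator, base="index=Stuff"):
    """Append the clause to the base search only when there is one."""
    clause = build_clause(fields, operator)
    return base + " " + clause if clause else base


if __name__ == "__main__":
    # Constructed sample input: first field blank, last value contains a quote.
    sample = [("DBField1", ""), ("DBField2", "alpha"), ("DBField3", 'O"Brien')]
    print(build_search(sample, "OR"))
```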
Asked: 22 Jul '10, 01:26

Seen: 1,337 times

Last updated: 05 Aug '10, 04:23

Copyright © 2005-2012 Splunk Inc. All rights reserved.