Hi all,
I am trying to use a variable as a search condition based on input in a text box. In order to make it simpler for users, I want them to be able to enter as many potential search strings as possible.
Textbox details on the dashboard:
token: jobname
default: *
token prefix: job=
Example input: "string1 string2 string3"
I then put this through an eval to get a search condition to run:
eventtype=my_eventtype | rex field="some regex (?moreregex)" | eval jobname="$jobname$" | eval jobsearch=replace(jobname, " ", " OR job=")
This will mean that the variable jobsearch will be:
"job=string1 OR job=string2 OR job=string3"
How then do I use the variable as a search condition? The obvious way, you would think, would be to do this (carrying on from the above query):
| search $jobsearch$
which doesn't work / returns nothing.
The other way that seemed promising was using macros.
[stringsearch(1)]
args=sstring
definition = search $sstring$
Which doesn't seem to work either, using these examples:
This works:
eventtype=my_eventtype | `stringsearch(mystringtosearch)`
This doesn't:
eventtype=my_eventtype | eval var="mystringtosearch" | `stringsearch($var$)`
Does anyone know of a way of using strings in variables as conditions?
Thanks and best regards,
Alex
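
An added example, not part of the original post: a field created by eval exists only per event while the search runs, so it cannot be expanded into the search string the way a dashboard token or a macro argument is, whereas a subsearch that returns a field named search has its value inserted into the outer search as text. The example reuses the post's jobname token (with its job= prefix) and placeholder rex, and assumes that makeresults is available and that job is the field the rex extracts.

```spl
eventtype=my_eventtype
| rex field="some regex (?moreregex)"
| search
    [| makeresults
     | eval search=replace("$jobname$", " ", " OR job=")
     | fields search]
```

With the example input the subsearch returns job=string1 OR job=string2 OR job=string3, and the outer search filters events on that expression.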