This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6
If you want to build a more sophisticated form search, use the ExtendedFieldSearch module in a search view. For background on search views, see the search view documentation.
Start your search view with the standard header modules; the view element opened here is closed at the end of the page, after the form search modules:
<view onunloadCancelJobs="False" autoCancelInterval="100">
  <!-- autoCancelInterval is set here to 100 -->
  <label>Sample search</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>
Next, decide what kind of form search you want and pick one or more of the following configurations. Each one follows the same pattern: a HiddenSearch module holds the search string with one $token$ per form field, a nested ExtendedFieldSearch module declares the field (its label in the field param, and the token it fills in the arg of the stringreplace intention), and an EventsViewer renders the results. The user's input replaces the token verbatim, so a field that should match a single value is best placed inside quotes in the search string, as src_ip="$SourceIP$" is further down.
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=$st$</param>
    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="st">
            <param name="default">apache_error</param>
          </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="st">
            <param name="value"></param>
          </param>
        </param>
      </param>
      <param name="field">Sourcetype</param>
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module>
  </module>
...
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=apache_error *$target$*</param>
    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="target">
            <param name="default">500</param>
          </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="target">
            <param name="value"></param>
          </param>
        </param>
      </param>
      <param name="field">Wildcard search</param>
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module>
  </module>
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=apache_error $error$ $hours_ago$</param>
    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="error">
            <param name="fillOnEmpty">True</param>
          </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="error">
            <param name="value"></param>
          </param>
        </param>
      </param>
      <param name="field">Multiple replace (apache search)</param>
      <module name="ExtendedFieldSearch">
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
            <param name="hours_ago">
              <param name="fillOnEmpty">True</param>
              <param name="prefix">starthoursago=</param>
            </param>
          </param>
        </param>
        <param name="replacementMap">
          <param name="arg">
            <param name="hours_ago">
              <param name="value"></param>
            </param>
          </param>
        </param>
        <param name="field">Multiple replace (starthoursago)</param>
        <module name="EventsViewer" layoutPanel="resultsAreaLeft">
          <param name="segmentation">full</param>
        </module>
      </module>
    </module>
  </module>
An optional clause on a second field can be built the same way. Suppose the desired search string is:
eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" OR user="$User$"
The stringreplace intention replaces one token at a time, so approximate this with its "prefix" and "suffix" params, which wrap the substituted value:
eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" $User$
where $User$ is given the prefix 'OR user="' and the suffix '"'. Both fields set fillOnEmpty, so a field the user leaves blank is filled in rather than left as a literal $token$ in the search.
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" $User$</param>
    <module name="ExtendedFieldSearch">
      <param name="field">SourceIP</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="SourceIP">
            <param name="fillOnEmpty">True</param>
            <param name="value"></param>
          </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="SourceIP">
            <param name="value"></param>
          </param>
        </param>
      </param>
      <module name="ExtendedFieldSearch">
        <param name="field">User</param>
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
            <param name="User">
              <param name="fillOnEmpty">True</param>
              <param name="prefix">OR user="</param>
              <param name="suffix">"</param>
            </param>
          </param>
        </param>
        <param name="replacementMap">
          <param name="arg">
            <param name="User">
              <param name="value"></param>
            </param>
          </param>
        </param>
        <module name="EventsViewer" layoutPanel="resultsAreaLeft">
          <param name="segmentation">full</param>
        </module>
      </module>
    </module>
  </module>
...
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">eventtypetag=config_file source=$File$ OR $File$</param>
    <module name="ExtendedFieldSearch">
      <param name="field">File</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="File">
            <param name="value"></param>
          </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="File">
            <param name="value"></param>
          </param>
        </param>
      </param>
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module>
  </module>
...
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">* | stats count by $st$</param>
    <module name="ExtendedFieldSearch">
      <param name="field">Count by field</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
          <param name="st">
            <param name="value"></param>
          </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="st">
            <param name="value"></param>
          </param>
        </param>
      </param>
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module>
  </module>
</view>
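To see what each form above actually dispatches for a given set of field values, here is an added Python model of the stringreplace intention. It is not Splunk code, and the rules it implements for default, fillOnEmpty, prefix and suffix are a reading of the configurations on this page, not a statement of Splunk internals. FORMS transcribes the search strings and token specs from the view; render() builds the final search for a set of field values, including blank ones, and unquoted_tokens() lists the tokens whose value lands in the search without surrounding double quotes. That last check is worth running before exposing a form: a value substituted into a bare $token$ becomes search syntax, whereas src_ip="$SourceIP$" and the prefix/suffix on $User$ keep the value inside a single quoted field match.

```python
import re

# Matches a $token$ placeholder in a HiddenSearch search string.
TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def stringreplace(search, args, values):
    """Model of the stringreplace intention applied to one search string.

    args   -- the intention's arg param: {token: {"default": ..., "fillOnEmpty": ...,
              "prefix": ..., "suffix": ...}}
    values -- what the user typed into each ExtendedFieldSearch field ("" if blank)

    Assumed rules (a reading of the view on this page, not Splunk's own code):
      * a blank field falls back to the token's default, if one is set;
      * a non-empty value is wrapped in prefix/suffix and replaces the token;
      * an empty value with fillOnEmpty=True replaces the token with nothing
        (prefix and suffix are dropped too, so no dangling 'OR user=""');
      * an empty value without fillOnEmpty leaves the literal $token$ in place.
    """
    def substitute(match):
        name = match.group(1)
        spec = args.get(name)
        if spec is None:
            return match.group(0)  # not a form token; leave untouched
        value = values.get(name, "") or spec.get("default", "")
        if value == "":
            return "" if spec.get("fillOnEmpty") else match.group(0)
        return spec.get("prefix", "") + value + spec.get("suffix", "")

    # Collapse the runs of whitespace left behind by removed tokens.
    return " ".join(TOKEN.sub(substitute, search).split())


# Search strings and token specs transcribed from the view above, keyed by a
# short label for each HiddenSearch block.
FORMS = {
    "Sourcetype": ("sourcetype=$st$",
                   {"st": {"default": "apache_error"}}),
    "Wildcard search": ("sourcetype=apache_error *$target$*",
                        {"target": {"default": "500"}}),
    "Multiple replace": ("sourcetype=apache_error $error$ $hours_ago$",
                         {"error": {"fillOnEmpty": True},
                          "hours_ago": {"fillOnEmpty": True, "prefix": "starthoursago="}}),
    "Cardholder authentication": (
        'eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" $User$',
        {"SourceIP": {"fillOnEmpty": True},
         "User": {"fillOnEmpty": True, "prefix": 'OR user="', "suffix": '"'}}),
    "File": ("eventtypetag=config_file source=$File$ OR $File$",
             {"File": {}}),
    "Count by field": ("* | stats count by $st$",
                       {"st": {}}),
}


def render(form, **values):
    """Return the search string the named form would dispatch for these field values."""
    search, args = FORMS[form]
    return stringreplace(search, args, values)


def unquoted_tokens(form):
    """Tokens whose substituted value is not enclosed in double quotes.

    Whatever the user types into such a field is taken as bare search syntax rather
    than one field value. A token counts as quoted if the template wraps it in quotes
    (src_ip="$SourceIP$") or its prefix ends and suffix starts with a quote ($User$).
    """
    search, args = FORMS[form]
    bare = []
    for match in TOKEN.finditer(search):
        name = match.group(1)
        spec = args.get(name, {})
        in_template = (search[match.start() - 1:match.start()] == '"'
                       and search[match.end():match.end() + 1] == '"')
        by_spec = (spec.get("prefix", "").endswith('"')
                   and spec.get("suffix", "").startswith('"'))
        if not (in_template or by_spec):
            bare.append(name)
    return bare


if __name__ == "__main__":
    print(render("Sourcetype"))                                          # default applied
    print(render("Cardholder authentication", SourceIP="10.0.0.5"))      # OR clause dropped
    print(render("Cardholder authentication", SourceIP="10.0.0.5", User="jdoe"))
    print(render("File"))                                                # $File$ left in place
    for form in FORMS:
        print(form, "-> unquoted tokens:", unquoted_tokens(form))
```

Under these rules a blank SourceIP field renders src_ip="" because fillOnEmpty is set but no default is, so if that field is meant to be optional, give its token a default (for instance *) rather than relying on fillOnEmpty alone; that default is a suggestion, not something the view above configures.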