I am trying to format a token in my form and then apply the token value to my search. This works just fine when I use replace.
source=SomeRandomSource filedA='SomeFilter' | eval variable=replace("$tokenVariable$","\\\\","\\\\") | WHERE fieldB=variable| top 15 fieldC
However, when I try to set a default value for my token using <seed></seed> or through a .js script file, I am running into issues. The above search no longer works when the default value `""` is used. But, the search works otherwise.
So, I figured I could use an `if` to check for the value of my token and then apply `replace` if necessary. Unfortunately the following does not work either,
source=SomeRandomSource filedA='SomeFilter' | eval variable=if("$tokenVariable$"=="*", "*" , replace("$tokenVariable$","\\\\","\\\\")) | WHERE fieldB=variable| top 15 fieldC
Upon closer inspection, it looks like the following search itself does not work,
source=SomeRandomSource filedA='SomeFilter' | eval variable="*" | WHERE fieldB=variable| top 15 fieldC
OR
source=SomeRandomSource filedA='SomeFilter' | eval variable="*" | WHERE fieldB="*" | top 15 fieldC
Is there some limitation when using Eval with `*`?
The `eval` command does not support wildcards - it treats them literally. To get the same functionality, use `match(variable,".*")` or `like(variable,"%")` within your eval.
Without seeing the exact data, something like this may work:
source=SomeRandomSource filedA='SomeFilter' | eval variable=if("$tokenVariable$"=="*", "%", replace("$tokenVariable$","\\\\","\\\\")) | where like(fieldB, variable) | top 15 fieldC
This works. Thanks, Jason.
The `eval` command does not support wildcards - it treats them literally. To get the same functionality, use `match(variable,".*")` or `like(variable,"%")` within your eval.
It is still not clear to me as to how I can accomplish my task though.
My original query works when there is a non-default value assigned to my tokenvariable. But it does not work when the tokenvariable is set to *
source=SomeRandomSource filedA='SomeFilter' | eval variable=replace("$tokenVariable$","\\","\\") | WHERE fieldB=variable| top 15 fieldC
I tried,
source=SomeRandomSource filedA='SomeFilter' | eval variable=if(match($tokenVariable$,".*"), "$tokenVariable$" , replace("$tokenVariable$","\\","\\")) | WHERE fieldB=variable| top 15 fieldC
But, the above query does not work for both * and any other value assigned to tokenvariable. Any suggestions?
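The literal-versus-wildcard behaviour discussed in this thread can be checked without any indexed data. The search below is an added example, not code from any poster: the `fieldB` rows and the `token` values are constructed samples standing in for `$tokenVariable$`, and it goes slightly beyond the answer's `if()` by converting every `*` in the token to `%`, so prefix patterns such as `al*` are handled too.

```spl
| makeresults
| eval fieldB=split("alpha,alpine,beta,*", ",")
| mvexpand fieldB
| eval token=split("*,al*,beta", ",")
| mvexpand token
| eval variable=replace(token, "[*]", "%")
| eval equals_result=if(fieldB==token, "match", "no match")
| eval like_result=if(like(fieldB, variable), "match", "no match")
| sort token fieldB
| table token fieldB equals_result like_result
```

In the output, `equals_result` matches the token `*` only against the row whose `fieldB` is the literal character `*`, while `like_result` matches it against every row. A token that itself contains `%` or `_` is also read as a wildcard by `like()`.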