Splunk Search

How to use eval with the asterisk wildcard character as the default value for my token?

vijvenug
Explorer

I am trying to format a token in my form and then apply the token value to my search. This works just fine when I use replace.

source=SomeRandomSource filedA='SomeFilter' | eval variable=replace("$tokenVariable$","\\\\","\\\\") | WHERE fieldB=variable| top 15 fieldC

However, when I try to set a default value for my token using <seed></seed> or through a .js script file, I am running into issues. The above search no longer works when the default value `""` is used. But, the search works otherwise.

So, I figured I could use an if to check for the value of my token and then apply replace if necessary. Unfortunately the following does not work either,

source=SomeRandomSource filedA='SomeFilter' | eval variable=if("$tokenVariable$"=="*", "*" , replace("$tokenVariable$","\\\\","\\\\")) | WHERE fieldB=variable| top 15 fieldC

Upon closer inspection, it looks like the following search itself does not work,

source=SomeRandomSource filedA='SomeFilter' | eval variable="*" | WHERE fieldB=variable| top 15 fieldC

OR

source=SomeRandomSource filedA='SomeFilter' | eval variable="*" | WHERE fieldB="*" | top 15 fieldC

Is there some limitation when using Eval with * ?

1 Solution

richgalloway
SplunkTrust

The eval command does not support wildcards - it treats them literally. To get the same functionality, use match(variable,".*") or like(variable,"%") within your eval.

---
If this reply helps you, Karma would be appreciated.

jconger
Splunk Employee

Without seeing the exact data, something like this may work:

source=SomeRandomSource filedA='SomeFilter'  | eval variable=if("$tokenVariable$"=="*", "%", replace("$tokenVariable$","\\\\","\\\\")) | where like(fieldB, variable) | top 15 fieldC
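
The behaviour described in the two answers above, as an added example that is not part of the original thread: a run-anywhere search over three constructed rows, where the hypothetical field `tokenValue` stands in for `$tokenVariable$`. It puts plain equality against `*` side by side with `like()` and `match()`, so the difference shows up per row.

```spl
| makeresults count=3
| streamstats count AS n
| eval fieldB=case(n==1, "alpha", n==2, "beta", n==3, "*")
| eval tokenValue="*"
| eval variable=if(tokenValue=="*", "%", tokenValue)
| eval equals_token=if(fieldB==tokenValue, "true", "false")
| eval like_variable=if(like(fieldB, variable), "true", "false")
| eval match_any=if(match(fieldB, ".*"), "true", "false")
| table fieldB tokenValue variable equals_token like_variable match_any
```

Setting `tokenValue` to `alpha` leaves `variable` unchanged, so `like()` then compares against that single value. Keep in mind that `like()` also treats any `%` or `_` inside a token value as a wildcard.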

vijvenug
Explorer

This works. Thanks, Jason.


vijvenug
Explorer

It is still not clear to me as to how I can accomplish my task though.
My original query works when there is a non-default value assigned to my tokenvariable. But it does not work when the tokenvariable is set to *.

source=SomeRandomSource filedA='SomeFilter' | eval variable=replace("$tokenVariable$","\\","\\") | WHERE fieldB=variable| top 15 fieldC

I tried,

source=SomeRandomSource filedA='SomeFilter' | eval variable=if(match($tokenVariable$,".*"), "$tokenVariable$" , replace("$tokenVariable$","\\","\\")) | WHERE fieldB=variable| top 15 fieldC

But, the above query does not work for both * and any other value assigned to tokenvariable. Any suggestions?
