Splunk Search

Where's Where's Wildcarding?

code_monkey
Engager
| where $click.name$ == if("$click.value$" == "Totals", * , "$click.value$")  

This bit of code is intended to allow us to use a drill-down on a table that includes a generated row where the clicked value or the clicked value's field name may not be descriptive search terms, specifically a row of column totals. Obviously, it doesn't work.

  1. Where appears to lack the wildcarding semantic entirely, which makes sense I suppose. However, I rather need that bit of functionality.
  2. A bare * isn't really a valid return value here, a quoted one becomes a useless string literal, and an escaped one doesn't work either.

I was wondering if anyone had a better approach to this kind of last-minute substitution-chicanery, or if anyone knows how to get a match-any boolean expression out of a where clause?

Tags (1)
0 Karma
1 Solution

ziegfried
Influencer

As far as I've understood your intention, you could probably do it this way:

... | where if("$click.value$" == "Totals", true(), $click.name$ == "$click.value$")

Edit:

Here's how you could use the eval command to create conditions for a search:

<some search conditions> [ | stats count | eval search=if("$click.value$" == "Totals", "*", "$click.name$=\"$click.value$\"") | fields search ]

The subsearch (within the square brackets) will expand to an additional search condition for the outer search. (The stats count part is just used to great a single result, thats rather hack/workaround)

View solution in original post

ziegfried
Influencer

As far as I've understood your intention, you could probably do it this way:

... | where if("$click.value$" == "Totals", true(), $click.name$ == "$click.value$")

Edit:

Here's how you could use the eval command to create conditions for a search:

<some search conditions> [ | stats count | eval search=if("$click.value$" == "Totals", "*", "$click.name$=\"$click.value$\"") | fields search ]

The subsearch (within the square brackets) will expand to an additional search condition for the outer search. (The stats count part is just used to great a single result, thats rather hack/workaround)

ziegfried
Influencer

I've added an example on how you could use the eval command to create conditions for a search query.

0 Karma

ziegfried
Influencer

The where command doesn't "return" anything. It will simply remove those results where the expression evaluates to false. You can use the eval command to create new fields.

0 Karma

code_monkey
Engager

That does solve it, since where just wants a boolean. I'm still curious about how I'd return something like a wildcard or other non-string value.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...