- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- How to use variables with wildcards in a search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use variables with wildcards in a search
Hello,
I'm attempting to use a drilldown to search. The original search renamed some fields in order to improve the display in the dashboard, and so in the drilldown search query I'm attempting to do something like (the search includes a wildcard):
eval searchTerm = case("Renamed Value One", "value1*", "Renamed Value Two", "value2*")
This is causing the search to not return any results. I think the eval statement is where it's not working as I expect. If I do:
sourcetype="index" | spath typeId | search typeId=value1*
... then I get the results I expect.
But if I use:
sourcetype="index" | eval new_typeId=value1* | spath typeId | search typeId=new_typeId
... then no results are returned. (I tried both with and without the spath command
I used this answer https://answers.splunk.com/answers/494424/search-using-variables.html as the model for it, but that uses where, which does not allow for wildcards.
How can I use the variable later in a search, when it contains a wildcard?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In drilldowns, you should be able to access values by tokens and use them in any way that you like, just by using $row.newfieldname$. You should not be having any problems with this. Why have you not shown us your actually dashboard link code from the XML? This will clearly show us what you are doing wrong and it should be trivial to fix it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@brandonworkentin can you add some sample data for above searches? Also explain as to what is the purpose of your SPL? Is it JSON or XML?
Ideally you should have searches in your base search to filter and retain only those records which are required. Then you should perform statistical transformation and finally message the data for output. This process retains only minimal events at each subsequent pipes, instead of carrying every event from one pipe to another(even the unnecessary ones).
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
sourcetype="index" | spath typeId | search [| makeresults | eval typeId="value1*" | return typeId]
Broken down, | makeresults | eval typeId="value1*" | return typeId results in a field named search with the value typeId="value1*". When a subsearch returns a field named search this value will be substituted into your search, in this case resulting in a query:
sourcetype="index" | spath typeId | search typeId="value1*"
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
