Splunk Search

How to use eval with the asterisk wildcard character as the default value for my token?

vijvenug
Explorer

I am trying to format a token in my form and then apply the token value to my search. This works just fine when I use replace.

source=SomeRandomSource filedA='SomeFilter' | eval variable=replace("$tokenVariable$","\\\\","\\\\") | WHERE fieldB=variable | top 15 fieldC

However, when I try to set a default value for my token using <seed></seed> or through a .js script file, I am running into issues. The above search no longer works when the default value `*` is used. But the search works otherwise.

So, I figured I could use an if to check for the value of my token and then apply replace if necessary. Unfortunately, the following does not work either:

source=SomeRandomSource filedA='SomeFilter' | eval variable=if("$tokenVariable$"=="*", "*", replace("$tokenVariable$","\\\\","\\\\")) | WHERE fieldB=variable | top 15 fieldC

Upon closer inspection, it looks like the following search itself does not work:

source=SomeRandomSource filedA='SomeFilter' | eval variable="*" | WHERE fieldB=variable | top 15 fieldC

OR

source=SomeRandomSource filedA='SomeFilter' | eval variable="*" | WHERE fieldB="*" | top 15 fieldC

Is there some limitation when using eval with `*`?

0 Karma
1 Solution

richgalloway
SplunkTrust

The eval command does not support wildcards - it treats them literally. To get the same functionality, use match(variable,".*") or like(variable,"%") within your eval.

---
If this reply helps you, Karma would be appreciated.


jconger
Splunk Employee

Without seeing the exact data, something like this may work:

source=SomeRandomSource filedA='SomeFilter' | eval variable=if("$tokenVariable$"=="*", "%", replace("$tokenVariable$","\\\\","\\\\")) | where like(fieldB, variable) | top 15 fieldC
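As an added example (not from any poster in this thread), the same idea generalized so the token may contain a wildcard anywhere (for instance `web*` or `host-?`) rather than being exactly `*`, and so a `*` default needs no special branch. It assumes a dashboard token named `tokenVariable` and uses the `|s` token filter, which wraps the value in double quotes and escapes embedded quotes and backslashes, so the manual `replace(...,"\\\\","\\\\")` step is no longer needed:

```spl
source=SomeRandomSource filedA='SomeFilter'
| eval pattern=$tokenVariable|s$
| eval pattern=replace(pattern, "\*", "%")
| eval pattern=replace(pattern, "\?", "_")
| where like(fieldB, pattern)
| top 15 fieldC
```

A token without any `*` or `?` becomes a pattern with no `%` or `_`, and like() then behaves as an exact comparison, so the non-default case keeps working.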

vijvenug
Explorer

This works. Thanks, Jason.

0 Karma

vijvenug
Explorer

It is still not clear to me how I can accomplish my task, though.
My original query works when there is a non-default value assigned to my tokenVariable, but it does not work when the tokenVariable is set to `*`.

source=SomeRandomSource filedA='SomeFilter' | eval variable=replace("$tokenVariable$","\\","\\") | WHERE fieldB=variable | top 15 fieldC

I tried:

source=SomeRandomSource filedA='SomeFilter' | eval variable=if(match($tokenVariable$,".*"), "$tokenVariable$", replace("$tokenVariable$","\\","\\")) | WHERE fieldB=variable | top 15 fieldC

But the above query does not work for either `*` or any other value assigned to tokenVariable. Any suggestions?

0 Karma