I have a dashboard where I select the type of item I want to look for in an IIS log. What I look for is a regular expression, but I can show the problem using a simple wildcard.
| eval search_stem = "/item/*"
| search cs_uri_stem = search_stem
This returns nothing. If I replace the search with the actual string it works fine.
| search cs_uri_stem = "/item/*"
The cs_uri_stem searched for will be a regular expression. Something like this, but with more complicated regexes and items.
sourcetype=iis
| eval search_stem = case (
$selection$="item1","/item1/.*",
$selection$="item2","/item2/.*",
$selection$="item3","/item3/.*"
)
| regex cs_uri_stem=search_stem
| table cs_uri_stem search_stem
I use the table to show that the search_stem is correct. I can't seem to get a trivial example working where I base a search on a variable that contains a wildcard. A similar question to this was answered using the where clause, but that does not work with wildcards or regex.
Any suggestions?
I am using Splunk Cloud 7.0.11.1.
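An added example, not part of the original post: `search` and `regex` both read the right-hand side as a literal string rather than a field name, so a pattern held in a field can be compared with the eval function `match()` inside `where` instead. The four events from `makeresults`, their URI values, and the `selection` field standing in for the dashboard token are constructed for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval cs_uri_stem = case(n=1, "/item1/list.aspx", n=2, "/item2/detail.aspx", n=3, "/item3/edit.aspx", n=4, "/other/home.aspx")
| eval selection = "item2"
| eval search_stem = case(
    selection="item1", "^/item1/.*",
    selection="item2", "^/item2/.*",
    selection="item3", "^/item3/.*"
  )
| where match(cs_uri_stem, search_stem)
| table cs_uri_stem search_stem
```

With the constructed data only the `/item2/detail.aspx` row remains; against real logs, the first three lines are replaced by `sourcetype=iis`.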