https://community.splunk.com/t5/Splunk-Search/search-on-variable/m-p/493629#M137663 <P>Hi scottfoley,<BR /> the easiest solution would be to define a drop down field to select the stem and add the label/value pairs so that for example the first label reads <CODE>Item1</CODE> and the first value reads <CODE>/item1/.*</CODE>. Call the token <EM>selection</EM>. Now, if you select "Item1" from the list, the value of selection will be /item1/.* Use it in your search like such: <CODE>sourcetype=iis | regex cs_uri_stem="$selection$" | eval search_stem="$selection$" | table cs_uri_stem search_stem</CODE> <BR /> With dynamic stems, you could also dynamically fill the dropdown values from a search.</P> Mon, 07 Oct 2019 17:10:48 GMT ololdach 2019-10-07T17:10:48Z https://community.splunk.com/t5/Splunk-Search/search-on-variable/m-p/493628#M137662 <P>I have a dashboard where I select the type of item I want to look for in an IIS log. What I look for is a regular expression, but I can show the problem using a simple wildcard. </P> <PRE><CODE>| eval search_stem = "/item/*" | search cs_uri_stem = search_stem </CODE></PRE> <P>This returns nothing. If I replace the search with the actual string it works fine.</P> <PRE><CODE>| search cs_uri_stem = "/item/*" </CODE></PRE> <P>The cs_uri_stem searched for will be a regex expression. Something like this, but more complicated regex and items. </P> <PRE><CODE> sourcetype=iis | eval search_stem = case ( $selection$="item1","/item1/.*", $selection$="item2","/item2/.*", $selection$="item3","/item3/.*" ) | regex cs_uri_stem=search_stem | table cs_uri_stem search_stem </CODE></PRE> <P>I use the table to show that the search_stem is correct. I can't seem to get a trivial example working where I base a search on a variable that contains a wildcard. A similar question to this was answered using the where clause, but that does not work with wildcards or regex. </P> <P>Any suggestions? </P> <P>I am using Splunk Cloud 7.0.11.1</P> Wed, 30 Sep 2020 02:24:11 GMT https://community.splunk.com/t5/Splunk-Search/search-on-variable/m-p/493628#M137662 scottfoley 2020-09-30T02:24:11Z https://community.splunk.com/t5/Splunk-Search/search-on-variable/m-p/493629#M137663 <P>Hi scottfoley,<BR /> the easiest solution would be to define a drop down field to select the stem and add the label/value pairs so that for example the first label reads <CODE>Item1</CODE> and the first value reads <CODE>/item1/.*</CODE>. Call the token <EM>selection</EM>. Now, if you select "Item1" from the list, the value of selection will be /item1/.* Use it in your search like such: <CODE>sourcetype=iis | regex cs_uri_stem="$selection$" | eval search_stem="$selection$" | table cs_uri_stem search_stem</CODE> <BR /> With dynamic stems, you could also dynamically fill the dropdown values from a search.</P> Mon, 07 Oct 2019 17:10:48 GMT https://community.splunk.com/t5/Splunk-Search/search-on-variable/m-p/493629#M137663 ololdach 2019-10-07T17:10:48Z https://community.splunk.com/t5/Splunk-Search/search-on-variable/m-p/493630#M137664 <P>That works. That was my end goal, but I wonder why my example did not work. Still my example was contrived and not something that someone would normally do. I was just testing things outside of a dashboard. </P> <P>Thanks </P> Wed, 09 Oct 2019 15:31:18 GMT https://community.splunk.com/t5/Splunk-Search/search-on-variable/m-p/493630#M137664 scottfoley 2019-10-09T15:31:18Z https://community.splunk.com/t5/Splunk-Search/search-on-variable/m-p/493631#M137665 <P>Hi scottfoley, it appears that splunk treats the content of a variable different from literal values in a <EM>search</EM> command. Variables don't pass through the wildcard processing. Dashboard tokens, however, are being treated as literal values. If you want to implement it somewhat like in your example, try <CODE>...|where cs_uri_stem like search_stem."%"</CODE></P> Thu, 10 Oct 2019 05:39:46 GMT https://community.splunk.com/t5/Splunk-Search/search-on-variable/m-p/493631#M137665 ololdach 2019-10-10T05:39:46Z