Splunk Dev
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use variables with wildcards in a search

brandonworkenti
New Member
‎12-29-2017 01:02 PM

Hello,

I'm attempting to use a drilldown to search. The original search renamed some fields in order to improve the display in the dashboard, and so in the drilldown search query I'm attempting to do something like (the search includes a wildcard):

eval searchTerm = case("Renamed Value One", "value1*", "Renamed Value Two", "value2*")

This is causing the search to not return any results. I think the eval statement is where it's not working as I expect. If I do:

sourcetype="index" | spath typeId | search typeId=value1*

... then I get the results I expect.

But if I use:

sourcetype="index" | eval new_typeId=value1* | spath typeId | search typeId=new_typeId

... then no results are returned. (I tried both with and without the spath command

I used this answer https://answers.splunk.com/answers/494424/search-using-variables.html as the model for it, but that uses where, which does not allow for wildcards.

How can I use the variable later in a search, when it contains a wildcard?

Thanks!

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎12-31-2017 12:27 PM

In drilldowns, you should be able to access values by tokens and use them in any way that you like, just by using $row.newfieldname$. You should not be having any problems with this. Why have you not shown us your actually dashboard link code from the XML? This will clearly show us what you are doing wrong and it should be trivial to fix it.

0 Karma
Reply

niketn
Legend
‎12-30-2017 11:02 AM

@brandonworkentin can you add some sample data for above searches? Also explain as to what is the purpose of your SPL? Is it JSON or XML?

Ideally you should have searches in your base search to filter and retain only those records which are required. Then you should perform statistical transformation and finally message the data for output. This process retains only minimal events at each subsequent pipes, instead of carrying every event from one pipe to another(even the unnecessary ones).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

micahkemp
Champion
‎12-29-2017 06:04 PM

Try this:

sourcetype="index" | spath typeId | search [| makeresults | eval typeId="value1*" | return typeId]

Broken down, | makeresults | eval typeId="value1*" | return typeId results in a field named search with the value typeId="value1*". When a subsearch returns a field named search this value will be substituted into your search, in this case resulting in a query:

sourcetype="index" | spath typeId | search typeId="value1*"

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
li.common.scroll-to.top