I have a form that is doing a SQL search and a Splunk search using one variable input text. When I want to use a wildcard in the form I put in a "%" for SQL, but this does not work for Splunk. For Splunk I need to use a "*".
I tried using eval with the if command to change the wildcard, but this did not work.
Using:
<input type="text" token="ip">
Then putting in the wildcard "%" in the form
Then | dbquery MVM "SELECT * from TABLE WHERE IP LIKE '%$ip$%'"
The SQL search runs like this: | dbquery MVM "SELECT * from TABLE WHERE IP LIKE '%%%'"
Then index=foo | eval ip=if(ip="%","*",ip) | search IP="*$ip$*"
The Splunk search runs like this: index=foo | eval ip=if(ip="%","*",ip) | search IP="*%*"
How can I convert the % to a * for the Splunk search?
For your Splunk search, have you tried .. | where like(ip, $ip$)? With this approach, you will not have to change the % to *. Give it a try!
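An added example, not code from either post: a Python helper for a script that builds both queries from the one form value, translating the LIKE wildcards for Splunk and rejecting input that could break out of the quoted SQL or SPL string. It goes beyond the question by also handling `_`. The function names are hypothetical, and the allowlist assumes the field only ever holds an IPv4 fragment plus `%` and `_`.

```python
import re

# Assumption: the form field holds an IPv4 fragment plus the LIKE wildcards % and _.
ALLOWED = re.compile(r"[0-9.%_]{1,32}")


def validate(fragment):
    """Reject anything outside the allowlist before it is placed in a query.

    Quotes, pipes, spaces and backslashes are not in the allowlist, so the
    value cannot close the quoted string in either the SQL or the SPL text.
    """
    if not ALLOWED.fullmatch(fragment):
        raise ValueError("unexpected character in IP filter: %r" % fragment)
    return fragment


def like_to_wildcard(pattern):
    """LIKE pattern -> Splunk search wildcard.

    '%' maps to '*'. Splunk search has no one-character wildcard, so '_'
    is widened to '*' as well; runs of '*' are collapsed to one.
    """
    return re.sub(r"\*+", "*", pattern.replace("%", "*").replace("_", "*"))


def like_to_regex(pattern):
    """LIKE pattern -> anchored regex that keeps exact LIKE semantics."""
    parts = {"%": ".*", "_": "."}
    return "^" + "".join(parts.get(c, re.escape(c)) for c in pattern) + "$"


def build_searches(fragment):
    """Build the SQL and Splunk searches from the post for one validated input."""
    like = "%" + validate(fragment) + "%"  # same %...% wrapping as the post
    return {
        "sql": "SELECT * FROM TABLE WHERE IP LIKE '" + like + "'",
        "spl": 'index=foo IP="' + like_to_wildcard(like) + '"',
        "spl_exact": 'index=foo | where match(IP, "' + like_to_regex(like) + '")',
    }


if __name__ == "__main__":
    # Constructed sample inputs: the lone wildcard from the post and an IP prefix.
    for sample in ("%", "10.1"):
        for name, query in build_searches(sample).items():
            print(name, "->", query)
```
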