Splunk Search

Conditionaly Change form input variable value in the form search query

hartfoml
Motivator

I have a form that is doing SQL seach and Splunk Search using one veriable input text. When I want to use a wild card in the form I put in a "%" for SQL but this does not work for Splunk. For splunk I need to use a "*".

I tried using the eval with the if commend to change the wild card but this did not work

useing:
<input type="text" token="ip">


Then puting in the wild card "%" in the form

Then | dbquery MVM "SELECT * from TABLE WHERE IP LIKE '%$ip$%'

the SQL search runes like this | dbquery MVM "SELECT * from TABLE WHERE IP LIKE '%%%'

Then index=foo | eval ip=if(ip="%","*",ip) | search IP="*$ip$*"

the splunk search runes like this index=foo | eval ip=if(ip="%","*",ip) | search IP="*%*"

How can I convert the % to a * for the splunk search?

0 Karma

sundareshr
Legend

For your splunk search, have you tried .. | where like(ip, $ip$). With this approach, you will not have to change the % to *. Give it a try!

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Get Agentic with Splunk Lantern: Connect to Cisco Cloud Control, Transform ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

July Community Events: Master ITSI 5.0 & Automate Splunk

Struggling with alert fatigue or feeling like you're spending more time on infrastructure maintenance than ...

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...