Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Dashboard token value substitution
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi I have a input token in my dashboard for register number called $tok_reg_num$.
The customers can put in a specific number or leave it as the default of "*".
Here's the issue, in one of the dashboard searches I can use the default of "*" (e..g index=blah sourcetype=blahblah register_number=*), in a secondary panel I have to use a where with a LIKE clause due to the different log type to filter the register number so * won't work and I need to change it to a %.
Non-working:
| Where customer="foo" AND like(Register,"*") <--the dashboard default for $tok_reg_num$
I want it to be this:
| Where customer="foo" AND like(Register,"%") <- change the $tok_reg_num$ to %
I have exhausted my meager splunk token experience in trying to get this to work.
I can't figure out if I can examine and change it in the search or do I need to do that on the dashboard. Someone give me a nudge in the right direction, please
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Edited after I learned to read:
You should be able to use the replace function for this:
| where customer="foo" AND like(Register,replace("$tok_reg_num$", "\*", "%"))
Original Reply:
Try using searchmatch in your where statement. It will take a regular SPL search statement and is compatible with the asterisk as the wild card.
| where customer="foo" AND searchmatch("Register=\"$tok_reg_num$\"")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Edited after I learned to read:
You should be able to use the replace function for this:
| where customer="foo" AND like(Register,replace("$tok_reg_num$", "\*", "%"))
Original Reply:
Try using searchmatch in your where statement. It will take a regular SPL search statement and is compatible with the asterisk as the wild card.
| where customer="foo" AND searchmatch("Register=\"$tok_reg_num$\"")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Replace was the trick @justinatpnnl . Worked perfectly. Many many thanks!
Randy
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
