Hi I have a input token in my dashboard for register number called $tok_reg_num$.
The customers can put in a specific number or leave it as the default of "*".
Here's the issue, in one of the dashboard searches I can use the default of "*" (e..g index=blah sourcetype=blahblah register_number=*), in a secondary panel I have to use a where with a LIKE clause due to the different log type to filter the register number so * won't work and I need to change it to a %.
Non-working:
| Where customer="foo" AND like(Register,"*") <--the dashboard default for $tok_reg_num$
I want it to be this:
| Where customer="foo" AND like(Register,"%") <- change the $tok_reg_num$ to %
I have exhausted my meager splunk token experience in trying to get this to work.
I can't figure out if I can examine and change it in the search or do I need to do that on the dashboard. Someone give me a nudge in the right direction, please
Edited after I learned to read:
You should be able to use the replace function for this:
| where customer="foo" AND like(Register,replace("$tok_reg_num$", "\*", "%"))
Original Reply:
Try using searchmatch in your where statement. It will take a regular SPL search statement and is compatible with the asterisk as the wild card.
| where customer="foo" AND searchmatch("Register=\"$tok_reg_num$\"")
Edited after I learned to read:
You should be able to use the replace function for this:
| where customer="foo" AND like(Register,replace("$tok_reg_num$", "\*", "%"))
Original Reply:
Try using searchmatch in your where statement. It will take a regular SPL search statement and is compatible with the asterisk as the wild card.
| where customer="foo" AND searchmatch("Register=\"$tok_reg_num$\"")
Replace was the trick @justinatpnnl . Worked perfectly. Many many thanks!
Randy