Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard token value substitution

randy_moore
Path Finder
‎08-19-2021 09:17 AM

Hi  I have a input token in my dashboard for register number called $tok_reg_num$.
The customers can put in a specific number or leave it as the default of "*".   

Here's the issue,  in one of the dashboard searches I can use the default of "*"   (e..g  index=blah sourcetype=blahblah register_number=*),  in a secondary panel  I have to use a where  with a LIKE clause due to the different log type to filter the register number so * won't work and I need to change it to a  %.   

Non-working:
| Where customer="foo" AND like(Register,"*")  <--the  dashboard default for  $tok_reg_num$

I want it to be this:
| Where customer="foo" AND like(Register,"%")  <- change the $tok_reg_num$ to %

I have exhausted my meager splunk token experience in trying to get this to work. 
I can't figure out if I can examine and change it in the search  or do I need to do that  on the dashboard.   Someone give me a nudge in the right direction, please 

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-19-2021 09:31 AM

Edited after I learned to read:

You should be able to use the replace function for this:

 

| where customer="foo" AND like(Register,replace("$tok_reg_num$", "\*", "%"))

 

Original Reply:

Try using searchmatch in your where statement.  It will take a regular SPL search statement and is compatible with the asterisk as the wild card.

 

| where customer="foo" AND searchmatch("Register=\"$tok_reg_num$\"")

 

View solution in original post

Reply
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-19-2021 09:31 AM

Edited after I learned to read:

You should be able to use the replace function for this:

 

| where customer="foo" AND like(Register,replace("$tok_reg_num$", "\*", "%"))

 

Original Reply:

Try using searchmatch in your where statement.  It will take a regular SPL search statement and is compatible with the asterisk as the wild card.

 

| where customer="foo" AND searchmatch("Register=\"$tok_reg_num$\"")

 

Reply
Solved! Jump to solution

randy_moore
Path Finder
‎08-19-2021 10:47 AM

Replace was the trick @justinatpnnl .    Worked perfectly.   Many many thanks!

Randy

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...