Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use a wildcard with the where command for a drop-down search input?

ruchir
Explorer
‎03-04-2015 04:27 AM

Hi Everyone,

I am running a search:

| inputlookup MyLookup
| where Foo="$FooValueFromDropdown$" 
| stats values(Price)

where, $FooValueFromDropdown$ replaces itself with a value coming from a drop-down above.

When drop-down is set to some value like Cadbury or Nestle, search works fine, but when the drop-down is set to All, search shows nothing.

I tried search command, but it's not case-sensitive, which means if I have values like Cadbury(with capital C) and cadbury(with small c) and I select Cadbury with capital C, search will show results for both of them.

How can I use case-sensitivity of where and wildcard(*) friendliness of search together?

Please help.

Thank you 🙂

0 Karma
Reply

emiller42
Motivator
‎03-05-2015 07:58 AM

Here is a working example of what richgalloway is talking about:

index=_internal 
| eval search_string="splunk*" 
| eval search_string=replace(search_string, "\*", "%") 
| where like(sourcetype, search_string)

Which can be simplified to:

... | where like(sourcetype, replace("splunk*", "\*", "%"))

Just replace "splunk*", with $FooValueFromDropdown$

0 Karma
Reply

ruchir
Explorer
‎03-09-2015 06:45 AM

Hi emiller42

Thanks for that example, it was useful. 🙂
Do you have any suggestions on the problem I mention as comment below richgalloway's answer?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-04-2015 06:07 AM

Try like.

... | where like(Foo,$FooValueFromDropdown$) | ...

The dropdown selection for All will have to be the SQL wildcard '%'.

---
If this reply helps you, Karma would be appreciated.
Reply

ruchir
Explorer
‎03-09-2015 06:39 AM

Thanks richgalloway. 🙂

It's working but the $FooValueFromDropdown$ is a URI and contains "/" character. So when I am using double quotes around $FooValueFromDropdown$ like this

... | where like(Foo,"$FooValueFromDropdown$") | ...

it's showing no result for drop-down value - All and when I am removing them, again I am not getting any results.

Any suggestions upon that?

0 Karma
Reply

emiller42
Motivator
‎03-14-2015 04:33 PM

How is 'All' defined in your search form?

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...