How to use eval with the asterisk wildcard character as the default value for my token?

vijvenug
Explorer

I am trying to format a token in my form and then apply the token value to my search. This works just fine when I use replace.

source=SomeRandomSource filedA='SomeFilter' | eval variable=replace("$tokenVariable$","\\\\","\\\\") | WHERE fieldB=variable| top 15 fieldC

However, when I try to set a default value for my token using <seed></seed> or through a .js script file, I am running into issues. The above search no longer works when the default value `""` is used. But, the search works otherwise.

So, I figured I could use an if to check for the value of my token and then apply replace if necessary. Unfortunately, the following does not work either:

source=SomeRandomSource filedA='SomeFilter' | eval variable=if("$tokenVariable$"=="*", "*" , replace("$tokenVariable$","\\\\","\\\\")) | WHERE fieldB=variable| top 15 fieldC

Upon closer inspection, it looks like the following search itself does not work:

source=SomeRandomSource filedA='SomeFilter' | eval variable="*" | WHERE fieldB=variable| top 15 fieldC

OR

source=SomeRandomSource filedA='SomeFilter' | eval variable="*" | WHERE fieldB="*" | top 15 fieldC

Is there some limitation when using eval with *?

0 Karma
1 Solution

richgalloway
SplunkTrust

The eval command does not support wildcards - it treats them literally. To get the same functionality, use match(variable,".*") or like(variable,"%") within your eval.

---
If this reply helps you, Karma would be appreciated.

jconger
Splunk Employee

Without seeing the exact data, something like this may work:

source=SomeRandomSource filedA='SomeFilter'  | eval variable=if("$tokenVariable$"=="*", "%", replace("$tokenVariable$","\\\\","\\\\")) | where like(fieldB, variable) | top 15 fieldC

vijvenug
Explorer

This works. Thanks, Jason.

0 Karma

vijvenug
Explorer

It is still not clear to me how I can accomplish my task, though.
My original query works when there is a non-default value assigned to my tokenvariable, but it does not work when the tokenvariable is set to *.

source=SomeRandomSource filedA='SomeFilter' | eval variable=replace("$tokenVariable$","\\","\\") | WHERE fieldB=variable| top 15 fieldC

I tried:

source=SomeRandomSource filedA='SomeFilter' | eval variable=if(match($tokenVariable$,".*"), "$tokenVariable$" , replace("$tokenVariable$","\\","\\")) | WHERE fieldB=variable| top 15 fieldC

But the above query does not work for either * or any other value assigned to tokenvariable. Any suggestions?

0 Karma
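
Added example, not part of the thread: a self-contained search that puts the plain equality test from the question next to the like() and match() forms suggested in the replies, so the difference shows up row by row. The rows come from makeresults and are constructed sample data; the field named token is an assumption standing in for "$tokenVariable$", and the output column names are made up for this example.

```spl
| makeresults count=3
| streamstats count AS n
| eval fieldB=case(n=1, "alpha", n=2, "beta", n=3, "*")
| eval token="*"
| eval literal_eq=if(fieldB=token, "match", "no match")
| eval like_pattern=if(token="*", "%", token)
| eval like_all=if(like(fieldB, like_pattern), "match", "no match")
| eval regex_all=if(match(fieldB, ".*"), "match", "no match")
| table fieldB token literal_eq like_pattern like_all regex_all
```

Only the row whose fieldB is a literal asterisk passes the equality test, while every row passes like() with "%" and match() with ".*". Setting token to "alpha" instead makes like() behave as an exact match, which is the non-default case from the question.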