
How to use eval with the asterisk wildcard character as the default value for my token?

Explorer

I am trying to format a token in my form and then apply the token value to my search. This works just fine when I use replace.

source=SomeRandomSource filedA='SomeFilter' | eval variable=replace("$tokenVariable$","\\\\","\\\\") | WHERE fieldB=variable| top 15 fieldC

However, when I try to set a default value for my token using <seed></seed> or through a .js script file, I am running into issues. The above search no longer works when the default value `""` is used. But, the search works otherwise.

So, I figured I could use an if to check for the value of my token and then apply replace if necessary. Unfortunately, the following does not work either:

source=SomeRandomSource filedA='SomeFilter' | eval variable=if("$tokenVariable$"=="*", "*" , replace("$tokenVariable$","\\\\","\\\\")) | WHERE fieldB=variable| top 15 fieldC

Upon closer inspection, it looks like the following search itself does not work,

source=SomeRandomSource filedA='SomeFilter' | eval variable="*" | WHERE fieldB=variable| top 15 fieldC

OR

source=SomeRandomSource filedA='SomeFilter' | eval variable="*" | WHERE fieldB="*" | top 15 fieldC

Is there some limitation when using Eval with * ?


Re: How to use eval with the asterisk wildcard character as the default value for my token?

SplunkTrust

The eval command does not support wildcards - it treats them literally. To get the same functionality, use match(variable,".*") or like(variable,"%") within your eval.

---
If this reply helps you, an upvote would be appreciated.


Re: How to use eval with the asterisk wildcard character as the default value for my token?

Explorer

It is still not clear to me how I can accomplish my task, though.
My original query works when there is a non-default value assigned to my tokenvariable, but it does not work when the tokenvariable is set to *.

source=SomeRandomSource filedA='SomeFilter' | eval variable=replace("$tokenVariable$","\\","\\") | WHERE fieldB=variable| top 15 fieldC

I tried:

source=SomeRandomSource filedA='SomeFilter' | eval variable=if(match($tokenVariable$,".*"), "$tokenVariable$" , replace("$tokenVariable$","\\","\\")) | WHERE fieldB=variable| top 15 fieldC

But, the above query does not work for both * and any other value assigned to tokenvariable. Any suggestions?


Re: How to use eval with the asterisk wildcard character as the default value for my token?

Motivator

Without seeing the exact data, something like this may work:

source=SomeRandomSource filedA='SomeFilter'  | eval variable=if("$tokenVariable$"=="*", "%", replace("$tokenVariable$","\\\\","\\\\")) | where like(fieldB, variable) | top 15 fieldC
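The difference between the literal comparison and the like() approach from the replies above can be seen in a run-anywhere search. This is an added example, not part of the original posts; the fieldB values and the tok_*/pat_* field names are constructed for illustration, with tok_all and tok_one standing in for two possible values of $tokenVariable$.

```spl
| makeresults count=3
| streamstats count AS n
| eval fieldB=case(n==1, "*", n==2, "web_01", n==3, "webX01")
| eval tok_all="*", tok_one="web_01"
| eval pat_all=if(tok_all=="*", "%", tok_all), pat_one=if(tok_one=="*", "%", tok_one)
| eval eq_all=if(fieldB==tok_all, "yes", "no")
| eval like_all=if(like(fieldB, pat_all), "yes", "no")
| eval eq_one=if(fieldB==tok_one, "yes", "no")
| eval like_one=if(like(fieldB, pat_one), "yes", "no")
| table fieldB eq_all like_all eq_one like_one
```

eq_all is "yes" only for the row whose fieldB is a literal asterisk, while like_all is "yes" for every row. like_one also matches webX01, because like() treats `_` in the pattern as a single-character wildcard and `%` as a multi-character one, so a token value containing either character matches more broadly than an equality test would.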

Re: How to use eval with the asterisk wildcard character as the default value for my token?

Explorer

This works. Thanks, Jason.
