Splunk Search

I would like to use field value * as regex to match all values in my search

New Member

Hello,

I have a dashboard with a drop-down button. The token for the button is named Area. The values are:
Name - Value:
All Areas - All
Business Critical - Critical
Public - Public
Internal - Internal

I have the following query:

index=main sourcetype=source1 | rename Computer.SWArea as SWArea | eval variable=case("$Area$" == "All","*","$Area$" == "Critical","Critical","$Area$" == "Public","Public","$Area$" == "Internal","Internal") | search SWArea=variable |

The problem I faced is that when I choose All on my drop-down button it matches 0 events instead of all. The issue is that although the new field variable contains *, this doesn't match as any in the search section. Any ideas why?

0 Karma
1 Solution

Legend

Change the value for All Areas to *. Like this

Name - Value:
All Areas - *
Business Critical - Critical
Public - Public
Internal - Internal

And your search to

index=main sourcetype=source1 Computer.SWArea="$Area$"

0 Karma
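
The accepted answer written out as a Simple XML dashboard, as an added example that is not part of the original posts. The token name, choice values, index, sourcetype and field name come from the thread; the dashboard label, the table panel and the time range are assumptions.

```xml
<form>
  <label>Software by area</label> <!-- assumed label -->
  <fieldset submitButton="false">
    <input type="dropdown" token="Area" searchWhenChanged="true">
      <label>Area</label>
      <!-- The value attribute, not the display name, replaces $Area$ in the query. -->
      <choice value="*">All Areas</choice>
      <choice value="Critical">Business Critical</choice>
      <choice value="Public">Public</choice>
      <choice value="Internal">Internal</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!--
            The token is expanded into the query text before the search runs,
            so choosing "All Areas" produces Computer.SWArea="*", a literal
            wildcard term that matches every event where the field has a value.
            By contrast, "| search SWArea=variable" compares SWArea with the
            literal string "variable"; the search command does not read the
            right-hand side as another field, so a "*" stored in an eval field
            is never treated as a wildcard.
          -->
          <query>index=main sourcetype=source1 Computer.SWArea="$Area$"</query>
          <earliest>-24h@h</earliest> <!-- assumed time range -->
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Events that have no Computer.SWArea field at all are not matched by the "*" choice, because the wildcard only matches existing values.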