I know this is a Splunk newbie question but I am having some issues getting this to work. I have a column field named "Account_Name" from a sourcetype="AD", for instance. I am creating a form where there are several empty text fields (Account Name, IP Address, Host Name, etc). I may have all of the fields or I may have just one piece of information pertaining to a particular event.

Based on which field contains a value (e.g. length of character string is greater than 0), I'd like to assign the character string a default value to search. So if I have a variable named $test_account_name$, I'd like to be able to run something like this:

eval XYZ=if($test_account_name$!=0, $test_account_name$,"*")

Here is where things go beyond my realm of Splunk understanding. At this point, the new variable XYZ should be assigned a value of $test_account_name$ OR contain a wildcard ("*"). Now, I want to be able to pass the contents of XYZ back to the original variable "Account_Name" in order to search the sourcetype with the results contained in XYZ.

I am sure there is a more appropriate function to perform this but I figured I would ask! Thanks in advance!