- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jason_hotchkiss
Communicator
01-27-2022
03:39 PM
Hello Splunkers -
I am trying to filter any value that is wrapped in $, such as $host$or $value$. I thought the below would work, but it is not. Can someone point out what I am doing wrong? Thanks!
| eval dollar_sign=if(host_value=="$host$" OR host_value=="$value$", "yes", "no")
| search NOT dollar_sign=yes
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
johnhuang
Motivator
01-27-2022
05:27 PM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer

SplunkTrust
01-28-2022
12:03 AM
If you are using this in a dashboard, the dollar signs have to be doubled up otherwise it is looking for tokens
| eval dollar_sign=if(host_value=="$$host$$" OR host_value=="$$value$$", "yes", "no")
| search NOT dollar_sign=yes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jason_hotchkiss
Communicator
01-28-2022
05:57 AM
I will keep this in mind if I end up using this in a dashboard. Thank you @ITWhisperer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
johnhuang
Motivator
01-27-2022
05:27 PM
| eval dollar_sign=IF(LIKE(host_value, "$%$"), "yes", "no")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jason_hotchkiss
Communicator
01-28-2022
05:56 AM
This solved my use case. Thank you @johnhuang
