Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where's Where's Wildcarding?

code_monkey
Engager
‎06-06-2012 03:24 PM 
| where $click.name$ == if("$click.value$" == "Totals", * , "$click.value$")

This bit of code is intended to allow us to use a drill-down on a table that includes a generated row where the clicked value or the clicked value's field name may not be descriptive search terms, specifically a row of column totals. Obviously, it doesn't work.

  1. Where appears to lack the wildcarding semantic entirely, which makes sense I suppose. However, I rather need that bit of functionality.
  2. A bare * isn't really a valid return value here, a quoted one becomes a useless string literal, and an escaped one doesn't work either.

I was wondering if anyone had a better approach to this kind of last-minute substitution-chicanery, or if anyone knows how to get a match-any boolean expression out of a where clause?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-07-2012 03:49 AM

As far as I've understood your intention, you could probably do it this way:

... | where if("$click.value$" == "Totals", true(), $click.name$ == "$click.value$")

Edit:

Here's how you could use the eval command to create conditions for a search:

<some search conditions> [ | stats count | eval search=if("$click.value$" == "Totals", "*", "$click.name$=\"$click.value$\"") | fields search ]

The subsearch (within the square brackets) will expand to an additional search condition for the outer search. (The stats count part is just used to great a single result, thats rather hack/workaround)

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-07-2012 03:49 AM

As far as I've understood your intention, you could probably do it this way:

... | where if("$click.value$" == "Totals", true(), $click.name$ == "$click.value$")

Edit:

Here's how you could use the eval command to create conditions for a search:

<some search conditions> [ | stats count | eval search=if("$click.value$" == "Totals", "*", "$click.name$=\"$click.value$\"") | fields search ]

The subsearch (within the square brackets) will expand to an additional search condition for the outer search. (The stats count part is just used to great a single result, thats rather hack/workaround)

Reply
Solved! Jump to solution

ziegfried
Influencer
‎06-07-2012 06:31 AM

I've added an example on how you could use the eval command to create conditions for a search query.

0 Karma
Reply
Solved! Jump to solution

ziegfried
Influencer
‎06-07-2012 06:26 AM

The where command doesn't "return" anything. It will simply remove those results where the expression evaluates to false. You can use the eval command to create new fields.

0 Karma
Reply
Solved! Jump to solution

code_monkey
Engager
‎06-07-2012 06:21 AM

That does solve it, since where just wants a boolean. I'm still curious about how I'd return something like a wildcard or other non-string value.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...