Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Wildcard in Field Value for where clause

rmasons
New Member
‎07-20-2017 01:33 PM

I am currently running this search to populate a table in a dashboard:

dedup clientcert sortby "-date" | where clientcert="$host_name$" | table partitions_*size

The hosts share some similar partitions, however most differ. I am attempting to only display the results that have values in them.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-20-2017 02:13 PM

Please show sample data, existing search, and desired output.

0 Karma
Reply

rmasons
New Member
‎07-21-2017 05:44 AM

I am trying to filter out the columns that are blank in this table. Desired output should only show if there is a value. This is also supposed to be automated and dynamic, changing when a new client is selected and has different partitions

image?!(//C:\Users\msrusse\Pictures\Splunksearch.jpg)

Preview file
1 KB
0 Karma
Reply

DalJeanis
Legend
‎07-20-2017 02:06 PM

Try this - 

| rename COMMENT as "Move the where clause before the dedup for efficiency." 
| where clientcert="$host_name$" 
| dedup clientcert sortby "-date" 

| rename COMMENT as "Leave in the field clientcert to enable the untable command, and to allow multiselect later if you want."
| table clientcert partitions_*size

| rename COMMENT as "Pull all the PartitionNames and Values to individual lines"
| untable clientcert PartitionName Value

| rename COMMENT as "Kill the ones that are null, then put it all back together as a table with fewer columns."
| where isnotnull(Value)
| xyseries clientcert PartitionName Value
0 Karma
Reply

rmasons
New Member
‎07-21-2017 05:22 AM

How would this be run where the PartitionName is unknown by the user?

0 Karma
Reply

somesoni2
Revered Legend
‎07-20-2017 01:53 PM

You can use like or match function with where clause to specify wildcards in field values.

dedup clientcert sortby "-date" | where like(clientcert,"$host_name$%" | table partitions_*size

OR 

dedup clientcert sortby "-date" | where match(clientcert,"$host_name$") | table partitions_*size
0 Karma
Reply

rmasons
New Member
‎07-21-2017 05:22 AM

The search table still displays columns with data from other clientcert's

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...