Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Wildcard in Field Value for where clause

rmasons
New Member
‎07-20-2017 01:33 PM

I am currently running this search to populate a table in a dashboard:

dedup clientcert sortby "-date" | where clientcert="$host_name$" | table partitions_*size

The hosts share some similar partitions, however most differ. I am attempting to only display the results that have values in them.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-20-2017 02:13 PM

Please show sample data, existing search, and desired output.

0 Karma
Reply

rmasons
New Member
‎07-21-2017 05:44 AM

I am trying to filter out the columns that are blank in this table. Desired output should only show if there is a value. This is also supposed to be automated and dynamic, changing when a new client is selected and has different partitions

image?!(//C:\Users\msrusse\Pictures\Splunksearch.jpg)

Preview file
36 KB
0 Karma
Reply

DalJeanis
Legend
‎07-20-2017 02:06 PM

Try this - 

| rename COMMENT as "Move the where clause before the dedup for efficiency." 
| where clientcert="$host_name$" 
| dedup clientcert sortby "-date" 

| rename COMMENT as "Leave in the field clientcert to enable the untable command, and to allow multiselect later if you want."
| table clientcert partitions_*size

| rename COMMENT as "Pull all the PartitionNames and Values to individual lines"
| untable clientcert PartitionName Value

| rename COMMENT as "Kill the ones that are null, then put it all back together as a table with fewer columns."
| where isnotnull(Value)
| xyseries clientcert PartitionName Value
0 Karma
Reply

rmasons
New Member
‎07-21-2017 05:22 AM

How would this be run where the PartitionName is unknown by the user?

0 Karma
Reply

somesoni2
Revered Legend
‎07-20-2017 01:53 PM

You can use like or match function with where clause to specify wildcards in field values.

dedup clientcert sortby "-date" | where like(clientcert,"$host_name$%" | table partitions_*size

OR 

dedup clientcert sortby "-date" | where match(clientcert,"$host_name$") | table partitions_*size
0 Karma
Reply

rmasons
New Member
‎07-21-2017 05:22 AM

The search table still displays columns with data from other clientcert's

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...