Wildcard in Field Value for where clause

New Member

I am currently running this search to populate a table in a dashboard:

dedup clientcert sortby "-date" | where clientcert="$hostname$" | table partitions*size

The hosts share some similar partitions, however most differ. I am attempting to only display the results that have values in them.


Re: Wildcard in Field Value for where clause

SplunkTrust

You can use like or match function with where clause to specify wildcards in field values.

dedup clientcert sortby "-date" | where like(clientcert,"$host_name$%") | table partitions_*size

OR

dedup clientcert sortby "-date" | where match(clientcert,"$host_name$") | table partitions_*size

Re: Wildcard in Field Value for where clause

New Member

The search table still displays columns with data from other clientcerts.


Re: Wildcard in Field Value for where clause

SplunkTrust

Try this -

| rename COMMENT as "Move the where clause before the dedup for efficiency." 
| where clientcert="$host_name$" 
| dedup clientcert sortby "-date" 

| rename COMMENT as "Leave in the field clientcert to enable the untable command, and to allow multiselect later if you want."
| table clientcert partitions_*size

| rename COMMENT as "Pull all the PartitionNames and Values to individual lines"
| untable clientcert PartitionName Value

| rename COMMENT as "Kill the ones that are null, then put it all back together as a table with fewer columns."
| where isnotnull(Value)
| xyseries clientcert PartitionName Value
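The following is an added, self-contained example (not from any of the posters above) that combines the two suggestions in this thread: a like() wildcard on the host name in the where clause, and the untable / xyseries round trip that drops columns with no value for the selected host. The sample events are constructed with makeresults and append so the search runs in any Splunk search bar without real data; the host names, dates and partition sizes are made up, and the literal "web%" stands in for the dashboard token "$host_name$%" (% is the multi-character wildcard in like(); match() takes a regular expression instead). Nothing in the search names a partition, so it works when the user does not know the PartitionName values in advance: untable derives them from whatever partitions_*size fields the selected host actually has.

```spl
| rename COMMENT as "Constructed sample data: two snapshots of web01 and one of db01 (assumed values, not real events)."
| makeresults
| eval clientcert="web01", date="2024-01-02", partitions_root_size=42, partitions_var_size=17
| append [| makeresults | eval clientcert="web01", date="2024-01-01", partitions_root_size=40, partitions_var_size=15]
| append [| makeresults | eval clientcert="db01",  date="2024-01-02", partitions_root_size=80, partitions_data_size=500]
| fields - _time

| rename COMMENT as "Filter first, then dedup, so dedup only has to sort the events for the chosen host. Replace web% with $host_name$% in a dashboard."
| where like(clientcert, "web%")
| dedup clientcert sortby -date

| rename COMMENT as "Keep clientcert so untable has a row key; partitions_*size matches every partition field present, whatever it is called."
| table clientcert partitions_*size

| rename COMMENT as "One row per (host, partition) pair, then discard the pairs with no value and pivot back to one row per host."
| untable clientcert PartitionName Value
| where isnotnull(Value)
| xyseries clientcert PartitionName Value
```

Swapping "web%" for "db%" returns only the partitions db01 reports, so the column set changes with the selection rather than being fixed in the search. Two caveats worth knowing: dedup with sortby -date relies on date sorting correctly as a string (ISO dates do; "01/02/2024" style dates do not, so use _time or strptime there), and isnotnull() keeps empty strings, so if the partition fields can be present but blank add Value!="" to the where clause.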

Re: Wildcard in Field Value for where clause

New Member

How would this be run where the PartitionName is unknown by the user?


Re: Wildcard in Field Value for where clause

Esteemed Legend

Please show sample data, existing search, and desired output.


Re: Wildcard in Field Value for where clause

New Member

I am trying to filter out the columns that are blank in this table. The desired output should only show a column if there is a value. This is also supposed to be automated and dynamic, changing when a new client is selected that has different partitions.

