Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Wildcard value in condition- Does Splunk parse asterisks as actual asterisks, not a wildcard?

ohlafl
Communicator
‎07-16-2015 05:00 AM

As I want to keep my dashboards as dynamic as possible I am trying to avoid writing specific conditions where as...

<condition value="object*">

instead of

<condition value="object1">
<condition value"object2">

... and so forth would be nice to avoid. Sadly it appears as if Splunk parses the asterisk as an actual asterisk and not a wildcard. Am I doing something wrong or is this not possible?

Thank you.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ohlafl
Communicator
‎07-22-2015 07:16 AM

I actually managed to create an ugly workaround:

Since Splunk simple XML does not differentiate between object* and * I had to reverse the logic by making "*" specific to * and anything else not specific to *. The code looks like this:

    <input type="dropdown" searchWhenChanged="true" token="form.city">
      <label>Change city:</label>
      <search>
        <query>index=os city | top city| sort city| fields city</query>
      </search>

      <choice value='[search index=geoLoc | eval magicString="*" | return $magicString]'>All</choice>
      <fieldForLabel>city</fieldForLabel>
      <fieldForValue>city</fieldForValue>
      <default>$form.city$</default>

      <change>
        <condition value='[search index=geoLoc | eval magicString="*" | return $magicString]'>
          <set token="form.object">euro</set>
        </condition>
        <condition value='*'>
          <set token="form.object">usa</set>
        </condition>
      </change>

Probably difficult to understand but to someone with the same problem this might be of some value. This of course only works if euro applies to * and USA to everything else but it could probably be further modified by adding more magic strings.

View solution in original post

Reply
Solved! Jump to solution

LIS
Path Finder
‎04-24-2023 03:41 AM

 

 

<condition match="'value' LIKE &quot;object%&quot;">
Reply
Solved! Jump to solution
Solution

ohlafl
Communicator
‎07-22-2015 07:16 AM

I actually managed to create an ugly workaround:

Since Splunk simple XML does not differentiate between object* and * I had to reverse the logic by making "*" specific to * and anything else not specific to *. The code looks like this:

    <input type="dropdown" searchWhenChanged="true" token="form.city">
      <label>Change city:</label>
      <search>
        <query>index=os city | top city| sort city| fields city</query>
      </search>

      <choice value='[search index=geoLoc | eval magicString="*" | return $magicString]'>All</choice>
      <fieldForLabel>city</fieldForLabel>
      <fieldForValue>city</fieldForValue>
      <default>$form.city$</default>

      <change>
        <condition value='[search index=geoLoc | eval magicString="*" | return $magicString]'>
          <set token="form.object">euro</set>
        </condition>
        <condition value='*'>
          <set token="form.object">usa</set>
        </condition>
      </change>

Probably difficult to understand but to someone with the same problem this might be of some value. This of course only works if euro applies to * and USA to everything else but it could probably be further modified by adding more magic strings.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-20-2015 06:36 PM

And you want to display actual city names in the dropdown, correct? I don't have a solution to that yet, but you can use a subsearch to get the value of geoLoc wherever it's to be used, based on the value of citi with wildcard. A sample search could be like this

index=something sourcetype=something [| gentimes start=-1 | eval geoLoc=case(like("$form.city$","euro%"),1,like("$form.city$","usa%"),2,1=1,null()) | table geoLoc] ...| rest of the search
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-16-2015 02:50 PM

With my limited experience with 'condition', I would say that it's not possible. Could you post your input control xml where you're trying to use this wildcard condition?

0 Karma
Reply
Solved! Jump to solution

ohlafl
Communicator
‎07-16-2015 11:41 PM 
<input type="dropdown" searchWhenChanged="false" token="form.city">
  <label>Change city:</label>
  <search>
    <query>index=geoData city| top city | sort city| fields city</query>
  </search>
  <choice value='era*'>All cities</choice>
  <fieldForLabel>city</fieldForLabel>
  <fieldForValue>city</fieldForValue>
  <default>$form.city$</default> <!-- This is for setting default to value passed from parent dashboard.

  <change>
    <condition value='"euro*'>
      <set token="geoLoc">1</set>
    </condition>
    <condition value='usa*'>
      <set token="geroLoc">2</set>
    </condition>
  </change>

</input>
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...